One of the scenario’s we can build with Conditional Access, is the scenario where we restrict access inside the web application itself. By doing so, you could for example limit the functionality of the web applications on non-managed devices, or when accessing the web application from a country where your company normally doesn’t operate. The web applications can be configured to behave differently if the user is applicable for a Conditional Access policy where App Enforced restrictions are configured.

Within the Office 365 suite of applications, the following web applications are supported for App Enforced Restrictions:

  • Outlook Web Access
  • SharePoint and OneDrive

In this post I will go into detail on how to setup these app enforced restriction and what the expected behavior will be from an end-user perspective.

Configure Outlook Web Access for limited access via App Enforced Restrictions

Before you can enable Conditional Access App Enforced Restrictions you first need to enable the feature in the default OWA mailbox policy, since by default this functionality is turned off, this can be done using the Set-OwaMailBoxPolicy cmdlet as part of the Exchange Online PowerShell module.

First request the current status of the OWA mailbox policy by executing the following command: Get-OwaMailBoxPolicy |select-object ConditionalAccess*. This command will return the current status of the ConditionalAccessPolicy (On or Off) and the ConditionalAccessFeatures.

If the ConditionalAccessPolicy is set to Off, you can enable the functionality which allows for restrictions when used in combination with a Conditional Access App Enforced Restriction policy. You have either the option to configure the policy in two modes:

  • ReadOnly, where users can’t download attachments to their local computer, and can’t enable Offline Mode on non-compliant computers
  • ReadOnlyPlusAttachmentsBlocked, in the ReadOnly setting viewing attachments in the browser is possible, when using this setting viewing attachments in the browser is blocked.

In this example we are going to enable the ConditionalAccessPolicy in the OWA Mailbox Policy and use the ReadOnly mode, this can be accomplished by executing the following command: Set-OwaMailbBoxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

After executing the command make sure that you check whether the setting was succesfull by executing the Get-OwaMailBoxPolicy |select-object ConditionalAccess* command again and check whether the ConditionalAccessPolicy is set to ReadOnly

Machine generated alternative text:
Windows PowerSheII 
PS C: Get-Owamai180xPoIicy 
onditionaIAccessPoIicy ConditionalAccessFeatures 
PS C: Set-Owamai180xPoIicy 
PS C: Get-Owamai180xPoIicy 
onditionaIAccessPoIicy ConditionalAccessFeatures 
select- object ConditionalAccess* 
-Identity OwamaiIboxPoIicy-DefauIt 
I select-object ConditionalAccess* 
-ConditionalAccessPoIicy 
ReadOnIy 
AttachmentDirectFiIeAccessOnP... 
ReadOnIy 
PS C: 
{Offline, AttachmentDirectFiIeAccessOnPrivateComputersEnabIed,
Set Conditional Access options in OWA Mailbox Policy using PowerShell

Configure SharePoint Online and OneDrive for limited access via App Enforced Restrictions

SharePoint Online and OneDrive can be configured in several ways. The first option is to set a Global setting which becomes effective for all SharePoint Online and OneDrive sites in your environment, and the Per site option allows you to specify options per site.

Global settings

The Global or organizational-wide settings can be configured from the SharePoint admin center (https://<tenantname>-admin.sharepoint.com). In the SharePoint Admin center select Policies | Access Control and select Unmanaged devices.

By default, for unmanaged devices the option “Allow full access from desktop apps, mobile apps, and the web” is selected, and by modifying the option to either “Allow limited, web-only access” or “Block access” you configure limited access for your whole environment.

Machine generated alternative text:
Unmanaged devices 
(D We will automatically change the "Apps that don't use modern authentication" setting to block 
access (because these apps can't enforce this device-based restriction). 
The setting you select here will apply to all users in your organization. Learn more. To 
customize conditional access policies, save your selection and go to the Azure AD admin 
center. 
O Allow full access from desktop apps, mobile apps, and the web 
O Allow limited, web-only access 
O 
Block access 
If you don't want to limit or block access organization-wide, you can do so for specific 
sites. Learn how 
Cancel 
x
Unmanaged devices behavior settings from SharePoint Admin Center

If you configure the unmanaged devices settings, 2 new Conditional Access policies will be created. While I’m not a big fan of letting a setting like create the Conditional Access policies for you, they do provide some valuable information. I would therefore suggest to let the wizard create them, and that you turn them off immediately after creation. Keep in mind that if you are playing with these, it might be that several Conditional Access policies are created (one per day, since the day when created in defined in the name)

Machine generated alternative text:
[Share?oint admin centerlBlock access from apps on unmanaged devices - 2020-06-25 
[SharePoint admin centerlUse app-enforced Restrictions for browser access - 2020-06-25
Automatically created Conditional Access Policies

The first one “[SharePoint admin center]Block access from apps on unmanaged devices – 2020-06-25” has the following properties

Name[SharePoint admin center]Block access from apps on unmanaged devices – 2020-06-25
Assignments
Users and GroupsAll Users
Cloud apps or actionsOffice 365 SharePoint Online
Conditions
Client AppsModern Authentication Clients
Access controls
GrantRequire device to be marked as compliant OR Require Hybrid Azure AD joined device

So, to summarize this policy grants access to either Compliant Azure AD joined devices or Hybrid joined (AD joined, Azure AD registered) devices when the client supports Modern Authentication while accessing SharePoint Online.

So having clients which support Modern Authentication is crucial for this, I’ve already written a lot more on this topic for which you can find the latest information here: “May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet”

The second one “[SharePoint admin center]Use app-enforced Restrictions for browser access – 2020-06-25” has the following properties

NameUse app-enforced Restrictions for browser access – 2020-06-25
Assignments
Users and GroupsAll Users
Cloud apps or actionsOffice 365 SharePoint Online
Conditions
Client AppsBrowser
Access controls
SessionUse app enforced restrictions

This conditional access policy when applicable gives SharePoint online, the signal that the limited access is applicable.

Per site settings

For a basic environment, having these global settings might be enough, but perhaps you want to more granularly control whether you want the limited access applied to a SharePoint or OneDrive site. This can be accomplished by using PowerShell (for now, more on that later) and described in the following section “Block or limit access to a specific SharePoint site or OneDrive” of the article: “Control access from unmanaged devices” in the SharePoint online documentation.

In order to use PowerShell you must have the SharePoint Online Management Shell installed, once installed, you can connect using

Connect-SPOService -Url https://<tenantname>-admin.sharepoint.com which will log you in, into the Management Shell

From there you can determine the current status of a particular SharePoint site using the following command.

Get-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -Detailed | fl Conditional*

Machine generated alternative text:
Administrator: Windows PowerSheII 
PS C: Get-SPOSite 
-1 aentltv 
https // insight24. sharepaint . corn,' sites/ demo- klantl 
-L'etalleä 
I fl Conditio 
nditionaIAccessPoIicy : 
AllowFuIIAccess
Get current setting on SharePoint site

As you can see, this command has a strange outcome, since on a Global level we just defined Read Only Access. Turns out that if you specify the setting on site level, this will override the global policy.  So for example, you could set the option “Allow limited, web-only access” as described above in the Global policy, but define a setting to Block Access on the Site level.

You can set the policy on a site level by executing the following command: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy <value>

Machine generated alternative text:
Administrator: Windows PowerSheII 
PS C: Set-SPOSite 
BlockAccess 
PS C: Get-SPOSite 
-1 aencltb' 
-identity 
https // insight24 . sharepaint . corn/ sites/ demo- klantl 
https : // i nsight24. sharepoint . com/sites/demo- kl antl 
-L cnalclcnaleccessycl-_ 
-Detailed I fl Conditio 
ConditionalAccessPoIicy : 
310ckAccess
Set Conditional Access setting on site level

For the ConditionalAccessPolicy parameter the following values are available:

  • AllowFullAccess: The default setting
  • AllowLimitedAccess: The setting allowing limited access
  • BlockAccess: Blocks access

When using the AllowLimitedAccess option, you can supply additional parameters to further define the behavior, as detailed in “Advanced Configurations“, for example you can provide the option -LimitedAccessFileType OtherFiles after the -ConditionalAccess AllowLimitedAccess parameter to allow users to download files that can’t be previewed, such as .ZIP files.

If you have to specify this for a lot of SharePoint sites, you can of course automate these settings, but wouldn’t it be nice if we could enable this from the GUI while creating the SharePoint site, or while the SharePoint site is created as part of a Teams environment .

Sensitivity labels for Containers

Microsoft is currently rolling out new functionality which allows you to specify the behavior described above by making use of Sensitivity Labels and apply them to so called “containers” (announcement here: General Availability: Microsoft Information Protection sensitivity labels in Teams/SharePoint sites). These containers are either Microsoft Teams, Microsoft 365 Groups and SharePoint sites. Once enabled, the Sensitivity label will receive the “Site and group setting” options as detailed in the picture below.

The idea is that when creating one of the containers, you must specify the Sensitivity as well. In the Sensitivity label you can define which setting related to the ConditionalAccessPolicy parameter on the container you want to assign. You also have the possibility to assign a sensitivity label to already existing Team or SharePoint sites.

Once this functionality is available in your tenant, you can use the sensitivity label to specify the access to the environment when App Enforced Restrictions are in use.

Machine generated alternative text:
Edit sensitivity label 
e Name & description 
e Encryption 
e Content marking 
Site and group settings 
O 
Auto-labeling for Office apps 
O 
Review your settings 
Site and group settings 
Select the settings you want to take effect when this label is applied to an Office 365 group or SharePoint site. Note that the settings aren't applied to 
files, so they don't impact downloaded copies of files. Learn more about site and group protection 
Site and group settings 
Privacy of Office 365 group-connected team sites 
Private - only members can access the site 
External users access 
Let Office 365 group owners add people outside the organization to the group 
Unmanaged devices 
O Allow full access from desktop apps, mobile apps, and the web 
@ Allow limited, web only access 
O Block 
access 
Back 
Next 
Cancel 
O Need help?
Controlling access via Sensitivity labels

See: Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites (public preview) and also read this very insightful article by Joanne C Klein titled: “Site Sensitivity and the documents within

Create the Conditional Access Policy

Now that we created the necessary settings in both the OWA mailbox policy and SharePoint, we can define a Conditional Access policy or modify the automatically created Conditional Access policies for our scenario.

NameI24 – Block access from apps on unmanaged devices to EXO and SPO
Assignments
Users and GroupsAll Users, except Break Glass accounts
Cloud apps or actionsOffice 365 SharePoint Online, Office 365 Exchange Online
ConditionsClient AppsModern Authentication Clients
Access controls
GrantRequire device to be marked as compliant OR Require Hybrid Azure AD joined device
Policy 1: Only allow access from Azure AD joined compliant or Hybrid devices which use Modern Authentication
NameI24 – Block access from apps on unmanaged devices to EXO and SPO
Assignments
Users and GroupsAll Users, except Break Glass accounts
Cloud apps or actionsOffice 365 SharePoint Online, Office 365 Exchange Online
Conditions
Client AppsBrowser
Access controls
SessionRequire device to be marked as compliant OR Require Hybrid Azure AD joined device
Policy 2: Use app enforced restrictions when accessing OWA and SPO via the web.

Policy behavior within Outlook Web Access

When the Conditional Access policy is applicable, the user accessing Outlook Web Access experiences the following behavior.

Policy behavior within SharePoint Online and OneDrive

When the Conditional Access policy is applicable, the user accessing SharePoint or OneDrive experiences the following behavior.

Conclusion

Conditional Access App Enforced Restrictions is another piece of the puzzle, allowing you to restrict access to your company data. The options described in this article provide a scenario which should be part of a much broader set of Conditional Access policies which you want to implement in order to protect your company data.

Having some more options to granularly define what can and cannot be done would be helpful, for example blocking the ability to upload files in the policies as well.

In the meantime Microsoft is adding more and more functionality to the sensitivity label functionality, and for which we can use some of that functionality in our Conditional Access scenario’s.

I hope this article provides you with a good idea of what’s possible with Conditional Access App Enforced Restrictions, and the contents of this article will be included in a next version of the Conditional Access Whitepaper. See: “May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet” for the latest available version.