  • Hanna Korotka

Enhancing Security: Prevent Web Downloads from Unmanaged Devices

In today's digital age, ensuring the security of your organization's data and applications is paramount. With the proliferation of remote work and the use of personal devices, limiting access to sensitive information from unmanaged devices has become a critical concern. In this blog post, we'll explore how to implement Conditional Access rules to restrict access to Exchange Online from Outlook on the web and SharePoint content from unmanaged devices. These measures help protect your organization's data and maintain control over who can access it.

Understanding Conditional Access Rules

Conditional Access rules act as a safeguard for your organization's data. They operate on a simple if-then principle: if a user wants to access something, they must fulfill certain conditions to gain access. These rules come into play once the first-factor authentication has been completed. They use signals to make access decisions and then enforce these decisions, either allowing or denying access.

The rule we'll focus on in this post uses Session access control - Use application enforced restrictions. Session controls are instrumental in restricting user experiences within cloud applications. These controls rely on Azure AD to convey device information to cloud applications. This information helps determine whether a user's device is compliant, non-compliant, or part of a domain. With this data, the cloud app can update the session experience accordingly.

It's important to note that Session controls are compatible with select cloud applications, specifically Office 365, SharePoint Online, and Exchange Online. Users on unmanaged or non-compliant devices get a restricted experience, while users on managed and compliant devices get the full experience.

Pre-Requisite Changes in SharePoint Online and Exchange Online

Before implementing the Conditional Access rule, there are some pre-requisite changes required in SharePoint Online and Exchange Online. Let's start by enabling limited access in SharePoint Online.

As a SharePoint Administrator or Global Administrator in Microsoft 365, you can restrict or limit access to SharePoint and OneDrive content from unmanaged devices that are not hybrid AD joined or Intune compliant. You can choose to restrict all users or only specific users or security groups, as well as all sites or selected sites.

For the Use application enforced restrictions session access control, it's essential to enable limited access in SharePoint Online. When you limit access in SharePoint Online, users on managed devices will have full access, while users on unmanaged devices will have browser-only access without the ability to download, print, or sync files. Additionally, they won't be able to access content through apps, including the Microsoft Office desktop apps.

Steps to Enable Limited Access in SharePoint Online:

1. Go to the new SharePoint admin center, and sign in with an account that has admin permissions for your organization.

2. Select Access control > Unmanaged devices.

3. Choose "Allow limited, web-only access," and then select "Save." (Note that selecting this option will disable any previous conditional access policies you created and create a new conditional access policy that applies to all users. Any customizations you made to previous policies will not be carried over.)

After clicking "Save," head back to the Conditional Access portal in the Azure Portal to disable the two new CA policies that are automatically created:

- [SharePoint admin center] Block access from apps on unmanaged devices – [DATE]

- [SharePoint admin center] Use app-enforced Restrictions for browser access – [DATE]

These policies are targeted at all users and should be switched off to avoid any unwanted impacts on your environment.

Limit Access to Exchange Online from Outlook on the Web

In addition to SharePoint, it's crucial to restrict the ability for users to download attachments from Outlook on the web when using unmanaged devices. Users on these devices can still view and edit files using Office Online without downloading and storing files locally. It's also possible to block users from seeing attachments on unmanaged devices.

1. Install the PowerShell module:

Install-Module -Name ExchangeOnlineManagement

2. Update to the latest version:

Update-Module -Name ExchangeOnlineManagement

3. Connect to Exchange Online:


4. First, get the OWA mailbox policy and check its name:

Get-OwaMailboxPolicy | Format-List -Property Identity

5. Set the conditional access behavior on the OWA mailbox policy with the ConditionalAccessPolicy parameter. Two commonly used values are "ReadOnly" and "ReadOnlyPlusAttachmentsBlocked." "ReadOnly" allows users to view attachments in the browser but not download them, while "ReadOnlyPlusAttachmentsBlocked" prevents users from viewing attachments in the browser:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly
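
Steps 1 to 5 as one script, extended with a before/after check and a report of which OWA policy each mailbox is assigned. This is an added example, not part of the original post; the admin UPN is a placeholder, and Connect-ExchangeOnline is the module's sign-in cmdlet for step 3.

```powershell
# Added example (not from the original post). Needs the ExchangeOnlineManagement
# module and an Exchange administrator account.
$AdminUpn    = 'admin@contoso.example'       # placeholder: replace with your admin account
$PolicyName  = 'OwaMailboxPolicy-Default'    # policy name used in step 5
$TargetValue = 'ReadOnly'                    # or 'ReadOnlyPlusAttachmentsBlocked'

if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    throw 'ExchangeOnlineManagement is not installed; run step 1 first.'
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Record the current setting on every OWA mailbox policy before changing anything.
    Get-OwaMailboxPolicy |
        Select-Object Identity, IsDefault, ConditionalAccessPolicy |
        Format-Table -AutoSize

    # Change the policy only if it does not already hold the target value.
    $policy = Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction Stop
    if ("$($policy.ConditionalAccessPolicy)" -ne $TargetValue) {
        Set-OwaMailboxPolicy -Identity $PolicyName -ConditionalAccessPolicy $TargetValue
    }

    # Read the policy back and fail loudly if the value was not stored.
    $after = Get-OwaMailboxPolicy -Identity $PolicyName
    if ("$($after.ConditionalAccessPolicy)" -ne $TargetValue) {
        throw "ConditionalAccessPolicy on $PolicyName is '$($after.ConditionalAccessPolicy)'."
    }

    # Mailboxes assigned a different OWA mailbox policy are not covered by this change.
    # Group mailboxes by assigned policy; an empty Name means none is explicitly assigned.
    Get-CASMailbox -ResultSize Unlimited |
        Group-Object -Property OwaMailboxPolicy |
        Sort-Object -Property Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
finally {
    # Always close the session, even when a check above throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Any policy listed in the last table other than the one you changed needs the same ConditionalAccessPolicy value if its mailboxes should be restricted too.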

Create Conditional Access policy

Create a new Conditional Access policy in the Microsoft Entra admin center, specifying the group you want to assign it to. Configure the policy settings accordingly. Please see screenshots below:

Switch the Enable policy toggle to On.
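
The same policy can be created and checked from PowerShell with the Microsoft Graph SDK. This is an added example, not part of the original post: the group ID and display name are placeholders, and scoping the policy to Office 365 and browser clients is an assumption based on the session control described earlier.

```powershell
# Added example (not from the original post). Needs the Microsoft.Graph.Identity.SignIns
# module and a role that can manage Conditional Access.
$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the target group
# Report-only lets you review sign-in logs first; use 'enabled' to match the "On" toggle.
$State   = 'enabledForReportingButNotEnforced'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$body = @{
    displayName     = 'Limit browser sessions on unmanaged devices (example)'   # placeholder name
    state           = $State
    conditions      = @{
        users          = @{ includeGroups = @($GroupId) }
        applications   = @{ includeApplications = @('Office365') }   # assumption: Office 365 app group
        clientAppTypes = @('browser')                                 # assumption: browser sessions only
    }
    sessionControls = @{
        # "Use app enforced restrictions" session control
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# Read the policy back and show the settings that matter.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    DisplayName        = $check.DisplayName
    State              = $check.State
    AppEnforcedControl = $check.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
}

# The SharePoint admin center creates two tenant-wide policies (see above).
# List them with their state to confirm they are switched off.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName.StartsWith('[SharePoint admin center]') } |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```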

Impact of Enabling the Policy

When the user accesses e.g. a Microsoft Word document via user will be notified via a yellow banner which reported that

In Outlook on the web, the user is unable to save or print an attachment. They receive the message:

Your organization doesn't allow you to download or print attachments from this device or browser. You can still view attachments in your browser. For more information, contact your IT administrator.

By following these steps and implementing Conditional Access rules, you can ensure that sensitive data stored in Exchange Online, SharePoint, and OneDrive remains protected, even in the face of unmanaged devices and potential security risks. Stay proactive in securing your organization's information, and take advantage of the powerful tools offered by Microsoft 365 to maintain control over your digital assets.

To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.
