Conditionall Access : SharePoint Online Web Client Extensibility

Question

Conditionall Access : SharePoint Online Web Client Extensibility

CreatiXx 6

Hi,

I'm having trouble figuring out what to do and would love for any kind of input that could help me look in the right direction.

Main goal : limiting access to one sharepoint site from unmanaged devices but require compliance on anything else.

What i have done so far :

Found the following article : https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
- Made a CA policy that requires compliance devices but excludes sharepoint online (as shown in said article)
- Changed settings in sharepoint admin center that allows web-only access from unmanaged devices
- made a sharepoint CA policy through powershell that limits sharepoint access only that a single site

Result : block on SharePoint Online Web Client Extensibility and i cannot get past it and i'm all out of ideas. I've got the feeling i'm missing something stupid but i need some help from some experts :D

Anyone here that can help me out please?

Thanks in advance everyone!

AllenXu-MSFT 24,951 Reputation points Moderator

2024-08-21T02:16:47.8+00:00

Hi @CreatiXx,

I'm currently investigating this issue and will get back to you as soon as possible.

1 answer

Your answer

AllenXu-MSFT 24,951 Reputation points Moderator

2024-08-21T02:16:47.8+00:00

Hi @CreatiXx,

I'm currently investigating this issue and will get back to you as soon as possible.

Answer 1

AllenXu-MSFT 24,951 Moderator

Hi @CreatiXx,

Please try applying CA policy to that APP "SharePoint Online Client Extensibility" manually to see if the issue still persists. Go to Microsoft Entra admin center > Protection > Conditional Access > Policies. Select your CA and in edit page, select Targeted resources. Click "Select", check "SharePoint Online Client Extensibility Web Application Principle" and "SharePoint Online Client Extensibility Web Application Principle Helper". Save and enable the CA policy.

User's image

Let us know if it resolves this issue.

Thanks.

If the answer is helpful, please click "Accept as Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

CreatiXx 6 Reputation points

2024-08-22T06:51:00.1166667+00:00

Hi so i did what you asked,

Made a new CA policy, targeted both apps and set it up as a block. I was able to login without any issues. I looked at the logs and it said the app didnt match.

The only workaround i have found is to exclude "browser" as a target client app within the policies requiring compliance. While not favorable, i can see some issues with it in the long run.
AllenXu-MSFT 24,951 Reputation points Moderator

2024-08-22T09:51:43.9266667+00:00

@CreatiXx，

Glad to hear that this issue has been resolved and thanks for your sharing and contribution to our community.

It would be appreciated if you can "Accept Answer" so that others who stuck in similar issues could get answered quickly. Please feel free to talk with us if you have other questions.

Thanks!
CreatiXx 6 Reputation points

2024-08-22T11:01:49.8533333+00:00

No unfortunately not, i still cannot find what i need to exclude so my policies requiring compliance can work flawlessly with what i intend to do.

If i exclude those above mentioned apps the issue remains and does not work.
CreatiXx 6 Reputation points

2024-08-22T12:49:32.02+00:00
@AllenXu-MSFT

Unfortunately the problem remains.

If i make a CA policy in which i target Office 365 apps but exclude sharepoint online and require compliance. I stil get blocked on an unmanaged device.

If i make a CA policy and exclude both sharepoint online and the 2 apps you mentioned, i still get blocked.

If i make a CA policy, with the same targer resources but targeting client apps under "Conditions" with the following setup :

Enable

Mobile Apps and desktop clients

Exchange ActiveSync clients

Other clients

then this works because i'm not blocking browser login. BUT that means that i'm not blocking browser login for ALL of the Office 365 resources which is not something you'd want. I can do "Session control -> Use app enforced restrictions" but to be honest, i dont know exactly what this does.
CreatiXx 6 Reputation points

2024-08-22T13:58:07.03+00:00
@AllenXu-MSFT My apologies for the spam but i have done the following setup of testing policies

Require Compliance but exclude Sharepoint

Target Resources

Include : Office 365

Exclude :

Office 365 Sharepoint Online

SharePoint Online Client Extensibility Web Application Principle

SharePoint Online Client Extensibility Web Application Principle Helper

Conditions

Client Apps - Enable :

Mobile apps and desktop clients

Exchange ActiveSync clients

Other Clients

Grant

Require compliant device

Block Office 365 browser but exclude Sharepoint

Target Resources

Include : Office 365

Exclude :

Office 365 Sharepoint Online

SharePoint Online Client Extensibility Web Application Principle

SharePoint Online Client Extensibility Web Application Principle Helper

Conditions

Client Apps - Enable :

Browser

Grant

Block Access

Allow browser Office 365 Sharepoint Online - App Enforced

Target Resources

Include : Office 365 Sharepoint Online

Conditions

Client Apps - Enable :

Browser

Session

Use App enforced restrictions

If i use this combination of CA policies it is policy 2 that hits cause it keeps matching on the application. The exclude is not sufficient meaning i cannot bypass it meaning it keeps blocking & requiring compliance no matter what i do and this is what i need help with.
AllenXu-MSFT 24,951 Reputation points Moderator

2024-08-26T02:36:49.7933333+00:00

@CreatiXx,

As per my test I couldn't reproduce this issue in my end sorry. It will be hard to go on further troubleshooting. In order not to affect your business, I suggest you raise a service request in M365 admin center. MS support can have a remote session with you and help you check from the backend.

Share via

Conditionall Access : SharePoint Online Web Client Extensibility

1 answer

Your answer