OneDrive & SharePoint should not be accessible on domain-joined laptops

2024-06-18T16:24:53.8933333+00:00

We have an environment of on-premises domain-joined devices and some Azure AD registered devices. We are planning to block access to OneDrive & SharePoint on non-domain-joined devices. When I create a CA policy, it works only for Azure AD registered devices. How do I achieve this for both domain-joined & Azure AD registered devices?


2 answers

  1. Haoyan Xue_MSFT 21,411 Reputation points Microsoft Vendor
    2024-06-19T06:31:53.0166667+00:00

    Hi @Srinivas Pasupuleti - CyberSecurity ,

    Thank you for posting in this community.

    As you said, you can control access to SharePoint and OneDrive content from unmanaged devices (requiring devices to be marked as compliant or requiring Microsoft Entra hybrid joined devices). As far as I know and have searched, for on-premises non-domain-connected devices we do not have a way to lock down access to SharePoint and OneDrive at this time. Deeply regrettable.


    If the answer is helpful, please click "Accept as Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Raja Pothuraju 800 Reputation points Microsoft Vendor
    2024-06-24T19:10:56.3533333+00:00

    Hello @Srinivas Pasupuleti - CyberSecurity,

    Thank you for posting your query on Microsoft Q&A. Based on your description, I understand that you have on-premises domain-joined devices and some Azure AD registered devices. Your goal is to block access to OneDrive and SharePoint on these devices via a conditional access policy. You created a block policy and excluded Microsoft Entra registered devices, which works fine for Entra registered devices but not for on-premises domain-joined devices.

    To make it work with domain-joined devices, you need to convert those devices to Microsoft Entra hybrid-joined devices by syncing them from on-premises to the cloud using Microsoft Entra Connect. Once the on-premises domain-joined devices become Microsoft Entra hybrid-joined devices, you can exclude them from your block conditional access policy and restrict access to OneDrive and SharePoint as per your requirements.

    Please follow the document below to convert on-premises domain-joined devices to Microsoft Entra hybrid-joined devices:

    https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join

    By using the filter for device conditions in the conditional access policy, you can exclude those devices from the policy. Please refer to the document below to learn more about the supported operators and device properties for filters:

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices

    I hope this information is helpful. Please feel free to reach out if you have any further questions.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.

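The policy described in the answer above, written out as an added example with the Microsoft Graph PowerShell SDK (this is not code from the answer or from Microsoft). It assumes the SDK is installed, the admin can consent to the listed scopes, the on-premises devices have already been hybrid joined via Entra Connect, and a break-glass group object ID is substituted for the placeholder; it creates the policy in report-only mode so the effect can be reviewed in sign-in logs before enforcing it.

```powershell
# Added example: block SharePoint Online / OneDrive for every device that is neither
# Entra hybrid joined (trustType ServerAD) nor Entra registered (trustType Workplace).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Device.Read.All"

# Check first: a domain-joined PC that Entra Connect has not synced yet has no device
# object at all, so no filter can exclude it and it will be blocked like an unknown device.
$devices = Get-MgDevice -All
$devices | Group-Object TrustType | Select-Object Name, Count
# Expected buckets: ServerAD (hybrid joined), Workplace (registered), AzureAD (Entra joined)

# Filter for devices in "exclude" mode: devices matching the rule are exempt from the policy;
# anything that presents no device identity does not match and is still blocked.
$rule = 'device.trustType -eq "ServerAD" -or device.trustType -eq "Workplace"'

$params = @{
    displayName = "Block SharePoint and OneDrive except hybrid-joined and registered devices"
    # Report-only first; switch to "enabled" only after reviewing sign-in log results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object ID of the emergency-access (break-glass) group to exempt.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications = @{
            # Office 365 SharePoint Online; OneDrive for Business is served by this app.
            includeApplications = @("00000003-0000-0ff1-ce00-000000000000")
        }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{ mode = "exclude"; rule = $rule }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Device filters only evaluate when the client presents its device identity to Entra ID (for example Edge, or Chrome with the Microsoft Single Sign On extension); a browser session without a device token counts as an unknown device and is blocked.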