LimitedAccess web-only sensitivity label - guest can still use full Teams client

Question

Some of our Teams/365/Sharepoint sites have a sensitivity label that only allows for limited web-only access, but external guests in those Teams can still use the desktop client. The app protection seems to be working because they get the yellow banner saying no print, download or whatever.

Here's our setup:

label on team/group/sharepoint site User's image

org-level sharepoint unmanaged devices:
User's image

app enforcement CA policy
User's image

no unmanaged device CA policy because we've allowed full access at top level. my understanding it that the site level can have a higher level of restriction, which is what our sensitivity label is setting the site level at. If you do a get-sposite on the sharepoint site with the web-only label you get this output
User's image

which seems correct. "AllowLimitedAccess"

what am I missing? Have I got something the wrong way round? Should the org level be "allow limited, web-only access" and the sensitivity label be less restrictive for site we do want guest users on unmanaged devices to use the full client on?

E3 licensed.

Answer

Hi,

I think you might need to set the option "allow limited, web only access" for unmanaged devices.

Guest users typically use unmanaged devices. To prevent them from accessing the site from the desktop the setting must be enabled. To enable it for just a subset of users and not for all users follow the link on the page or this link

However, regardless if they use the browser or the desktop they cannot download and save files. They can edit them in the app but are not allowed tot save it locally

Kind regards,

Jack

Share via

LimitedAccess web-only sensitivity label - guest can still use full Teams client

1 answer