SharePoint sites with IP restrictions set with an authentication context can be accessed from outside of the restrictions from Teams

nobuhiro shintaku 0 Reputation points
2023-04-06T06:11:31.04+00:00

Sorry, I usually speak Japanese, not English, and this text is using automatic translation. Please forgive me if some words or grammar may be unfamiliar or incorrect. We currently have an authentication context named "IP Restrictions" for a particular SharePoint site. For this authentication context, I have configured Azure AD's conditional access policy to block access to all but specific IP addresses. When I access the SharePoint site directly with a browser, the allow/deny changes as soon as I change the IP address. However, when accessing the site via Teams, both the Teams Web and Desktop App versions are experiencing the following issues.

  • Add the SharePoint document library as a tab to your team in Teams.
  • Then, access the tabbed SharePoint document library from a prohibited IP address. The access will be denied as expected.
  • Then access the tabbed SharePoint document library from an unrestricted IP address. At this time, you can access it normally as expected.
  • If you access the tabbed SharePoint document library again from a prohibited IP address on a terminal that has completed the above operation, you will be able to continue to use it indefinitely until you sign out in Teams.

When I look at the Azure AD sign-in log, it appears that "Continuous Access Evaluation" is enabled, but the authentication context has been ignored. Why is this? And is there a workaround? Thank you.

Microsoft Teams
Microsoft Teams
A Microsoft customizable chat-based workspace.
9,198 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,791 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,767 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Carlos Solís Salazar 16,701 Reputation points MVP
    2023-04-06T12:43:00.3833333+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    I understand that your Conditional access policy applies when you try to access a SharePoint site but not when accessing it via Teams. answering your questions: Why is this? Because, when you log in via Teams, conditional access evaluates the login in Teams. Among all tools that Teams have, one is to create, manage and use SharePoint sites. And is there a workaround? The best choice is to use a SharePoint site not related to Teams. To allow you to apply the conditional access policies. Hope this helps!


    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.