Only Allow access for One User or AAD Group to One SharePoint Online site and no other sites

Matt Ruser 11 Reputation points
2023-07-11T13:27:21.2566667+00:00

Thanks for reviewing my question. I will start with the solution first because I don’t think I’m the first to try something like this. I have a contractor who needs access to only one SPO (SharePoint Online) site and gets access denied on all other SPO sites. They will have an Azure AD account with MFA and be allowed an unmanaged device. This will also make them a member of the “Everyone except external users” group in SPO. Is it possible to set up an Azure Conditional Access Policy to allow access to one SPO site? Could I potentially use a mixture of Conditional Access Policy and MS Purview sensitivity labels to prevent them from accessing any other SharePoint site that allows the “Everyone except external users” group access?

Parameters:

  • User will have an AAD user account with MFA
  • Unmanaged device is allowed in SPO
  • By default the user will be a member of the SPO group "Everyone except external users" which provides access to all our default or public information SPO sites like our default Intranet site.

Thanks in advance for any and all help.

SharePoint

2 answers

Sort by: Most helpful
  1. Ling Zhou_MSFT 15,555 Reputation points Microsoft Vendor
    2023-07-12T09:19:36.7566667+00:00

    Hi @IT Matt R,

    Thank you for posting in this community.

    Yes, you can use a mixture of Conditional Access Policy and MS Purview sensitivity labels to prevent the contractor from accessing any other SharePoint site. Just use the label created by MS Purview when setting up the authentication context.

    Screenshot of Azure AD authentication context sensitivity label settings

    You can follow this article to plan your conditional access policy:

    Plan a Conditional Access deployment.

    You can follow this article to set a sensitivity label to apply the authentication context to labeled sites:

    Conditional access policy for SharePoint sites and OneDrive


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Ling Zhou_MSFT 15,555 Reputation points Microsoft Vendor
    2023-07-14T06:47:07.5566667+00:00

    Hi @IT Matt R

    Please accept my sincere apologies for the late reply.

    I feel regretful that I can't reproduce your requirements in my test environment. But I found a more detailed step-by-step guide for your reference.

    First, you can configure the MFA. Here are the detailed steps:

    Configure multi-factor authentication for access

    Second, you can follow these steps to configure access policy to a SharePoint Site and the unmanaged device:

    https://blog.admindroid.com/6-conditional-access-policies-to-increase-your-sharepoint-security/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link. 

    Thank you for your tolerance and understanding!


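Both answers above point at the same mechanism: an Entra ID (Azure AD) authentication context attached to SharePoint sites, plus a Conditional Access policy that fires when that context is requested. What neither answer spells out is the direction of the control: Conditional Access cannot say "allow only this one site URL", so the deny has to be attached to every site the contractor must not reach (the ones where "Everyone except external users" grants access), and the single permitted site is the one left untagged. The authentication context also does not grant anything; the contractor still needs ordinary site permission on the permitted site. The script below is an added example for this thread, not code from either answer or from Microsoft. It assumes Microsoft Graph PowerShell and the SharePoint Online Management Shell are installed, uses "contoso" and a zero GUID as placeholders, and applies the authentication context per site with Set-SPOSite rather than through a Purview sensitivity label as the first answer describes; the label route ends up with the same AuthenticationContextName on the site. The MFA policy from the second answer is a separate policy and is not repeated here.

```powershell
# Added example for this thread, not code from the original answers.
# Assumptions (placeholders, change for your tenant):
#   - Modules: Microsoft.Graph (Identity.SignIns) and Microsoft.Online.SharePoint.PowerShell
#   - $ContractorGroupId is the object ID of an Entra ID security group holding the contractor
#   - $AllowedSite is the one site the contractor may use; it is deliberately NOT tagged
#   - Tenant URLs use "contoso" as a placeholder
$ContractorGroupId = "00000000-0000-0000-0000-000000000000"
$AllowedSite       = "https://contoso.sharepoint.com/sites/ContractorProject"
$AuthContextId     = "c1"                          # ids c1..c99 are the allowed range
$AuthContextName   = "Internal-only SharePoint"

# --- Entra ID side -----------------------------------------------------------
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# 1. Authentication context. A site that carries it (directly or via a sensitivity label)
#    makes Conditional Access evaluate the policies scoped to this context on every access.
New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id $AuthContextId -DisplayName $AuthContextName `
    -Description "Sites the contractor group must not reach" -IsAvailable:$true

# 2. Conditional Access policy: block the contractor group whenever this context is requested.
#    Start in report-only mode and review the sign-in logs before setting state to "enabled".
$policy = @{
    displayName   = "Block contractors from internal-only SharePoint sites"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($ContractorGroupId) }
        applications   = @{ includeAuthenticationContextClassReferences = @($AuthContextId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- SharePoint side ---------------------------------------------------------
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 3. Tag every site except the permitted one. The deny must sit on the sites you want
#    closed; the permitted site stays untagged and so never triggers the block policy.
#    Get-SPOSite -Limit All omits OneDrive personal sites; add -IncludePersonalSite if
#    "Everyone except external users" has been granted on those as well.
$restricted = Get-SPOSite -Limit All | Where-Object { $_.Url -ne $AllowedSite }
foreach ($site in $restricted) {
    Set-SPOSite -Identity $site.Url `
        -ConditionalAccessPolicy AuthenticationContext `
        -AuthenticationContextName $AuthContextName
}

# 4. Check: the allowed site must report no auth context; every other site must report yours.
#    Any row printed is a site in the wrong state; an empty result means tagging is consistent.
foreach ($site in Get-SPOSite -Limit All) {
    $s = Get-SPOSite -Identity $site.Url
    $isAllowed = $s.Url -eq $AllowedSite
    $isTagged  = $s.AuthenticationContextName -eq $AuthContextName
    if ($isAllowed -eq $isTagged) {
        $s | Select-Object Url, ConditionalAccessPolicy, AuthenticationContextName
    }
}
```

After the policy is switched from report-only to enabled, sign in as the contractor and open one tagged site and the permitted site: the tagged site should fail with a Conditional Access block (visible in the Entra sign-in log as a failure on this policy) while the permitted site opens normally. Remember that a new site created later is untagged by default and therefore open to the contractor until it is tagged, so re-run step 3 or attach the authentication context to the sensitivity label your site-creation process applies.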