IP restriction with Sensitivity Label on SharePoint library not working

thomas masquelier 0 Reputation points
2023-12-29T14:23:32.18+00:00

Hello Microsoft,

We are facing an issue on our tenant; I'll try to explain clearly.

What we set up

  • Authentication context
  • Conditional access: deny access if outside of office network, linked to the authentication context
  • Sensitivity label linked to that authentication context, named "IP Lock"

Practical use case:

We create a new SharePoint with the sensitivity label "IP Lock"; working great if you are trying to access the SharePoint from the office IP, you won't be able to access the SharePoint.
However, if you are accessing the SharePoint from the office, you'll have access.

The blocking part

Now, to make it simple, let's create a SharePoint with the sensitivity label set to "none" (but we could set it to anything really).
Now we go to site content and "New" => "site library", which we will call "Restricted", setting the "IP Lock" sensitivity label on the library itself.
We would expect to need to be at the office to access the library; however, that's not the case. We can access it from anywhere.

This issue also happens when setting a conditional access policy blocking access if the device is not compliant.


We believe we did some tests in the past and this was working properly; however, now it seems like nothing is applied correctly anymore when it comes to sensitivity labels on libraries... But now we start doubting this ever actually worked.


1 answer

  1. Emily Du-MSFT 49,846 Reputation points Microsoft Vendor
    2024-01-01T08:53:56.8766667+00:00

    Please check the following tips to troubleshoot the issue.

    1. Make sure that you have configured the authentication context in the "external sharing and device access" configuration of the sensitivity label.

    2. Make sure that you have chosen the authentication context in the Target resources of the conditional access policy.

    3. Make sure that you have chosen Any location, with all trusted locations excluded, in the Conditions of the conditional access policy.

    4. Make sure that you have chosen Require device to be marked as compliant in the Access controls - Grant of the conditional access policy.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
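The policy-side checks in the answer above (tips 2 to 4) can be run against a policy exported as JSON. The following is an added example, not part of the original thread or of any Microsoft tooling: it assumes the Microsoft Graph `conditionalAccessPolicy` shape, the function name `audit_policy` and the authentication context id `c1` are hypothetical, both sample policies are constructed, and the policy-state check is an addition not listed in the answer.

```python
# Added example. Policy dictionaries follow the Microsoft Graph
# conditionalAccessPolicy JSON shape; every value below is constructed.

def audit_policy(policy, auth_context_id):
    """Check one policy against tips 2-4 of the answer; return findings."""
    findings = []
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    locs = cond.get("locations") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []

    if policy.get("state") != "enabled":
        findings.append("policy is not in the 'enabled' state, so it is not enforced")
    if auth_context_id not in (apps.get("includeAuthenticationContextClassReferences") or []):
        findings.append("target resources do not include authentication context " + auth_context_id)
    if "All" not in (locs.get("includeLocations") or []):
        findings.append("locations condition does not include 'All' (any location)")
    if not locs.get("excludeLocations"):
        findings.append("no trusted location is excluded")
    if "block" not in controls and "compliantDevice" not in controls:
        findings.append("grant neither blocks nor requires a compliant device")
    elif "block" not in controls and len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("compliant device is only one of several OR'ed grant controls")
    return findings

# Constructed sample: matches the configuration the answer describes.
GOOD = {
    "displayName": "IP Lock", "state": "enabled",
    "conditions": {
        "applications": {"includeAuthenticationContextClassReferences": ["c1"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}
# Constructed sample: report-only, scoped to an app instead of the context,
# and compliant device OR'ed with MFA.
BAD = {
    "displayName": "IP Lock (draft)", "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "applications": {"includeApplications": ["Office365"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

if __name__ == "__main__":
    for p in (GOOD, BAD):
        print(p["displayName"], audit_policy(p, "c1") or "OK")
```

Tip 1 (the authentication context chosen in the label's own settings) lives in the sensitivity label configuration, not in the policy object, so it has to be verified separately.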

