Block SPO site access unmanaged devices

jsdwr 0 Reputation points
2024-06-11T21:41:21.0066667+00:00

I am unable to block unmanaged devices from accessing certain sites. Per https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive I have created a CA Policy 'App-Enforced Restrictions':

  • Applied: All Users
  • Target: Office 365 SharePoint Online
  • Conditions: Windows-only devices & Client Apps: All
  • Access Controls: Grant = 0 selected & Session = app enforced restrictions
  • This policy is set report-only

I have not set access control globally in SPO Admin, I have used PowerShell to set a test site:

 Set-SPOSite -Identity <URL> -ConditionalAccessPolicy BlockAccess

and I have confirmed with:

 Get-SPOSite <URL> | Select conditionalaccesspolicy

When I browse to the test site from an un-managed device it opens without problem, and sign-in logs show the policy is evaluated as success.

FYI, I have also created a test policy applied to a specific user that only grants SPO access from a compliant device, and that works as expected.

Can someone see what I'm missing here?
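The configuration above has two halves that must both be in place: the site-level ConditionalAccessPolicy in SharePoint Online, and an enforced Conditional Access policy in Entra ID that targets SharePoint Online with the "Use app enforced restrictions" session control. The following audit script is an added example, not code from the question or from Microsoft's documentation; it reads both halves and lists anything that would stop the block from taking effect. It assumes the SharePoint Online Management Shell and the Microsoft.Graph.Identity.SignIns module are installed, that you hold SharePoint admin and Policy.Read.All rights, and that the admin URL, site URL and policy name are placeholders you replace.

```powershell
# Added audit script (not from the question or the answers). Assumptions:
# SharePoint Online Management Shell and Microsoft.Graph.Identity.SignIns are
# installed; the three values below are placeholders to replace.
param(
    [string]$AdminUrl   = "https://contoso-admin.sharepoint.com",           # placeholder
    [string]$SiteUrl    = "https://contoso.sharepoint.com/sites/TestSite",  # placeholder
    [string]$PolicyName = "App-Enforced Restrictions"                        # name used in the question
)

$findings = New-Object System.Collections.Generic.List[string]

# --- SharePoint Online side -------------------------------------------------
Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant
$site   = Get-SPOSite -Identity $SiteUrl

"Tenant default ConditionalAccessPolicy : $($tenant.ConditionalAccessPolicy)"
"Site-level ConditionalAccessPolicy     : $($site.ConditionalAccessPolicy)"

if ($site.ConditionalAccessPolicy -ne 'BlockAccess') {
    $findings.Add("Site is not set to BlockAccess; run: Set-SPOSite -Identity $SiteUrl -ConditionalAccessPolicy BlockAccess")
}

# --- Entra Conditional Access side -----------------------------------------
# The site setting is only honoured when an enforced CA policy with the
# 'Use app enforced restrictions' session control targets SharePoint Online.
Connect-MgGraph -Scopes 'Policy.Read.All'

$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"

if (-not $policy) {
    $findings.Add("No Conditional Access policy named '$PolicyName' was found")
} else {
    "CA policy state                        : $($policy.State)"

    # 'enabledForReportingButNotEnforced' is the Graph value for report-only mode:
    # sign-in logs record the evaluation result, but nothing is ever blocked.
    if ($policy.State -ne 'enabled') {
        $findings.Add("Policy state is '$($policy.State)'; only 'enabled' policies enforce the session control")
    }

    $appRestrictions = $policy.SessionControls.ApplicationEnforcedRestrictions
    if (-not ($appRestrictions -and $appRestrictions.IsEnabled)) {
        $findings.Add("Session control 'Use app enforced restrictions' is not enabled on the policy")
    }

    # Office 365 SharePoint Online is targeted by its well-known application id,
    # or indirectly through the 'All' / 'Office365' app groups.
    $spoAppId = '00000003-0000-0ff1-ce00-000000000000'
    $apps = @($policy.Conditions.Applications.IncludeApplications)
    if (($apps -notcontains $spoAppId) -and ($apps -notcontains 'All') -and ($apps -notcontains 'Office365')) {
        $findings.Add("Policy does not target SharePoint Online (include apps: $($apps -join ', '))")
    }
}

# --- Summary ---------------------------------------------------------------
if ($findings.Count -eq 0) {
    "All checks passed: unmanaged devices should be blocked once the policy has propagated."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an elevated PowerShell session after replacing the placeholders; each finding names the setting to change. The state check matters because a report-only policy is evaluated and logged exactly like an enforced one, so a "success" entry in the sign-in log does not by itself mean the session control was applied.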


2 answers

  1. Ling Zhou_MSFT 15,320 Reputation points Microsoft Vendor
    2024-06-12T02:42:08.1866667+00:00

    Hi @jsdwr,

    Thank you for posting in this community.

    First of all, the conditional access policies you set may take effect after 24 hours. You can confirm that the time of your test is 24 hours after the setup is complete.

    Second, according to the document you shared, the conditional access policies only take effect when you use unmanaged devices for people who are not in your organization. Confirm that your testers are not part of the organization at the time.


    Finally, if your policy of access from unmanaged devices wants to apply to all users, I recommend that you implement sensitive labels and Microsoft Entra Conditional Access: Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Ling Zhou_MSFT 15,320 Reputation points Microsoft Vendor
    2024-06-14T05:55:01.4333333+00:00

    Hi @jsdwr,

    Thank you for your reply.

    My colleague and I have carefully read and tested the article you provided, and we both agree that it is okay to restrict access to a site by following the configuration steps in the article. We're sorry we couldn't find a reason why the policy isn't working at this time. First, you can try to select “Require device to be marked as compliant” in Grant when creating a policy, and then test it 24 hours later.


    Second, if PowerShell doesn't work, you can try using sensitivity labels.

    Finally, if none of the above works, I suggest you open a ticket and ask.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.