Restrict “Open in Desktop App” for Unmanaged Devices (SharePoint & OneDrive)
Hello everyone,
I’m implementing a company policy that restricts users on unmanaged devices to only open documents (Word, Excel, PowerPoint) via Office for the Web when accessing data on SharePoint Online and OneDrive for Business.
The goal is to prevent users from using the “Open in Desktop App” option, as this allows them to "Save As" content to local storage — which violates our data protection policy.
We are currently licensed with:
- Microsoft 365 E5 (full)
- Microsoft 365 E3 + Microsoft 365 E5 Information Protection & Governance add-on
I’ve already tried combinations of:
- Conditional Access policies (targeting unmanaged devices)
- Microsoft Defender for Cloud Apps session controls
However, users on personal devices are still able to open files with Office desktop apps.
Has anyone successfully enforced web-only access in a similar scenario? Any insights, workarounds, or best practices would be greatly appreciated.
Thanks in advance!