Conditional access policy for SharePoint sites and OneDrive
Some features in this article require Microsoft Syntex - SharePoint Advanced Management
With Microsoft Entra authentication context, you can enforce more stringent access conditions when users access SharePoint sites.
You can use authentication contexts to connect an Microsoft Entra Conditional Access policy to a SharePoint site. Policies can be applied directly to the site or via a sensitivity label.
Note that this capability can't be applied to the root site in SharePoint (for example, https://contoso.sharepoint.com).
Using authentication context with SharePoint sites requires one of the following licenses:
- Microsoft Syntex - SharePoint Advanced Management
- Microsoft 365 E5/A5/G5
- Microsoft 365 E5/A5 Compliance
- Microsoft 365 E5 Information Protection and Governance
- Office 365 E5/A5/G5
Some apps don't work with authentication contexts. We recommend testing apps on a site with authentication context enabled before broadly deploying this feature.
The following apps and scenarios don't work with authentication contexts:
- Older version of Office apps (see the list of supported versions)
- Viva Engage
- Teams web app
- OneNote app can't be added to channel if the associated SharePoint site has an authentication context.
- Teams private channel won't provision a SharePoint site if the main team site has an authentication context.
- Teams channel meeting recording upload fails on sites with an authentication context.
- SharePoint folder renaming in Teams fails if the site has an authentication context.
- Teams webinar scheduling fails if OneDrive has an authentication context.
- Workflows that use Power Apps or Power Automate fails to work for sites with an authentication context.
- Third-party apps
- The OneDrive sync app won't sync sites with an authentication context.
- Copy or move files from a site with no authentication context to a site with an authentication context fails.
- Due to the authentication process when an authentication context is present, Quick Access will not work and you will need to use the Go to site link.
- Associating an authentication context to the enterprise application catalog site collection is not supported.
- The “Visualize SharePoint List in Power BI” feature does not currently support authentication context.
- Outlook on Windows, Mac, Android and iOS do not support communication with SharePoint sites protected by an Authentication Context.
Setting up an authentication context
Setting up an authentication context for labeled sites requires these basic steps:
Add an authentication context in Microsoft Entra ID.
Create a conditional access policy that applies to that authentication context and has the conditions and access controls that you want to use.
Do one of the following:
- Set a sensitivity label to apply the authentication context to labeled sites.
- Apply the authentication context directly to a site
Add an authentication context
First, add an authentication context in Microsoft Entra ID.
To add an authentication context:
In Microsoft Entra Conditional Access, under Manage, click Authentication context.
Click New authentication context.
Type a name and description and select the Publish to apps check box.
Create a conditional access policy
To create a conditional access policy:
In Microsoft Entra Conditional Access, click New policy.
Type a name for the policy.
On the Users and groups tab, choose the Select users and groups option, and then select the Guest or external users check box.
Choose B2B collaboration guest users from the dropdown.
On the Cloud apps or actions tab, under Select what this policy applies to, choose Authentication context, and select the check box for the authentication context that you created.
Choose if you want to enable the policy, and then click Create.
Apply the authentication context directly to a site
You can directly apply an authentication context to a SharePoint site by using the Set-SPOSite PowerShell cmdlet.
This capability requires a Microsoft 365 E5 or Microsoft Syntex - SharePoint Advanced Management license.
In the following example, we apply the authentication context we created above to a site called "research."
Set a sensitivity label to apply the authentication context to labeled sites
If you want to use a sensitivity label to apply the authentication context, update a sensitivity label (or create a new one) to use the authentication context.
Sensitivity labels require Microsoft 365 E5 or Microsoft 365 E3 plus the Advanced Compliance license.
To update a sensitivity label
In the Microsoft Purview compliance portal, on the Information protection tab, click the label that you want to update and then click Edit label.
Click Next until you are on the Define protection settings for groups and sites page.
Ensure that the External sharing and Conditional Access settings check box is selected, and then click Next.
On the Define external sharing and device access settings page, select the Use Microsoft Entra Conditional Access to protect labeled SharePoint sites check box.
Select the Choose an existing authentication context option.
In the dropdown list, choose the authentication context that you want to use.
Click Next until you are on the Review your settings and finish page, and then click Save label.
Blocking background apps (rolling out in preview)
If authentication context is set on a site, admins can choose to prevent background apps from accessing that site for the apps assigned with that authentication context in a conditional access policy. You can configure a conditional access policy such that a specific authentication context can be assigned to chosen application principles (non-Microsoft applications). You'll need to explicitly turn this feature on via the following cmdlet. Note that you should have at least one conditional access policy with an application principle configured.
Set-SPOTenant -BlockAPPAccessToSitesWithAuthentcationContext $false/$true (default false)