Azure Conditional Access – Control SharePoint/OneDrive Downloads

Tags: authentication, azure-active-directory, conditional, sharepoint

I'm trying to use Azure Conditional Access to control downloading from SharePoint/OneDrive, but I'm completely new to this.

I wish to be able to use OneDrive (the business app) AND to download/sync files from OneDrive online / SharePoint via a web browser on all the PCs owned by my organisation (our domain is Azure-only, rather than an Azure hybrid domain).

BUT ONLY view files on OneDrive online / SharePoint via a web browser – i.e. NOT download nor sync with the OneDrive app on any other PCs (e.g. home PCs).

So I've tried to make a policy which will ALLOW:

  • access to Office 365 SharePoint Online
  • at all trusted locations
  • for PCs which are BOTH Compliant AND pass Multi-Factor Access

And a second policy which will ALLOW:

  • access to Office 365 SharePoint Online
  • excluding trusted locations (i.e. everywhere else)
  • Browser only for client apps (i.e. Not OneDrive App)
  • pass Multi-Factor Access
  • Using app enforced restrictions (i.e. hide the Sync button online)

However, as much as I try different variations on these settings, I cannot get the sync button on OneDrive Online to display on a work PC and be restricted on a foreign PC.

Can anyone point me at an idiot's guide to doing this?

Thanks in advance
phil

Best Answer

To achieve this you only need a single ALLOW rule in Conditional Access.

  • App: Office 365 SharePoint Online
  • Users: All Users
  • Devices: All + exclude Compliant
  • Enforce client app restrictions
  • ALLOW and Require MFA

The way services work in Office 365 is that everything is allowed by default. So your CA rules only need to cover exceptions. You don't need to specifically allow something. In this case, file sync and download will be allowed on compliant devices, since this rule will not be applied to them. Also, please note that even though you only specify SharePoint as a target app, the rule will apply to both SharePoint Online and OneDrive for Business.

Of course, you might need to make sure the device is detected as compliant. This might require some configuration on the Intune side to make this work. Also, device authentication only works in IE and Edge out of the box. If you want it to work in Chrome, you need to install the Windows 10 Accounts extension for your users. Otherwise, the computer will not be detected as compliant when you access SharePoint/OneDrive via Chrome. The extension can be installed for all your users centrally using Intune.
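The single policy described in the answer above, written out as an added example (this is not code from the original post or from Microsoft's documentation). It uses the Microsoft Graph PowerShell SDK to create the policy and the SharePoint Online Management Shell to switch on the tenant-side "limited access" setting that app-enforced restrictions depend on. Assumptions: both modules are installed, the answer's "All devices, exclude Compliant" condition is expressed as a device filter (the current form of that condition), the tenant admin URL and the break-glass group ID are placeholders, and the policy is created in report-only mode so it can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original answer): one Conditional Access policy that
# applies MFA + app-enforced restrictions to every device that is NOT compliant,
# plus the SharePoint Online setting that makes "app-enforced restrictions" do
# something. Placeholders: the tenant URL and the break-glass group ID.

# Install-Module Microsoft.Graph -Scope CurrentUser
# Install-Module Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# First-party application ID of Office 365 SharePoint Online. As the answer notes,
# targeting it also covers OneDrive for Business, which is hosted in SharePoint.
$sharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'SPO/OneDrive: limited web access on non-compliant devices'
    # Report-only first; switch to 'enabled' once the sign-in log shows the
    # expected "Report-only" results for work PCs (not applied) and home PCs (applied).
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @($sharePointAppId) }
        users        = @{
            includeUsers  = @('All')
            # Placeholder GUID: always exclude a break-glass admin group so a
            # mistake in this policy cannot lock every admin out of SharePoint.
            excludeGroups = @('00000000-0000-0000-0000-000000000000')
        }
        # No client-app restriction, as in the answer: the OneDrive sync client on
        # a home PC is caught by this policy too, and SharePoint then refuses sync.
        clientAppTypes = @('all')
        # "Devices: All + exclude Compliant" from the answer as a device filter.
        # Compliant devices are excluded, so the policy never applies to them and
        # download/sync stay available there (Office 365 allows by default).
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Tells SharePoint Online that this session is subject to its own
        # restrictions (browser-only, no Download/Print/Sync).
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# App-enforced restrictions only take effect if SharePoint Online is told to honour
# them. AllowLimitedAccess = view-only in the browser for sessions flagged by the
# CA policy; the OneDrive sync client and file download are blocked for those
# sessions. Unflagged sessions (compliant devices) keep full access.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Leave the policy in report-only mode for a few days and filter the Azure AD sign-in log on the SharePoint Online application: a sign-in from a compliant work PC should show the policy as "Not applied" (device filter excluded it), and a sign-in from a home PC should show it as "Report-only: success" with the app-enforced restriction recorded. Remember the answer's Chrome caveat: without the Windows 10 Accounts extension the browser does not present the device identity, so a compliant work PC using Chrome is evaluated as non-compliant and gets the limited, no-sync experience.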
