How to enforce granular Conditional Access policies per SharePoint site
Sanjoyan Mustafi
Principal Product Manager | Data Security | SaaS, Enterprise, & Cloud Products | New Product Launch & Testing | User Requirements | Technological Innovation
Background
Conditional Access policies have been supported in SharePoint, OneDrive, and Teams for many years. With the label-based policy approach, we provided a simple and powerful access control model that secures your content holistically at the level of a SharePoint site, a Team, or a Microsoft 365 Group.
We are continuing this journey and taking a major step forward with the preview of granular Conditional Access policy support in SharePoint and OneDrive.
Now in preview, this feature lets you enforce more stringent access conditions when users open SharePoint sites that have a sensitivity label applied. The stricter conditions are enforced through a new Azure AD construct called an authentication context, which you create and publish in your organization's Conditional Access deployment. An authentication context is connected to Conditional Access policies on one side and to resources, for example a SharePoint site, on the other.
As an example, you can attach a Conditional Access policy to an authentication context so that a user must complete multi-factor authentication (MFA) to prove their identity. Once that authentication context is connected to a sensitive site via a label, users must satisfy MFA whenever they access that specific site, even if the rest of the tenant does not require it.
Another useful scenario is Terms of Use (TOU). An authentication context can be associated with a terms of use policy in Azure AD. Again, once the authentication context is connected to a sensitive site via a label, users are forced to accept the TOU before they get access to the site.
Schematic view of Authentication Context usage
Configuring Authentication Context with CA policy
Authentication contexts are managed from a new blade called Authentication context under the Manage section of Conditional Access in the Azure AD portal: https://aka.ms/authcontextblade
Two actions are required to use authentication contexts.
- Configure an authentication context. Provide a meaningful name and description, and tick the "Publish to apps" checkbox so that applications such as SharePoint can see the context and bind resources to it.
Note: You can create up to 25 authentication contexts.
- Assign the authentication context to a Conditional Access policy. Open the "New" Conditional Access policy blade, go to "Cloud apps or actions", open the dropdown "Select what this policy applies to" and choose "Authentication context (preview)".
All the authentication contexts that you created and published in the first step are visible here; select the one you want to attach to this policy.
Note: A given authentication context can be assigned to one or more Conditional Access policies, and a given Conditional Access policy can target more than one authentication context. Remember that the policy's controls (MFA, TOU, compliant device, and so on) are evaluated only when a resource bound to that context is accessed; users who never open such a resource are never challenged by it.
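The two portal steps above can also be scripted against Microsoft Graph, which makes the setup repeatable and lets you verify the binding instead of trusting a screenshot. The following is an added example, not code from the original post or from Microsoft: it assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the signed-in administrator can consent to Policy.ReadWrite.ConditionalAccess. The context id c1, the display names and the description are placeholders.

```powershell
# Added example (not from the original post). Creates and publishes an
# authentication context, then creates a Conditional Access policy that
# requires MFA whenever a resource bound to that context is accessed.
# Assumes: Microsoft.Graph.Authentication module; an account able to grant
# Policy.ReadWrite.ConditionalAccess. Names and the id "c1" are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$graph = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"

# 1. Create the authentication context. Ids take the form c1..c25, which is
#    where the limit of 25 contexts comes from. isAvailable = $true is the
#    API equivalent of ticking "Publish to apps" in the portal.
$contextId   = "c1"
$contextBody = @{
    id          = $contextId
    displayName = "Require MFA - Confidential SharePoint"
    description = "Step-up to MFA for sites labelled Confidential"
    isAvailable = $true
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/authenticationContextClassReferences" -Body $contextBody

# 2. Create a policy whose target is the authentication context rather than a
#    cloud app. It starts in report-only mode; switch state to "enabled" only
#    after the sign-in logs show the expected users being evaluated, and add
#    your break-glass accounts to excludeUsers before you do.
$policyBody = @{
    displayName   = "CA - MFA for Confidential SharePoint sites"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeAuthenticationContextClassReferences = @($contextId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies" -Body $policyBody

# 3. Read both objects back and check the binding explicitly. A context that
#    exists but is not published, or a policy that does not reference it,
#    silently leaves the site unprotected.
$ctx = Invoke-MgGraphRequest -Method GET -Uri "$graph/authenticationContextClassReferences/$contextId"
if (-not $ctx.isAvailable) {
    throw "Context $contextId exists but is not published to apps"
}

$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/$($policy.id)"
$bound = $check.conditions.applications.includeAuthenticationContextClassReferences
if ($bound -notcontains $contextId) {
    throw "Policy $($policy.id) does not target authentication context $contextId"
}
"Context $contextId is published; policy '$($check.displayName)' is in state $($check.state)"
```

The report-only state is deliberate: a policy scoped to "All" users with no exclusions will also apply to the administrator who is configuring it, and a misconfigured MFA requirement on the site that hosts your runbooks is an outage you want to discover in the sign-in logs, not at the login screen.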
Attach Authentication Context with Sensitivity label
Once you have created one or more authentication contexts and attached them to Conditional Access policies, the next step is to attach a context to a sensitivity label. Any SharePoint site that receives the label then inherits the authentication context, and with it the corresponding Conditional Access policies, so you do not have to configure each site individually. Read more on sensitivity labels and SharePoint here.
The screenshot below depicts how to tag the authentication context on a sensitivity label in the Microsoft 365 compliance center.
The feature is rolling out gradually worldwide. You may be able to create the label with an authentication context, but when you apply the label the policy may not yet be enforced. In that case, use the workaround below.
If you do not use sensitivity labels on SharePoint sites, you can instead apply the authentication context directly to a given SharePoint Online site via PowerShell. Download and install the latest SharePoint Online Management Shell and run the command below for your chosen site.
Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "Name of Authentication Context"
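The single command above applies the context but does not tell you whether it took effect. The following added example (not from the original post) wraps it in a connect, apply and read-back sequence for several sites, so that a typo in the context name or a site that was not updated fails loudly. It assumes the SharePoint Online Management Shell is installed, that the signed-in account is a SharePoint administrator, and that an authentication context named "Require MFA - Confidential SharePoint" has already been created and published in Azure AD. The tenant and site URLs are placeholders.

```powershell
# Added example (not from the original post). Binds an existing, published
# authentication context to several SharePoint Online sites and verifies the
# result by reading each site back. Assumes: SharePoint Online Management
# Shell; a SharePoint admin account; the context already exists in Azure AD.
# Tenant, site URLs and the context name are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$contextName = "Require MFA - Confidential SharePoint"
$sites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/MergersAndAcquisitions"
)

foreach ($url in $sites) {
    # Record the current setting so the change can be reverted if needed.
    $before = Get-SPOSite -Identity $url
    "{0}: before = {1} / {2}" -f $url, $before.ConditionalAccessPolicy, $before.AuthenticationContextName

    # The command from the post: switch the site's conditional access mode to
    # AuthenticationContext and name the context to bind.
    Set-SPOSite -Identity $url -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName $contextName

    # Read back and compare. Set-SPOSite does not fail on an unknown context
    # name in every case, so do not trust the call without this check.
    $after = Get-SPOSite -Identity $url
    if ("$($after.ConditionalAccessPolicy)" -ne "AuthenticationContext" -or
        $after.AuthenticationContextName -ne $contextName) {
        throw "Authentication context '$contextName' was not applied to $url (got $($after.ConditionalAccessPolicy) / $($after.AuthenticationContextName))"
    }
    "{0}: after  = {1} / {2}" -f $url, $after.ConditionalAccessPolicy, $after.AuthenticationContextName
}

# To remove the binding again, for example after preview testing:
# Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowFullAccess
```

After the script reports success, confirm enforcement end to end: open one of the sites from a test account in a private browser session, check that the MFA (or Terms of Use) challenge appears, and then find that sign-in in the Azure AD sign-in logs under the Conditional Access tab, where the policy bound to the context should be listed as applied.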
Licensing
- Creating an authentication context in Azure AD requires at minimum an Azure AD Premium P1 license.
- Attaching an authentication context to a sensitivity label, or directly to a SharePoint site via PowerShell, requires one of the following licenses:
  - M365 E5
  - M365 E5 Compliance
  - IPG Bundle
Supported apps and known limitations
During this preview we support a limited set of apps, each from a specific version number upward. Browser-based apps such as Office Online, Outlook on the web and SharePoint Online are fully supported. Older or unsupported client versions may not be able to satisfy the authentication context and will be blocked or fall back to the browser, so test each client your users rely on before enabling this feature in production. Read here for the full list of dependencies and supported apps.
Principal Technical Specialist - Cloud Endpoint
3 years
Excellent! This is a capability that has been frequently asked for - and now, it's live!