Control access from unmanaged devices

Last updated: April 2017

As an IT admin, you can block or limit access to SharePoint and OneDrive content from unmanaged devices (those not joined to a domain or compliant in Intune). To do this, you need subscriptions to Azure Active Directory Premium and Intune. To block access, you'll set one policy in the Microsoft Azure portal. To limit access, you'll set two policies and select a setting in the SharePoint admin center. When you limit access, users will be able to view but not edit Office files in Office Online. The Download, Print, Sync, Open in desktop app, Embed, Move to, and Copy to buttons won't appear in the new SharePoint and OneDrive experiences.


  • To use this feature, you need to enable first release for everyone in your organization. To learn how to do this, see Set up the Standard or First Release options in Office 365. It takes 24 hours for the switch to take effect. This feature is not available for customers with dedicated environments.

  • To secure highly confidential data, we recommend using Azure Rights Management (Azure RMS).

  • The access restrictions you set will also apply to users on managed devices if they use the following browser and operating system combinations:

    Chrome, Firefox, or any other browser other than Microsoft Edge or Microsoft Internet Explorer in Windows 10 or Windows Server 2016

    Firefox in Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2

Block or limit access to SharePoint and OneDrive content

  1. Create the first policy by going to the Microsoft Azure portal, selecting Conditional access, and then clicking Add.

  2. Under Users and groups, select whether you want the policy to apply to all users or only specific security groups.

  3. Under Cloud apps, select Office 365 SharePoint Online.

  4. Under Conditions, select Mobile apps and desktop clients. To block all access, also select Browser and stop after step 6 below.

  5. Under Controls, select Allow access, and then select Require compliant device or Require domain joined device.

    Creating a new policy in Azure to block access on unmanaged devices

  6. Enable the first policy.

  7. Create the second policy by again selecting Conditional access, and clicking Add.

  8. Under Users and groups, select whether you want the policy to apply to all users or only specific security groups.

  9. Under Cloud apps, select Office 365 SharePoint Online.

  10. Under Conditions, select Browser.

  11. Under Session, select Use app enforced restrictions.

    Add a policy in Azure that specifies using SharePoint app restrictions for browser access

  12. Enable the second policy.

  13. In the SharePoint admin center, click device access.

  14. Under Control access from devices that aren't compliant or joined to a domain, select Allow limited access, and then select to allow or block downloading of files that can't be viewed on the web. "Allow downloading" is selected by default for files that can't be viewed in Office Online. If you select to block downloading, users won't be able to upload or share files, or view PDF files. Selecting to block downloading may break customizations and third-party apps.

    It can take up to 15 minutes for your changes to take effect. Your changes will apply to newly created sessions, but not existing authenticated sessions.

    Device access tab of the SharePoint admin center


    • When you allow limited access, we automatically change the setting to block access from apps that don't use modern authentication (third-party apps and Office 2010 and earlier).

    • The Allow limited access setting applies only when users access content on the web through SharePoint, OneDrive, and Office Online. It doesn’t apply when users access content from other Office 365 services such as Outlook Web App.

    • To block syncing on unmanaged devices, see Azure Active Directory conditional access with the OneDrive sync client on Windows

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.