Control access from unmanaged devices

Last updated: October 2017

As a SharePoint or global admin in Office 365, you can block or limit access to SharePoint and OneDrive content from unmanaged devices (those not joined to a domain or compliant in Intune). You can block or limit access for:

  • All users in the organization or only some users or security groups.

  • All sites in the organization or only some site collections.

Blocking access helps provide security but comes at the cost of usability and productivity. Limiting access allows users to remain productive while addressing the risk of accidental data loss on unmanaged devices. When you limit access, users on managed devices will have full access (unless they use one of the browser and operating system combinations listed below). Users on unmanaged devices will have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps. When you limit access, you can choose to allow or block editing files in the browser.

Notes: 

  • Blocking or limiting access on unmanaged devices relies on Azure AD conditional access policies. To learn more about them and the subscriptions they require, see Conditional access in Azure Active Directory.

  • If you limit access on unmanaged devices, users on managed devices who have the following browser and operating system combinations will also have limited access:

    Chrome, Firefox, or any other browser besides Microsoft Edge and Microsoft Internet Explorer on Windows 10 or Windows Server 2016

    Firefox in Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2

Block access to SharePoint and OneDrive content using the SharePoint admin center

  1. Sign in to Office 365 as a global admin or SharePoint admin.

  2. Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)

  3. In the left pane, choose Admin centers > SharePoint.

  4. In the SharePoint admin center, click access control.

  5. Select Block Access.

  6. Click OK.

    The block access setting on the access control page

    Note: It can take 5-10 minutes for the policy to take effect. It won't take effect for users who are already signed in from unmanaged devices.

If you go to the Azure AD admin center and click Conditional access, you can see that a policy was created by the SharePoint admin center.

Creating a policy in the Azure AD admin center to block access

Limit access to SharePoint and OneDrive content using the SharePoint admin center

  1. Sign in to Office 365 as a global admin or SharePoint admin.

  2. Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)

  3. In the left pane, choose Admin centers > SharePoint.

  4. In the SharePoint admin center, click access control.

  5. Select Allow limited, web-only access.

  6. Click OK.

    The limited access setting on the access control page

    Notes: 

    • It can take 5-10 minutes for the policies to take effect. They won't take effect for users who are already signed in from unmanaged devices.

    • By default, the policy allows users to edit files in the browser, copy and paste file contents out of the browser window, and download files that can't be previewed in the browser (like .zip and .exe). To block this, use the Set-SPOTenant PowerShell cmdlet.

If you go to the Azure AD admin center and click Conditional access, you can see that two policies were created by the SharePoint admin center. By default, the policy applies to all users. To apply it to only specific security groups, make changes under Users and groups. Be careful not to create multiple conditional access policies in the Azure AD admin center that conflict with each other. You can disable the policies created by the SharePoint admin center and then manually create the conditional access policies you need.

Creating two policies in the Azure AD admin center to limit access

Limit access to SharePoint and OneDrive content using PowerShell

  1. In the SharePoint Online Management Shell, connect to the SharePoint admin center with your admin account by running Connect-SPOService. For info about running this cmdlet, see Connect-SPOService.

  2. Run Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess.

Notes: 

  • By default, the policy allows users to edit files in the browser and copy file contents out of the browser window. To block this, specify -AllowEditing $false.

  • Some file types like .zip and .exe can't be previewed in a browser. By default, the policy allows users to download these files. To block downloading of these types of files, specify -AllowDownloadingNonWebViewableFiles $false.

  • For more info about managing SharePoint Online using PowerShell, see Introduction to the SharePoint Online Management Shell.
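The tenant-wide procedure above, as an added example (not code from the original article): apply the limited, web-only policy with both optional restrictions turned on, then read the settings back. The admin center URL is a placeholder for your tenant.

```powershell
# Added example, not from the article. <tenant> is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Tenant-level policy for unmanaged devices: browser-only access, with
# in-browser editing and download of non-previewable files both blocked.
# (The module's parameter name is the plural AllowDownloadingNonWebViewableFiles.)
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -AllowEditing $false `
              -AllowDownloadingNonWebViewableFiles $false

# Verify what was applied; allow 5-10 minutes before expecting it to take effect.
Get-SPOTenant | Format-List ConditionalAccessPolicy, Allow*
```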

Limit access to specific SharePoint site collections or OneDrive accounts

To limit access to specific sites, you must set the tenant-level policy to "Allow full access from desktop apps, mobile apps, and the web." Then follow these steps to manually create a policy in the Azure AD admin center and run PowerShell cmdlets.

  1. In the Azure AD admin center, select Conditional access, and then click Add.

  2. Under Users and groups, select whether you want the policy to apply to all users or only specific security groups.

  3. Under Cloud apps, select Office 365 SharePoint Online.

  4. Under Conditions, select both Mobile apps and desktop clients and Browser.

  5. Under Session, select Use app enforced restrictions. This tells Azure to use the settings you'll specify in SharePoint.

  6. Enable the policy and save it.

    Creating a policy in the Azure AD admin center to use app-enforced restrictions

  7. In the SharePoint Online Management Shell, connect to the SharePoint admin center with your admin account by running Connect-SPOService. For info about running this cmdlet, see Connect-SPOService.

  8. Run Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site collection or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess.

Notes: 

  • The site collection-level setting must be at least as restrictive as the tenant-level setting.

  • By default, the policy allows users to edit files in the browser. To block this, specify -AllowEditing $false.

  • Some file types like .zip and .exe can't be previewed in a browser. By default, the policy allows users to download these files. To block downloading of these types of files, specify -AllowDownloadingNonWebViewableFiles $false.

For more info about managing SharePoint Online using PowerShell, see Introduction to the SharePoint Online Management Shell.
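The site-collection scoping in steps 7 and 8, as an added example (not code from the original article). It assumes the Azure AD policy with app-enforced restrictions from steps 1 to 6 already exists, and it checks the tenant-level setting first, since per-site limiting requires the tenant policy to be Allow full access. URLs are placeholders.

```powershell
# Added example, not from the article. <tenant> and <site collection> are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$siteUrl = "https://<tenant>.sharepoint.com/sites/<site collection>"

# Per-site limiting only works when the tenant-level policy allows full access;
# a stricter tenant setting already applies everywhere, so stop instead of
# silently applying a setting that changes nothing.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne "AllowFullAccess") {
    throw "Tenant policy is $($tenant.ConditionalAccessPolicy); set it to AllowFullAccess before limiting individual sites."
}

# Limit this site collection for unmanaged devices, blocking in-browser editing
# and download of non-previewable files (the same two optional restrictions as
# at tenant level). Parameter name is the plural AllowDownloadingNonWebViewableFiles.
Set-SPOSite -Identity $siteUrl `
            -ConditionalAccessPolicy AllowLimitedAccess `
            -AllowEditing $false `
            -AllowDownloadingNonWebViewableFiles $false

# Confirm the site now carries the limited-access policy.
Get-SPOSite -Identity $siteUrl | Format-List Url, ConditionalAccessPolicy, Allow*
```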
