By default, users can reach browser-based resources such as Exchange Online (Outlook on the web) and SharePoint Online from any device. Conditional Access can instead limit or block that access based on the state of the connecting device. Blocking access from unmanaged devices carries a productivity cost; limited access lets users keep working on those devices while reducing the risk of data loss.
With limited access, users on unmanaged devices can open files only in the browser and cannot download, print, or sync them, so accidental data loss is reduced without taking the data away entirely. Limited access depends on modern authentication: clients that use legacy authentication are not subject to these session controls, which is why legacy authentication should be blocked alongside it.
The web applications behave differently when the signed-in user is in scope of a Conditional Access policy whose session control is set to Use app enforced restrictions.
License / Setup Requirements
Azure AD Premium P1 license for the Conditional Access policy
Prerequisites for enabling the limited access experience in SharePoint Online and Exchange Online (Global Administrator permissions are required for the steps below)
Creating a limited access environment for Exchange Online
Use Exchange Online PowerShell to enable Conditional Access (CA) app enforced restrictions for all users through the default OwaMailboxPolicy.
App enforced restrictions are disabled by default in OWA mailbox policies, so the feature must first be turned on with the Set-OwaMailboxPolicy cmdlet from the Exchange Online PowerShell module.
First identify the OWA mailbox policies in the tenant:
Get-OwaMailboxPolicy | ft Name
Change the default OWA policy with the following command (repeat it for any custom policies assigned to mailboxes, otherwise those mailboxes are not covered):
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly
Valid values for the -ConditionalAccessPolicy parameter are:
Off: No conditional access policy is applied to Outlook on the web. This is the default value.
ReadOnly: Users can’t download attachments to their local computer and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser
Validate the OWA configuration with the following command:
Get-OwaMailboxPolicy | Format-List Name, ConditionalAccessPolicy
Note: Limited access is only available for Exchange Online accounts that have the ConditionalAccessPolicy setting set to ReadOnly (or ReadOnlyPlusAttachmentsBlocked)
The setting takes effect within a few hours. Once it is active and the user is also in scope of the Conditional Access policy, users on non-compliant devices can no longer download attachments from Outlook on the web.
Creating a limited access environment for SharePoint Online
In the SharePoint admin center, go to Policies > Access control > Unmanaged devices and select Allow limited, web-only access.
Alternatively, set it with the SharePoint Online PowerShell command (after Connect-SPOService):
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
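The Exchange Online and SharePoint Online steps above, as one added PowerShell script that is not part of the original page. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and that the tenant name is replaced with your own; the check across all OWA mailbox policies (not only the default one) is added because a mailbox assigned a custom policy that is still set to Off would silently bypass the restriction.

```powershell
# Added example (not from the original page): enable app enforced restrictions
# for Exchange Online and SharePoint Online and verify the result.
# Assumption: replace with your own tenant name.
$TenantName = 'contoso'

# --- Exchange Online ---
Connect-ExchangeOnline -ShowBanner:$false

# Set every OWA mailbox policy, not just OwaMailboxPolicy-Default: mailboxes assigned a
# custom policy that is still 'Off' would otherwise not get the limited-access behaviour.
foreach ($policy in Get-OwaMailboxPolicy) {
    if ($policy.ConditionalAccessPolicy -ne 'ReadOnly') {
        Set-OwaMailboxPolicy -Identity $policy.Identity -ConditionalAccessPolicy ReadOnly
    }
}

# Validate and fail loudly if any policy is still 'Off'.
$owaState = Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy
$owaState | Format-Table -AutoSize
$stillOff = $owaState | Where-Object { $_.ConditionalAccessPolicy -eq 'Off' }
if ($stillOff) {
    throw "OWA policies still without app enforced restrictions: $($stillOff.Name -join ', ')"
}

# Show which policies are actually assigned to mailboxes, so coverage can be confirmed.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object OwaMailboxPolicy |
    Select-Object Name, Count |
    Format-Table -AutoSize

# --- SharePoint Online / OneDrive ---
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Valid values: AllowFullAccess (default), AllowLimitedAccess, BlockAccess
if ((Get-SPOTenant).ConditionalAccessPolicy -ne 'AllowLimitedAccess') {
    Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
}
"SharePoint unmanaged device setting: $((Get-SPOTenant).ConditionalAccessPolicy)"

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

Neither setting does anything on its own: the web apps only apply the restriction when the user's session is also in scope of a Conditional Access policy with the Use app enforced restrictions session control, which is created in the next section.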
Create the Conditional Access policies that apply the restrictions to users
Select the users or security groups that the policy applies to
Under Cloud apps, select:
Exchange Online
SharePoint Online
Under Session, select Use app enforced restrictions
A second Conditional Access policy (block access for apps) targets the same cloud apps but the Mobile apps and desktop clients client app type, so that rich clients such as Outlook and the OneDrive sync client cannot connect from unmanaged devices; only the browser path remains, where the app enforced restrictions apply.
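The two policies described above, plus the legacy authentication block mentioned at the top of the page, expressed as Microsoft Graph PowerShell instead of portal clicks. This is an added example, not the page's own configuration: policy names, the pilot and break-glass group IDs, and the choice to start in report-only mode are assumptions; the Exchange Online and SharePoint Online application IDs are the well-known first-party IDs. The second policy is written as "require compliant or hybrid joined device", which blocks unmanaged devices while leaving managed ones working, rather than a plain block that would cut off managed devices too.

```powershell
# Added example (not from the original page): create the Conditional Access policies
# with Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns module).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumptions: replace with your own object IDs.
$pilotGroupId      = '00000000-0000-0000-0000-000000000000'  # users in scope
$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'  # emergency accounts, always excluded

# Well-known first-party application IDs.
$exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'

$users = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
$apps  = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }

# Start every policy in report-only and switch to 'enabled' after reviewing sign-in logs.
$initialState = 'enabledForReportingButNotEnforced'

# Policy 1: browser sessions get app enforced restrictions (limited, web-only access).
$limitedWebAccess = @{
    displayName     = 'Unmanaged devices - limited web access'
    state           = $initialState
    conditions      = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

# Policy 2: desktop and mobile apps (Outlook, OneDrive sync, Office) must come from a
# compliant or hybrid Azure AD joined device; unmanaged devices are blocked.
$blockAppsOnUnmanaged = @{
    displayName   = 'Unmanaged devices - block desktop and mobile apps'
    state         = $initialState
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

# Policy 3: legacy authentication is not subject to session controls, so block it outright.
$blockLegacyAuth = @{
    displayName   = 'Block legacy authentication'
    state         = $initialState
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = foreach ($body in $limitedWebAccess, $blockAppsOnUnmanaged, $blockLegacyAuth) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
$created | Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

Leave the policies in report-only mode until the sign-in logs show the expected "report-only" outcomes for unmanaged devices and no unexpected hits for managed ones, then set state to enabled.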
End User Experience
Sign in to Outlook on the web from an unmanaged device and validate the result: attachments can be previewed in the browser but no longer downloaded.
OneDrive for Business shows a similar limited-access message on an unmanaged device.