Blocking downloads in SharePoint using Conditional Access policies

Many companies work towards improving their security posture by taking extra measures to protect their data. One of these measures is to control where company data can be stored. Much of it might be stored in SharePoint, which is widely used by organizations, and you might not want to allow this data to be downloaded to unmanaged devices. The main reason for this is that unmanaged devices are considered less secure, so it might not be desirable to have a bunch of company data stored on them. Luckily there are ways to prevent this in SharePoint. When configured, a user on an unmanaged device who tries to download a file will be met by this message:

This is achieved by using Azure Conditional Access policies in combination with SharePoint access control settings. In essence, the Conditional Access policies can be configured to defer to the SharePoint settings, which decide what the user can do within their session. Let's have a look at how this is configured. First, the settings on the SharePoint side can be found in the SharePoint admin center under Policies | Access control. There are several settings here, but to block downloads on unmanaged devices we need to choose the setting Unmanaged devices.

We have the option to either Allow full access (default), Allow limited access (block print, download) or Block access. Note that the settings here are organization-wide for all SharePoint sites. If you want to configure this for specific sites, I recommend checking out the link on the blade in the screenshot above: Learn how to control access to specific sites by using Microsoft PowerShell
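The same Unmanaged devices setting, applied from PowerShell rather than the admin center blade, as an added example that is not part of the original post. It uses the SharePoint Online Management Shell cmdlets (Set-SPOTenant, Set-SPOSite, Get-SPOTenant, Get-SPOSite); the tenant name and site URL are placeholders, and the site-level step goes beyond the post by tightening one sensitive site further than the organization-wide value.

```powershell
# Added example, not from the original post. Requires the SharePoint Online
# Management Shell module (Microsoft.Online.SharePoint.PowerShell) and a
# SharePoint admin account. <tenant> and the site URL are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Organization-wide setting. AllowLimitedAccess is the PowerShell name for
# "Allow limited access (block print, download)"; the other values are
# AllowFullAccess (the default) and BlockAccess.
# -AllowDownloadingNonWebViewableFiles $false also removes the Download
# button for files the browser cannot render in place (for example archives),
# which are otherwise still downloadable in limited-access sessions.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -AllowDownloadingNonWebViewableFiles $false

# Site-level override for one site holding more sensitive data: block
# unmanaged devices from the site entirely instead of only limiting them.
$sensitiveSite = "https://<tenant>.sharepoint.com/sites/Finance"   # placeholder
Set-SPOSite -Identity $sensitiveSite -ConditionalAccessPolicy BlockAccess

# Verify the effective values before relying on them: the tenant default
# and the per-site override are read back from the service, not assumed.
"Tenant : " + (Get-SPOTenant).ConditionalAccessPolicy
"Site   : " + (Get-SPOSite -Identity $sensitiveSite -Detailed).ConditionalAccessPolicy
```

After this runs, check Azure AD Conditional Access for the two [SharePoint admin center] policies described below; the SharePoint setting only takes effect for a session when those policies (or your own equivalents) apply to it.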

When configuring this setting, two policies will be created in Azure conditional access. 

Name: [SharePoint admin center]Block access from apps on unmanaged devices – 2020-06-25
  Assignments
    Users and groups: All users
    Cloud apps or actions: Office 365 SharePoint Online
  Conditions
    Client apps: Modern authentication clients
  Access controls
    Grant: Require device to be marked as compliant OR Require Hybrid Azure AD joined device

Name: [SharePoint admin center]Use app-enforced Restrictions for browser access – 2020-06-25
  Assignments
    Users and groups: All users
    Cloud apps or actions: Office 365 SharePoint Online
  Conditions
    Client apps: Browser
  Access controls
    Session: Use app enforced restrictions

These policies can of course be customized to suit one's needs, or you could delete them and create your own. Here is the one I created:

As soon as the SharePoint setting and the Conditional Access policy are in place, your company data should be a little bit safer.
