In this video, Pete Zerger demonstrates how to limit the user experience in a browser-based access scenario using session controls in conditional access policies. Learn how session controls enable users to be productive, while ensuring corporate data is n
- [Narrator] On the topic of per-app access requirements in Azure AD conditional access policies, we're going to look at session controls. Session controls enable limiting experience within a cloud app, and this is a new feature within conditional access. The session controls are enforced by the cloud app and rely on additional information provided by Azure AD to the app about the session. Currently only SharePoint Online supports this feature. And limiting means you can allow access to SharePoint and OneDrive, which is what's behind SharePoint document libraries, from an unmanaged device by granting browser-only access with download, print, and sync disabled.
Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device. There are three steps to enabling this scenario which I'll show you now. And when we're done, we'll look at the user experience. So we'll begin by configuring an access-allowed conditional access policy for compliant devices. So I'll, in my Azure portal, select my default directory and conditional access. And again, because the conditional access policies do sometimes take a few minutes to take effect, I'm going to walk you through the settings of a preconfigured policy.
So I'll select first my SharePoint-compliant device policy here, and we'll just walk through the settings. So I'm going to apply this to all users, again understanding I could apply this to specific users or scope to groups. From my cloud apps area here, I've selected only Office 365 SharePoint Online. And I've established a couple of conditions here. So if I look under my conditions, you'll see that I'm selecting both the browser-based and mobile and desktop apps for SharePoint access from my compliant devices.
And under my access controls, you'll see that I'm granting access but requiring the device to be domain-joined. Keeping in line with best practices, I could enforce multiple controls including multi-factor authentication. So that's step one. In step two, we'll configure a limited experience conditional access policy for browser access from those non-compliant devices. So I'll select my limited user experience policy, again applying to all users.
And again in the cloud apps area here, I've selected Office 365 SharePoint Online. And I have one condition here. So this time in the client apps area, you'll see that I've selected Browser as the experience I would like to limit. Now we'll scroll down to access controls. And under access controls, you'll see that I'm requiring multi-factor authentication, just keeping with best practices. And in a new area we've not touched on before, the session area here, I've also selected the session control "Enable limited experiences within a cloud app."
Again, this is only effective for SharePoint Online today, but we can expect to see this feature spread out to other cloud apps in the future. And I've enabled that policy. Now there's actually a third step, and it's not a step we perform in conditional access at all. It actually happens in SharePoint. So I will go to my Office 365 panel. I'll select the Admin area which will take me to the Admin screen. I will select the SharePoint Admin area.
It's going to drop me into the SharePoint admin center. And I will select device access down here at the very bottom. And this will expose to me some controls that allow me to limit that experience. So you'll notice here that under item two, I can allow limited access, web-only without the download, print, and sync commands. And I can actually block access for files that can't be viewed on the web, or I could allow them to be downloaded. Personally, since we're limiting the download experience in the first place, I think that block control makes pretty good sense.
So right now, I'm on a managed device. This is a Windows 10 machine. It's domain-joined, so it fits our definition of compliant. So with all three required settings configured, I'm now going to go back to my Office 365 panel and I'll launch SharePoint Online. So this should take me to my SharePoint homepage. I should be able to click on document libraries. And since I'm on a managed device, I should have full fidelity in terms of the user experience, meaning I'll see the sync options, the download options, all of the normal controls that I would expect in a fully-managed scenario.
There's no unmanaged item here to worry about. So here I'm on the kineteco IT site, and you'll notice I have the full range of controls and download included. Now I've also pulled this site up on an unmanaged device. And you'll notice here that I get the same site with the same credentials, but you'll notice that I'm missing, when we look closely, some of the controls that would allow me to sync content down to my device.
And you'll notice there's no little radio button for me to select that document in order to download. So that is our limited device experience. And likewise, if I attempted to print, I would be blocked. So in the end, I can not only control the authentication experience but also prevent certain types of data access, preventing potential data leakage in untrusted scenarios with Azure AD conditional access policies and the new session controls feature.
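The three steps the narration walks through in the Azure portal and the SharePoint admin center can also be scripted. The following is an added example, not code from the video or from Microsoft: it assumes the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell are installed, an account with the Policy.ReadWrite.ConditionalAccess scope and SharePoint administrator rights, and a placeholder tenant name of contoso. It departs from the video in one labelled way: the device-grant policy is scoped to mobile and desktop clients only, so that unmanaged browser sign-ins fall through to the session policy instead of being blocked, and both policies are created in report-only mode so they can be checked in the sign-in logs before enforcement.

```powershell
# Added example: the three steps from the narration as a script.
# Assumptions (not from the video): Microsoft Graph PowerShell SDK and the
# SharePoint Online Management Shell are installed; the signed-in account can
# write conditional access policies and administer SharePoint Online.
$tenant = 'contoso'   # assumed placeholder tenant name; replace with your own

# Create in report-only mode first; set to 'enabled' once the sign-in log
# shows the expected outcome. (The video enables both policies directly.)
$state = 'enabledForReportingButNotEnforced'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Well-known application ID of Office 365 SharePoint Online, the only app
# that enforced this session control at the time of the video.
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'

# Step 1: grant policy for the rich clients - require a domain-joined
# (hybrid Azure AD joined) device. Add 'compliantDevice' to the list with
# operator 'OR' to also accept Intune-compliant devices.
$managedDevicePolicy = @{
    displayName = 'SharePoint - require domain-joined device (rich clients)'
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($sharePointOnline) }
        # Scoped to mobile/desktop clients only (assumption; the video also
        # selects Browser here) so unmanaged browser sign-ins are not blocked
        # and instead get the limited session from the second policy.
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('domainJoinedDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $managedDevicePolicy

# Step 2: browser policy - MFA plus the session control that tells SharePoint
# to apply its app-enforced restrictions (the limited experience). SharePoint
# applies the restrictions only when the device is not managed, which is why
# the managed-device browser session in the video keeps the full controls.
$limitedBrowserPolicy = @{
    displayName = 'SharePoint - limited browser experience on unmanaged devices'
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($sharePointOnline) }
        clientAppTypes = @('browser')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $limitedBrowserPolicy

# Step 3: SharePoint side - allow limited, web-only access and block files
# that cannot be rendered in the browser, matching the choice in the video.
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -AllowDownloadingNonWebViewableFiles $false

# Check: confirm the tenant-wide SharePoint setting before testing from an
# unmanaged device.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, AllowDownloadingNonWebViewableFiles
```

The SharePoint setting is tenant-wide, the same switch the narration sets from the device access page of the SharePoint admin center. Before switching either policy from report-only to enabled, sign in once from a managed device and once from an unmanaged browser and compare the two entries in the Azure AD sign-in log: the unmanaged browser sign-in should show the session policy applied and, after enablement, the document library should lose the download, sync, and print commands exactly as shown in the video.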
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups