Conditional Access adds a layer of control on top of authentication: access to applications (SharePoint, Exchange, etc.) and to the data they hold is granted only if the sign-in meets certain conditions. It is commonly used to require MFA or to require that the device satisfies compliance rules.
In this example I want access to Exchange Online or SharePoint Online from a given IP range or country to give the users targeted by the policy read-only access (no download, no print).
Configure OWA for limited Access
We start by configuring OWA (Outlook Web Access) so that it honours Conditional Access app-enforced restrictions. This feature is disabled by default, so it has to be turned on. Open a PowerShell prompt and run $Credentials = Get-Credential. Enter Office 365 admin credentials and click OK. The credentials used to connect to Exchange Online are now stored in the $Credentials variable.
Run the following command to connect to Exchange Online: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection. Note that this remote PowerShell session relies on Basic authentication, which Microsoft has since retired for Exchange Online; on a current tenant, connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead, then run the same Set-OwaMailboxPolicy command.
Import the cmdlets into your session with Import-PSSession $Session
To configure the Outlook Web Access mailbox policy, run Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly. The setting is written immediately, but it can take some time before it is actually enforced for users. It only applies to mailboxes assigned the OwaMailboxPolicy-Default policy; if you use other OWA mailbox policies, apply the same setting to each of them.
You can verify the change with Get-OwaMailboxPolicy | Select Identity, ConditionalAccess*
Close the Exchange Online session with Remove-PSSession $Session
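The Exchange Online part of the procedure above, as an added example script that is not part of the original post. It uses the current ExchangeOnlineManagement module (Connect-ExchangeOnline) instead of the Basic-authentication remote session, sets the default OWA policy to ReadOnly, reads the value back, and then lists mailboxes assigned to a different OWA policy, since those would not be covered by the change. The admin UPN and policy name are placeholders; the assumption that a mailbox with an empty OwaMailboxPolicy inherits the tenant's default policy is stated in the code.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange admin role.
param(
    [string]$AdminUpn   = 'admin@contoso.onmicrosoft.com',   # placeholder account
    [string]$PolicyName = 'OwaMailboxPolicy-Default'          # policy targeted by the post
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

function Set-OwaReadOnlyPolicy {
    # Turn on app-enforced restrictions for the named OWA mailbox policy.
    param([string]$Identity)
    Set-OwaMailboxPolicy -Identity $Identity -ConditionalAccessPolicy ReadOnly
}

function Test-OwaReadOnlyPolicy {
    # Returns $true when the named OWA policy now reports ConditionalAccessPolicy = ReadOnly.
    param([string]$Identity)
    $policy = Get-OwaMailboxPolicy -Identity $Identity
    return ("$($policy.ConditionalAccessPolicy)" -eq 'ReadOnly')
}

function Get-UncoveredMailboxes {
    # The OWA policy is applied per mailbox. A mailbox assigned a different OWA
    # policy keeps full OWA access even after the change above.
    # Assumption: a mailbox with an empty OwaMailboxPolicy inherits the policy
    # flagged IsDefault, so it only counts as uncovered if that default is not $Identity.
    param([string]$Identity)
    $default = (Get-OwaMailboxPolicy | Where-Object { $_.IsDefault }).Identity
    Get-CASMailbox -ResultSize Unlimited | Where-Object {
        $assigned = "$($_.OwaMailboxPolicy)"
        if ($assigned -eq '') { $assigned = "$default" }
        $assigned -ne $Identity
    } | Select-Object PrimarySmtpAddress, OwaMailboxPolicy
}

Set-OwaReadOnlyPolicy -Identity $PolicyName

if (Test-OwaReadOnlyPolicy -Identity $PolicyName) {
    Write-Host "$PolicyName now applies ReadOnly under Conditional Access."
} else {
    Write-Warning "$PolicyName is not ReadOnly yet; re-check after replication."
}

$uncovered = @(Get-UncoveredMailboxes -Identity $PolicyName)
if ($uncovered.Count -gt 0) {
    Write-Warning "$($uncovered.Count) mailbox(es) use another OWA policy and are not covered:"
    $uncovered | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the last check reports uncovered mailboxes, either run Set-OwaReadOnlyPolicy against each of their policies or move those mailboxes to the default policy with Set-CASMailbox -OwaMailboxPolicy; otherwise the Conditional Access policy created later will be satisfied but OWA will not actually restrict those users.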
Configure SharePoint Online and OneDrive
SharePoint Online and OneDrive are configured to use the Conditional Access policy. From the Microsoft 365 admin center, click on SharePoint.
Click on Policies, then Access control, then Unmanaged devices.
Select Allow limited, web-only access and click on Save.
Configure Conditional Access Policy
From the Azure AD portal (https://aad.portal.azure.com/), click on Azure Active Directory, then on Security.
Click on Named locations to configure a new location (IP address range or country).
Click on New location.
Enter the name of the location and select IP range or Country. Click on Create to create the new location.
Under Policies, you will notice that enabling limited access in SharePoint has created two policies automatically. You can delete these two and create your own policy.
From Policies, click on New policy.
Enter the name of your policy and click on Users.
Select the users or groups the policy should apply to.
Click on Conditions, then Locations, and include the named location created earlier, so that the policy only applies to sign-ins from that IP range or country. Then click on Cloud apps or actions and select Exchange Online and/or SharePoint Online.
Click on Session and check Use app enforced restrictions, then click Select. Set Enable policy to On and click on Create.
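The named location and the Conditional Access policy from the steps above, created through Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original post. It targets a group, includes the new location as a condition, scopes the policy to browser sessions, enables app-enforced restrictions, and reads the policy back to confirm the session control is present. The IP range, group object ID and display names are placeholders; the two first-party application IDs are the well-known values for Exchange Online and SharePoint Online. The -ReportOnly switch is an assumption of this script, not a portal setting from the post.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module
# and an admin who can consent to Policy.ReadWrite.ConditionalAccess.
param(
    [string]$LocationName = 'Branch-Office-Range',                  # placeholder
    [string]$CidrAddress  = '203.0.113.0/24',                       # placeholder (documentation range)
    [string]$GroupId      = '00000000-0000-0000-0000-000000000000', # placeholder group object ID
    [string]$PolicyName   = 'CA-ReadOnly-EXO-SPO-from-named-location',
    [switch]$ReportOnly                                             # create in report-only mode first
)

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Well-known first-party application IDs.
$ExchangeOnlineAppId   = '00000002-0000-0ff1-ce00-000000000000'
$SharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'

function New-IpNamedLocation {
    # Creates an IPv4 named location. It is deliberately NOT marked as trusted:
    # the aim is to restrict sessions from this range, not to exempt them.
    param([string]$Name, [string]$Cidr)
    $body = @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        displayName   = $Name
        isTrusted     = $false
        ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $Cidr })
    }
    New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
}

function New-ReadOnlySessionPolicy {
    # Builds the policy: group + location + Exchange/SharePoint, browser only,
    # session control "Use app enforced restrictions".
    param([string]$Name, [string]$LocationId, [string]$TargetGroupId, [bool]$Enforce)
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
    $body = @{
        displayName = $Name
        state       = $state
        conditions  = @{
            users          = @{ includeGroups = @($TargetGroupId) }
            applications   = @{ includeApplications = @($ExchangeOnlineAppId, $SharePointOnlineAppId) }
            locations      = @{ includeLocations = @($LocationId) }
            clientAppTypes = @('browser')   # app-enforced restrictions only act on web sessions
        }
        sessionControls = @{
            applicationEnforcedRestrictions = @{ isEnabled = $true }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$location = New-IpNamedLocation -Name $LocationName -Cidr $CidrAddress
$policy   = New-ReadOnlySessionPolicy -Name $PolicyName -LocationId $location.Id `
                -TargetGroupId $GroupId -Enforce (-not $ReportOnly)

# Read the policy back: a policy without the session control is still accepted by Graph,
# but then users from the range would get full access rather than read-only access.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($check.SessionControls.ApplicationEnforcedRestrictions.IsEnabled) {
    Write-Host "Policy '$($check.DisplayName)' created in state '$($check.State)'."
} else {
    Write-Warning 'App-enforced restrictions are not enabled on the created policy.'
}
```

Two practical notes. First, the read-only behaviour is enforced by the web applications themselves (OWA, the SharePoint and OneDrive web UI), so this policy changes nothing for desktop Outlook or the OneDrive sync client coming from the same range; if those must be cut off, create a second policy for the non-browser client types with a Block grant. Second, creating the policy with -ReportOnly first and reviewing the sign-in logs avoids locking out an administrator who happens to be inside the named range.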
Test conditional access policy
The policy has been created. I sign in to the Office 365 portal with a test user from the named location. In Exchange Online, email is now in read-only mode.
I can read the attachment, but I can't print or download it.
In OneDrive, the file can't be downloaded or printed.
I can open the file in Word, but printing is not available.