Microsoft 365 – How to block SharePoint sites access / Microsoft 365 Apps to the users via Browser – setting up policy in SharePoint admin center / Azure admin center


Hi All,

Greetings for the day 🙂 LIFE IS BEAUTIFUL 🙂

Background :

Recently we got a requirement that a SharePoint admin user shouldn’t access SharePoint sites / Microsoft 365 Apps via the browser.

This is because we have a migration team and want to allow them only to execute PowerShell cmdlets, with no access to sites / Microsoft 365 Apps through the browser or admin center.

Even this is new for me, so a bit of research, and as usual SHARING IS CARING 🙂

Following are the detailed steps :

fig : M365 – SharePoint admin center >> Policies >> Access control
  • We will be redirected to Access Control page
  • From Access control page select the option – Unmanaged devices
fig : M365 – SharePoint admin center >> Policies >> Access control >> Unmanaged devices
  • On selecting the Unmanaged devices option, the right pane opens as
fig : SharePoint admin center >> Policies >> Access control >> Unmanaged devices >> Block access
  • From the right pane, select “Block access” and click on the “Save” button. This action will
    1. Block all SharePoint site access for all users from the browser
    2. Important point: a new policy will be created in Azure admin center (https://portal.azure.com/) under Security >> Conditional Access with the name – [SharePoint admin center]Use app-enforced Restrictions for browser access – 2021/11/19
    3. Please note the naming convention of the policy created in Azure admin center
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access
  • To block for specific users we need to edit this policy from Azure admin center – https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
  • Click on the policy to edit it and, from the “Assignments” section, under “Users or workload identities” click on “Specific users included”
  • On the right side, from the drop-down “What does this policy apply to?” select the “Users and groups” option
  • Under the “Include” section select “Select users and groups” >> “Users and groups” >> “Select” option
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Users or workload identities >> Select users and groups >> Users and groups
  • Right pane will open to select user and groups as
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Users or workload identities >> Select users and groups >> Users and groups  – selecting the users or groups to block
  • From the right pane “Select”, search for the user or group for which we need to block the SharePoint sites and click on the bottom button – Select
  • When the respective users try to access a SharePoint site (even if they are SharePoint admins), an “Access Denied” error appears as
fig : Access denied error for the users to whom “Block Access” policy is created
  • To block other apps such as Azure DevOps, Azure Key Vault, Microsoft Flow, Microsoft Forms and so on, select them from “Cloud apps or actions” as
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Cloud apps or actions >> Include >> select apps
  • Search for the respective apps and select them. Those apps will be blocked for the respective users or groups

To block desktop clients and mobile apps, under Conditions >> Client apps check “Mobile apps and desktop clients” as

fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Conditions >> Client apps >> Mobile apps and desktop clients
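
To confirm that the edited policy is scoped as intended, the following added example (not code from the original post) summarises which users, apps and client types a Conditional Access policy covers. It assumes the property names of the Microsoft Graph PowerShell SDK policy object; `Test-CaPolicyScope`, `New-SamplePolicy` and both sample policies are hypothetical and constructed.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Live input, assuming the Microsoft Graph PowerShell SDK and the Policy.Read.All scope:
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object { Test-CaPolicyScope -Policy $_ }
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online

function Test-CaPolicyScope {
    param([Parameter(Mandatory)] $Policy)
    $users   = $Policy.Conditions.Users
    $apps    = $Policy.Conditions.Applications.IncludeApplications
    $clients = $Policy.Conditions.ClientAppTypes
    [pscustomobject]@{
        Policy            = $Policy.DisplayName
        Enforced          = $Policy.State -eq 'enabled'
        AppliesToAllUsers = $users.IncludeUsers -contains 'All'
        IncludedUsers     = $users.IncludeUsers -join ', '
        IncludedGroups    = $users.IncludeGroups -join ', '
        CoversSharePoint  = ($apps -contains $SharePointAppId) -or ($apps -contains 'All')
        CoversBrowser     = ($clients -contains 'browser') -or ($clients -contains 'all')
        CoversClientApps  = ($clients -contains 'mobileAppsAndDesktopClients') -or ($clients -contains 'all')
        AppEnforced       = [bool]$Policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
    }
}

# Constructed sample shaped like the Graph policy object; values are illustrative only.
function New-SamplePolicy {
    param([string]$Label, [string[]]$Users = @(), [string[]]$Groups = @(), [string[]]$Clients = @('browser'))
    [pscustomobject]@{
        DisplayName     = "sample: $Label"
        State           = 'enabled'
        Conditions      = [pscustomobject]@{
            Users          = [pscustomobject]@{ IncludeUsers = $Users; IncludeGroups = $Groups }
            Applications   = [pscustomobject]@{ IncludeApplications = @($SharePointAppId) }
            ClientAppTypes = $Clients
        }
        SessionControls = [pscustomobject]@{
            ApplicationEnforcedRestrictions = [pscustomobject]@{ IsEnabled = $true }
        }
    }
}

# 'as created' is assumed to target all users, matching the post's note that every user is blocked after Save.
$asCreated = New-SamplePolicy -Label 'as created' -Users 'All'
# 'scoped' mirrors the edited policy: one group (placeholder id), browser plus mobile/desktop clients.
$scoped = New-SamplePolicy -Label 'scoped' -Groups '<migration-team-group-id>' -Clients 'browser', 'mobileAppsAndDesktopClients'

$results = @($asCreated, $scoped) | ForEach-Object { Test-CaPolicyScope -Policy $_ }
$results | Format-Table Policy, AppliesToAllUsers, IncludedGroups, CoversBrowser, CoversClientApps -AutoSize
$results | Where-Object AppliesToAllUsers |
    ForEach-Object { Write-Warning "$($_.Policy) still applies to all users" }
```

Run against live policies, a warning for the policy created by the SharePoint admin center means the “Users and groups” edit described above has not been saved yet.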

Thanks for reading 🙂 If it is worth sharing, kindly like and share 🙂

HAVE A GREAT TIME AHEAD 🙂 STAY HEALTHY, POSITIVE 🙂

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certificated. Motivational, Behavioral, Technical speaker. Speaks in various events including SharePoint Saturdays, Boot camps, Colleges / Schools, local chapter. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.
