Last week I started this series of blog posts about conditional access for PCs with the requirements. This week, in the second part of the series, I'll build on those requirements by adding the SharePoint Online Policy and the Compliance Policy. Once those configurations are in place, I'll finish this second part with the end-user experience.
Note: This post shows a few configurations that are identical to the ones in the third part of this blog series. That way the SharePoint Online Policy can be configured without going through the configuration of the Exchange Online Policy.
Configuration
The configuration of conditional access for PCs contains two actions. The first action is to configure the SharePoint Online Policy and the second action is to configure the Compliance Policy.
SharePoint Online Policy
Now let's start with the first action, the configuration of the SharePoint Online Policy. This policy manages access to OneDrive for Business files located on SharePoint Online, based on the configured conditions (device must be compliant, device must be domain joined, or device must be compliant or domain joined).
The configuration of the SharePoint Online Policy is the same for Microsoft Intune standalone and Microsoft Intune hybrid. The path to the setting differs, but in the end the configuration is performed in the Microsoft Intune administration console.
Note: To test the end-user experience, I've tested the SharePoint Online Policy with all three possible configurations for Windows devices: devices must be compliant, devices must be domain joined, and devices must be compliant or domain joined.
Compliance Policy
The next action is the configuration of the Compliance Policy. This policy defines the rules and settings that a device must meet in order to be considered compliant by conditional access policies. Keep in mind that configuring and deploying a Compliance Policy is not required: when no Compliance Policy is configured and deployed, the device is automatically considered compliant. In that case the "device must be compliant" condition effectively only checks that the device is enrolled in Microsoft Intune, so deploy a Compliance Policy if the condition should mean more than that.
The configuration of the Compliance Policy differs between Microsoft Intune standalone and Microsoft Intune hybrid.
Note: It's possible to create multiple Compliance Policies for different devices or different scenarios. After creating the policies, don't forget to deploy them to users or computers.
End-user experience
After the complete configuration is done, it's time to look at the end-user experience for the most commonly used Office applications. In this case I'm talking about the end-user experience of a blocked user, since the end-user experience of an allowed user doesn't differ from any other Office experience.
When the end-user's device is not compliant or not domain joined, the end-user gets the messages shown below when trying to access files on SharePoint Online. The not compliant message is also shown when the combined option (compliant or domain joined) is configured. The examples are shown for Word 2013, Excel 2013 and PowerPoint 2013, in that order.
| | Initial | Not compliant | Not domain joined |
| --- | --- | --- | --- |
| Word 2013 | (screenshot) | (screenshot) | (screenshot) |
| Excel 2013 | (screenshot) | (screenshot) | (screenshot) |
| PowerPoint 2013 | (screenshot) | (screenshot) | (screenshot) |
Note: At this moment this works perfectly for Office 2013. With Office 2016, however, I'm still seeing some odd behavior in multiple apps, like Word 2016 and PowerPoint 2016. To be continued.
More information
For more information about the SharePoint Online Policy and the Compliance Policy used for conditional access for PCs, refer to the following links:
- Conditional Access for SharePoint Online in Configuration Manager: https://technet.microsoft.com/en-us/library/mt131419.aspx
- Manage SharePoint Online access with Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705844.aspx
- Compliance Policies in Configuration Manager: https://technet.microsoft.com/en-us/library/mt131417.aspx
- Manage device compliance policies for Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705843.aspx
What is the user experience for failing compliance on Windows 7?
I have just set my SharePoint Online conditional access policy in Intune (standalone) to "Devices must be domain joined" and successfully opened a Word document stored in SharePoint from a NON-domain joined Win 7 PC. Not what I was expecting.
Are those devices configured to use modern authentication?
That was the problem. Hadn’t set the reg value for EnableADAL.
Thanks.
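The registry value mentioned in the exchange above, as an added example that is not code from the post or its commenters: a PowerShell snippet that checks, and optionally sets, the two per-user DWORD values Office 2013 needs before it will use modern authentication (ADAL). Without them Office 2013 falls back to legacy authentication and the SharePoint Online Policy is never evaluated, which is exactly the bypass the commenter saw. The registry path and value names are the documented ones for Office 2013 (version 15.0); the function names are this example's own, and the values only take effect on an Office 2013 build that supports ADAL and after Office is restarted.

```powershell
# Added example (not from the original post): audit and optionally enable
# modern authentication (ADAL) for Office 2013 for the current user.
# Registry path and value names are the documented Office 2013 (15.0) ones;
# the function names are this example's own.

$IdentityKey    = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$RequiredValues = @{ EnableADAL = 1; Version = 1 }

function Test-Office2013ModernAuth {
    # Returns $true only when both required values exist and are set to 1.
    if (-not (Test-Path -Path $IdentityKey)) { return $false }
    $props = Get-ItemProperty -Path $IdentityKey
    foreach ($name in $RequiredValues.Keys) {
        $current = $props.PSObject.Properties[$name]
        if ($null -eq $current -or [int]$current.Value -ne $RequiredValues[$name]) {
            return $false
        }
    }
    return $true
}

function Enable-Office2013ModernAuth {
    # Creates the Identity key if needed and writes both DWORDs.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    foreach ($name in $RequiredValues.Keys) {
        if ($PSCmdlet.ShouldProcess("$IdentityKey\$name", "Set to $($RequiredValues[$name])")) {
            New-ItemProperty -Path $IdentityKey -Name $name -Value $RequiredValues[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: report the current state; call Enable-Office2013ModernAuth to fix it.
if (Test-Office2013ModernAuth) {
    Write-Output 'Office 2013 modern authentication is enabled for this user.'
} else {
    Write-Output 'Office 2013 modern authentication is NOT enabled; run Enable-Office2013ModernAuth and restart Office.'
}
```

Because the values live under HKCU, the check and the fix are per user; for a fleet, deploy the same two values through Group Policy or a configuration item rather than relying on users to run the script.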
I'm helping a friend with this configuration for a small business. I need to block access to SharePoint Online from any device (no matter if the device is using modern authentication or not) and only allow access to secure PCs. Is this possible?
As I understand the policy only applies to devices with modern authentication enabled, but how can I enforce that only some devices access my corporate information if all the non-modern-authentication devices can log in? Hope you can help on this. Regards.
Modern authentication is really required to make this possible.
Not able to see the "Device must be compliant or domain joined" tab on my tenant?
At this moment conditional access for Windows 10 devices is only available via a Microsoft Connect program.