SharePoint Online Users Getting Network Conditional Access Protection

Microsoft will issue a preview of a new conditional access capability for organizations using SharePoint Online and OneDrive for Business, starting on Friday.

Specifically, Microsoft plans to release a "conditional access by network location" security capability, which will be available for "first release" testers on Jan. 20. It's a free addition to those services that's designed to thwart "data leakage" scenarios in which restricted information could get dispersed.

The first release of this conditional access by network location security feature will be available on Jan. 20 to all "commercial and GCC [Government Community Cloud] tenants, and will not require additional licensing," Microsoft explained, in a Microsoft Tech Community blog post late last week.

IT pros can use the SharePoint Admin console to define the network boundaries for this feature. Essentially, they provide "whitelisted address ranges" for end users in an organization. A user who tries to access SharePoint Online or OneDrive for Business outside those whitelisted addresses will get blocked and will see an "access restricted" message. Policy set via the console in this way will apply across an organization's Office 365 tenant for the SharePoint Online and OneDrive for Business services.

The new conditional access capability is just for SharePoint Online and OneDrive for Business users, though. It's not for SharePoint Server users.

"These policies do not affect SharePoint Server, and we have no information about plans to include on premises SharePoint Sever in the scope of these access policies," Microsoft's announcement explained.

The new conditional access feature is turned off by default. IT pros wanting to use it have to enable it via the console. Microsoft noted some caveats, though, when activating it. If an IT pro omits his or her machine's IP address from the range of whitelisted IP addresses, then it'll "lock out the admin session." In such cases, Microsoft support will need to be contacted.

Conditional access policy configurations using Microsoft's Azure Active Directory Premium service will get "interpreted first, followed by the SharePoint policy," Microsoft explained. For instance, if an IP address was blocked with the Azure Active Directory Premium service, it cannot be enabled using the SharePoint Online conditional access feature.

Microsoft also warned that users of its collaboration applications could see "unpredictable results" under certain conditions when using the new conditional access feature, especially users who aren't on the whitelist.

"For collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when accessed outside the whitelist."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


comments powered by Disqus

Subscribe on YouTube