Microsoft Previews Azure Active Directory Limited Access for SharePoint and OneDrive
Microsoft today announced a preview of a new Azure Active Directory management option that's designed to thwart "data leakage" scenarios when users access SharePoint or OneDrive using unmanaged or noncompliant devices.
This new control, called "Limited Access to SharePoint and OneDrive" in Microsoft's announcement, lets IT pros either restrict such devices to browser-only access to SharePoint or OneDrive or block their access altogether. In browser-only mode, the Limited Access Azure AD feature disables downloading, printing and synchronizing documents on those devices, the channels through which data would otherwise leave the tenant.
Management Portal Access
The Limited Access Azure AD option is accessed within the SharePoint Admin Center, according to an announcement today by Bill Baer, a senior technical product manager on Microsoft's SharePoint team. The SharePoint Admin Center is an option within the Office 365 Admin Center portal.
The new Limited Access Azure AD option likely is accessible as well via the Azure Portal. Microsoft has now centralized all of its conditional access policies for Azure AD and Microsoft Intune in the Azure Portal, according to Alex Simons, director of program management at the Microsoft Identity Division, in a recently published Microsoft video. The Azure Portal reached the "general availability" (GA) stage more than a year ago, while Azure AD conditional access capabilities hit GA status in October, but Microsoft had explained back then that Azure Portal integration of Azure AD conditional access capabilities was still lagging somewhat.
This week, Microsoft asked organizations to use the Azure Portal, rather than the so-called "classic portal," so that some Azure AD administrative capabilities can reach GA in about 60 days' time, according to an earlier announcement from Simons. However, other Azure AD capabilities in the Azure Portal will still lag, he indicated, including "Azure Active Directory Domain Services, MFA provider management, schema editing for provisioned apps, and a few reports including enterprise state roaming status, invitation summary, unlicensed usage, and MIM hybrid reports."
Requirements and Limitations
The new Limited Access Azure AD feature requires having an Azure AD Premium P1 subscription in place, according to Baer's announcement. Microsoft considers conditional access in Azure AD to be a Premium capability. In addition, a subscription to the Microsoft Intune mobile management service is required to use the Limited Access Azure AD control.
The new Limited Access Azure AD control doesn't cover files that can't be previewed in the browser, such as zip files, Baer clarified. Instead, a different setting can be used to block those downloads. However, using that setting "will result in a read-only experience for the end users and customizations may be affected," Baer added. Baer's announcement doesn't say exactly what that setting is, though.
The browser-only restriction governs browser sessions against SharePoint Online and OneDrive for Business (which is hosted on SharePoint Online, hence the setting's home in the SharePoint Admin Center). It isn't a consumer OneDrive feature, and it doesn't reach the OneDrive for Business sync client, the Office desktop clients or the mobile apps, which talk to the service outside the browser.
Blocking those non-browser paths uses a different mechanism: Azure AD conditional access (CA) policies that permit access by managed devices only, according to Baer's announcement. Azure Rights Management Service (RMS) isn't required for that, but Baer recommends it as an additional layer for high-value data. Here's how Baer described that nuance:
To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps we recommend you re-use AAD CA policies to allow access only from managed devices. For additional information refer to https://www.microsoft.com/en-us/cloud-platform/conditional-access. For additional security on HBI [high business impact] data you should also consider using Azure RMS.
So, while the new feature may sound good, organizations might have to figure out which features are supported by which licenses. Or, if cost isn't a hindrance, organizations can just buy Microsoft's upper-tier Secure Productive Enterprise licensing, which includes Azure AD Premium, Microsoft Intune and Azure RMS licensing.
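Below, as an added example that is not part of the article or of Microsoft's announcement, is how an admin would turn on the browser-only mode and verify it from the SharePoint Online Management Shell. The cmdlet used, Set-SPOTenant with its -ConditionalAccessPolicy parameter, is not mentioned in the article and is assumed here to be the shell counterpart of the admin center setting; the tenant name "contoso" is a placeholder.

```powershell
# Added example (not from the article or from Microsoft's announcement).
# Assumptions: the SharePoint Online Management Shell module is installed,
# the signed-in account is a SharePoint admin, and the tenant is named
# "contoso" (placeholder). Set-SPOTenant -ConditionalAccessPolicy is the
# SPO Management Shell's parameter for this setting; the article does not
# mention it.

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Record the current value so the change can be rolled back
# (Set-SPOTenant -ConditionalAccessPolicy $before).
$before = (Get-SPOTenant).ConditionalAccessPolicy
Write-Host "Current policy: $before"

# AllowLimitedAccess = browser-only for unmanaged/noncompliant devices
#   (no download, print or sync); BlockAccess = block them entirely;
#   AllowFullAccess = the default, i.e. no restriction.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Verify the setting took effect rather than trusting the cmdlet's silence.
$after = (Get-SPOTenant).ConditionalAccessPolicy
if ($after -ne 'AllowLimitedAccess') {
    throw "Expected AllowLimitedAccess, tenant reports '$after'"
}
Write-Host "Tenant policy is now $after (was $before)"

# Caveat (from Baer's announcement): this only governs browser sessions.
# The OneDrive for Business sync client, Office desktop clients and mobile
# apps are not covered; restrict those with an Azure AD conditional access
# policy that allows only managed devices, configured in the Azure portal
# and Intune rather than here. Files that cannot be previewed in the
# browser (e.g. .zip) are also outside this control.
```

The read-before-write and the explicit check after Set-SPOTenant are the parts worth keeping: tenant-wide settings propagate asynchronously, and a policy you believe is on but isn't is exactly the gap an unmanaged device will find.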
Why Azure AD?
Organizations may be wondering why they should need Azure AD, which taps Microsoft's "cloud" datacenters, over their traditional premises-based Active Directory. The answer seems to be to enable single sign-on to Office 365 and software-as-a-service applications, as well as the enforcement of multifactor authentication security, according to an answer by "Brittany for Microsoft" in a recent Spiceworks forum post.
Azure AD is also seen as useful for roaming enterprise app settings, supporting Windows Hello for Business biometric logins, enabling self-service capabilities such as the retrieval of BitLocker keys and enabling conditional access for mobile devices, according to "JairoC" of the Microsoft engineering team, in a recent Ask Me Anything Azure AD session.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.