Tuesday, 30 May 2017

Intune app-based conditional access to SharePoint Online

App-based conditional access is a new recent addition to the Intune family and is a really useful feature. Only mobile apps that have Intune app protection policies applied to them can access SharePoint resources. This helps to prevent data leakage and protect our data. Let's see how to configure it and what it looks like in the field.

Sign into the Azure portal (https://portal.azure.com)
Choose More services from the left menu, then type Intune in the text box filter.

Choose Intune App Protection and select All Settings in the Intune mobile application management blade.

Choose the SharePoint Online tile. On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.

The Allowed apps are listed. Now open the Restricted user groups blade and choose Add user group.

Select the user groups that should receive the policy.

OK, so what does this look like on a device. For testing I'm using an iPhone and the "SharePlus for Office 365 and SharePoint" app.

SharePlus is an unmanaged app that you can use to work with your SharePoint libraries. I've installed it on the iPhone.

SharePlus cannot have Intune app protection policies applied so it will not be possible to authenticate the app to access SharePoint. An error is encountered. It isn't a very clear or intuitive error message but the functionality is perfect. Access is prevented by the app-based CA policy.

Once I remove the per-app CA policy, SharePlus can successfully authenticate with SharePoint Online. This is very cool.

Until next time.......

No comments:

Post a Comment