SharePoint Online, Authentication Tags and Conditional Access. What’s not to like?

I should start with a warning. The feature we are going to talk about is new. Brand new. Please start by reading the limitations that come with this feature, and I strongly suggest only applying this in test or demo environments.

That being said, I want to point out how psyched I am about this new functionality. Despite the limitations, this is something you should start to look in to. In the meantime, I’ll keep updating this post with feedback and news around this topic.

Conditional Access & Authentication Tags

Conditional Access is the powerful centerpiece of many M365 environments these days. Workloads are being protected with a Zero Trust approach, which means you should challenge every request to your resources.

SharePoint already offers a decent amount of security options. For example, you can control, limit, or block access from unmanaged devices on site-level or organization-wide. This feature is also backed with conditional access.

Now you can go one step further. You can apply more granular policies on sites that contain highly confidential content. This is done by using Authentication tags. A tag can be attached to a specific SharePoint site. Next, you create a Conditional Access policy that specifies the conditions and controls for that tag. Multiple policies can share the same tag.

Here is the format of the tags that we are going to use later:

  • Level 1: urn:microsoft:req1
  • Level 2: urn:microsoft:req2
  • Level 3: urn:microsoft:req3

I created this overview to give you an idea of what’s possible.

Prerequisites

There are some prerequisites to use this feature:

  • Azure AD Premium P1 license
  • Latest SharePoint Online PowerShell module

You can find the latest version of the SharePoint Online PowerShell Module here or by running:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

Creating the policy

At the time of writing, this feature works on all tenants, but the setting is hidden. Registration for this feature is not needed, but would be appreciated. You can access the preview feature by using this URL:

https://portal.azure.com/?causeractions=true&caaccessrequirementsactions=true#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies

You’ll be redirected to your Azure AD Conditional Access page. Create a new policy by clicking the + New Policy button. Name your policy as you like. Go to the User actions section and select Accessing secured app data. For this example, we use Level 1 as our Authentication tag.

Next, select a test user or group and select the required access control. In this demo, we are going to require MFA for SharePoint sites with the Level 1 tag. Save the policy.

Add the authentication tag to the SharePoint site

The policy is now active, but since we did not attach any site to any of the tags, MFA is not forced for the users. We now have to add this tag to the SharePoint Online site.
Currently, this is only possible with PowerShell.

Fire up PowerShell and connect to your SPO admin site. Replace the URL with your own admin URL.

Connect-SPOService -Url https://sharingiscaring-admin.sharepoint.com

You can find your personal admin URL using this link: https://admin.microsoft.com/sharepoint

Next, add the tag to the specific SharePoint site by using this command:

Set-SPOSite -Identity https://sharingiscaring.sharepoint.com/sites/DemoSite -ConditionalAccessPolicy ProtectionLevel -ProtectionLevelName "urn:microsoft:req1"

Note that we use the urn:microsoft:req1 tag here. This corresponds to the Level 1 Authentication tag that we used in the Conditional Access policy. The tag can be added to multiple sites. (see overview)

Now give it a couple of minutes before you test this.

To remove a site from a certain level, you can either delete or disable the policy or re-run the cmdlet with an empty string:

Set-SPOSite -Identity https://sharingiscaring.sharepoint.com/sites/DemoSite -ConditionalAccessPolicy ProtectionLevel -ProtectionLevelName ""
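The tagging steps above, as an added example that is not part of the original post: it applies the three tags from this post to several sites in one go, can clear a tag again, and then audits the tenant for every site that currently carries a ProtectionLevel policy. The admin URL and site URLs are constructed placeholders, and the ProtectionLevelName property read back from Get-SPOSite is an assumption (ConditionalAccessPolicy is a known property).

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# PowerShell module is installed and you are a SharePoint admin.

# Level -> tag mapping, exactly as listed in the post
$AuthTags = @{
    'Level 1' = 'urn:microsoft:req1'
    'Level 2' = 'urn:microsoft:req2'
    'Level 3' = 'urn:microsoft:req3'
}

# Site -> level assignments (constructed sample values, replace with your own)
$Assignments = @{
    'https://contoso.sharepoint.com/sites/DemoSite'  = 'Level 1'
    'https://contoso.sharepoint.com/sites/Finance'   = 'Level 2'
    'https://contoso.sharepoint.com/sites/BoardRoom' = 'Level 3'
}

# Connect once; the admin URL is a placeholder for your own tenant
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

function Set-SiteAuthTag {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $Level
    )
    # Refuse unknown levels so a typo never silently tags a site with a bogus URN
    if (-not $AuthTags.ContainsKey($Level)) {
        throw "Unknown level '$Level'. Expected one of: $($AuthTags.Keys -join ', ')"
    }
    Set-SPOSite -Identity $SiteUrl -ConditionalAccessPolicy ProtectionLevel `
                -ProtectionLevelName $AuthTags[$Level]
}

function Remove-SiteAuthTag {
    param([Parameter(Mandatory)] [string] $SiteUrl)
    # An empty string clears the tag, as shown in the post
    Set-SPOSite -Identity $SiteUrl -ConditionalAccessPolicy ProtectionLevel -ProtectionLevelName ''
}

foreach ($entry in $Assignments.GetEnumerator()) {
    Set-SiteAuthTag -SiteUrl $entry.Key -Level $entry.Value
}

# Audit: every site that carries a ProtectionLevel policy, so nothing is tagged
# (or left tagged) by accident. ProtectionLevelName as an output property is assumed.
Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.ConditionalAccessPolicy -eq 'ProtectionLevel' } |
    Select-Object Url, ConditionalAccessPolicy, ProtectionLevelName |
    Format-Table -AutoSize
```

Run the audit again after removing a tag to confirm the site has dropped out of the list; the policy only takes effect once the tag on the site matches the tag in the Conditional Access policy.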

User experience

Let’s take a look at the end-user experience. When the user first accesses SharePoint, they are not prompted for MFA (assuming you did not apply any other policies).

When the user accesses the Demo Site, the user is prompted for MFA.

I have tried a couple more controls such as Block access or Require device to be marked as compliant. You can find the results in the sign-in logs in Azure AD.

Limitations

There are a couple of known limitations that you should be aware of:

  • OneDrive Sync client will not be able to sync libraries in a site with this policy applied
  • Office files will only load in the Office Web Apps (Word, Excel, PowerPoint)
  • The Teams App (desktop and web) will not load the files. To interact with the files, direct navigation to the site in SharePoint is required.
  • Outlook Web App will not be able to add file attachments to an email pulling from the site. To send a file located in the site collection, navigate to the site URL and use the “Share” options to send a link. Access is subject to the policy.
  • Workflows will no longer run on the site. Workflow authentication does not work with MFA requirements.

Let’s wrap up

This feature can be used as an extra layer of security for specific SharePoint sites. Despite the limitations (mostly integration issues), this is useful in a couple of scenarios. For example, organizations can now push single SPO sites to Microsoft Cloud App Security app control and can design more granular policies for access on site-level. Overall, it’s good to know that this feature is now out there. If you have an interesting use case where you can use this feature, let me know in the comments!

Stay safe!

7 thoughts on “SharePoint Online, Authentication Tags and Conditional Access. What’s not to like?”

    1. I think it requires a P1 license, because it’s using the Conditional Access feature. It’s going to be integrated with sensitivity labeling soon. Not sure what that does with the license requirements.

  1. Pingback: Accessing SharePoint and OneDrive content on unmanaged devices – More than just ConfigMgr

  2. Nice read, I just passed this onto a colleague who was doing a little research on that. And he actually bought me lunch because I found it for him smile Thus let me rephrase that: Thanks for lunch!
