I should start with a warning. The feature we are going to talk about is new. Brand new. Please start by reading the limitations that come with this feature, and I strongly suggest applying it only in test or demo environments.
That being said, I want to point out how psyched I am about this new functionality. Despite the limitations, this is something you should start to look into. In the meantime, I’ll keep updating this post with feedback and news around this topic.
Conditional Access & Authentication Tags
Conditional Access is the powerful centerpiece of many M365 environments these days. Workloads are protected with a Zero Trust approach, which means every request to your resources should be challenged.
SharePoint already offers a decent amount of security options. For example, you can control, limit, or block access from unmanaged devices on site-level or organization-wide. This feature is also backed with conditional access.
Now you can go one step further and apply more granular policies to sites that contain highly confidential content. This is done with Authentication tags: a tag is attached to a specific SharePoint site, and a Conditional Access policy then specifies the conditions and controls for that tag. Multiple policies can share the same tag.
Here is the format of the tags that we are going to use later:
I created this overview to give you an idea of what’s possible.
There are some prerequisites to use this feature:
- Azure AD Premium P1 license
- Latest SharePoint Online PowerShell module
You can find the latest version of the SharePoint Online PowerShell Module here or by running:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Creating the policy
At the time of writing, this feature works on all tenants, but the setting is hidden. Registration for this feature is not needed, but would be appreciated. You can access the preview feature by using this URL:
You’ll be redirected to your Azure AD Conditional Access page. Create a new policy by clicking the + New Policy button. Name your policy as you like. Go to the User actions section and select Accessing secured app data. For this example, we use Level 1 as our Authentication tag.
Next, select a test user or group and select the required access control. In this demo, we are going to require MFA for SharePoint sites with the Level 1 tag. Save the policy.
Add the authentication tag to the SharePoint site
The policy is now active, but since no site is attached to any of the tags yet, MFA is not enforced for the users. We now have to add the tag to the SharePoint Online site.
Currently, this is only possible with PowerShell.
Fire up PowerShell and connect to your SPO admin site. Replace the URL with your own admin URL.
Connect-SPOService -url https://sharingiscaring-admin.sharepoint.com
You can find your personal admin URL using this link: https://admin.microsoft.com/sharepoint
Next, add the tag to the specific SharePoint site by using this command:
Set-SPOSite -Identity https://sharingiscaring.sharepoint.com/sites/DemoSite -ConditionalAccessPolicy ProtectionLevel -ProtectionLevelName "urn:microsoft:req1"
Note that we use the urn:microsoft:req1 tag here. This corresponds to the Level 1 Authentication tag that we used in the Conditional Access policy. The same tag can be added to multiple sites (see the overview above).
Now give it a couple of minutes before you test this.
To remove a site from a certain level, you can either delete or disable the policy or re-run the cmdlet with an empty string:
Set-SPOSite -Identity https://sharingiscaring.sharepoint.com/sites/DemoSite -ConditionalAccessPolicy ProtectionLevel -ProtectionLevelName ""
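As an added example (not from the original post), here is a script that applies or clears the tag on several sites in one go and reads each site back to confirm the setting actually took effect. The tenant and site URLs are placeholders, and reading ProtectionLevelName back from Get-SPOSite is an assumption; the Set-SPOSite parameters are the ones used above.

```powershell
# Added example, not from the original post.
# Assumptions: <tenant> and the site URLs are placeholders; the Get-SPOSite
# properties ConditionalAccessPolicy and ProtectionLevelName are assumed to be
# readable for verification. Set-SPOSite -ProtectionLevelName is from the post.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Desired state: site URL -> tag. An empty string clears the tag, as in the post.
$desired = @{
    "https://<tenant>.sharepoint.com/sites/DemoSite"    = "urn:microsoft:req1"
    "https://<tenant>.sharepoint.com/sites/FinanceSite" = "urn:microsoft:req1"
    "https://<tenant>.sharepoint.com/sites/OldSite"     = ""   # remove the tag
}

foreach ($url in $desired.Keys) {
    $tag = $desired[$url]
    try {
        Set-SPOSite -Identity $url `
            -ConditionalAccessPolicy ProtectionLevel `
            -ProtectionLevelName $tag -ErrorAction Stop
    } catch {
        Write-Warning "Failed to tag $url : $($_.Exception.Message)"
        continue
    }

    # Read the site back and compare, so a silently ignored setting is noticed
    # before anyone relies on the policy being enforced.
    $site   = Get-SPOSite -Identity $url -Detailed
    $actual = [string]$site.ProtectionLevelName
    if ($actual -eq $tag) {
        Write-Output ("OK       {0} -> '{1}'" -f $url, $actual)
    } else {
        Write-Warning ("MISMATCH {0}: wanted '{1}', got '{2}'" -f $url, $tag, $actual)
    }
}
```

Remember to give the change a couple of minutes to propagate before testing the end-user experience.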
Let’s take a look at the end-user experience. When the user first accesses SharePoint, they are not prompted for MFA (assuming you did not apply any other policies).
When the user then accesses the Demo Site, they are prompted for MFA.
I have tried a couple more controls such as Block access or Require device to be marked as compliant. You can find the results in the sign-in logs in Azure AD.
There are a couple of known limitations that you should be aware of:
- The OneDrive sync client will not be able to sync libraries in a site with this policy applied.
- Office files will only load in the Office Web Apps (Word, Excel, PowerPoint)
- The Teams App (desktop and web) will not load the files. To interact with the files, direct navigation to the site in SharePoint is required.
- Outlook Web App will not be able to add file attachments to an email pulling from the site. To send a file located in the site collection, navigate to the site URL and use the “Share” options to send a link. Access is subject to the policy.
- Workflows will no longer run on the site. Workflow authentication does not work with MFA requirements.
Let’s wrap up
This feature can be used as an extra layer of security for specific SharePoint sites. Despite the limitations (mostly integration issues), this is useful in a couple of scenarios. For example, organizations can now push single SPO sites to Microsoft Cloud App Security app control and can design more granular policies for access on site-level. Overall, it’s good to know that this feature is now out there. If you have an interesting use case where you can use this feature, let me know in the comments!