News

Microsoft Previews Conditional Access Feature for SharePoint Online

• By Kurt Mackie
• January 20, 2017

A preview of a new conditional access capability for Microsoft SharePoint Online and OneDrive for Business users is now rolling out to "first release" testers.

Microsoft described the feature as a "conditional access by network location" security capability. It's a free addition to those services that's designed to thwart "data leakage" scenarios in which restricted information could get dispersed.

The company expects to release the feature on Jan. 20 to all "commercial and GCC [Government Community Cloud] tenants, and will not require additional licensing," Microsoft explained in a Microsoft Tech Community blog post late last week.

IT pros can use the SharePoint Admin console to define the network boundaries for this feature. Essentially, they provide "whitelisted address ranges" for end users in an organization. A user who tries to access SharePoint Online or OneDrive for Business outside those whitelisted addresses will get blocked and will see an "access restricted" message. Policy set via the console in this way will apply across an organization's Office 365 tenant for the SharePoint Online and OneDrive for Business services.

The new conditional access capability is just for SharePoint Online and OneDrive for Business users, though. It's not for SharePoint Server users.

"These policies do not affect SharePoint Server, and we have no information about plans to include on premises SharePoint Sever in the scope of these access policies," Microsoft's announcement explained.

The new conditional access feature is turned off by default. IT pros wanting to use it have to enable it via the console. Microsoft noted some caveats, though, when activating it. If an IT pro omits his or her machine's IP address from the range of whitelisted IP addresses, then it'll "lock out the admin session." In such cases, Microsoft support will need to be contacted.

Conditional access policy configurations using Microsoft's Azure Active Directory Premium service will get "interpreted first, followed by the SharePoint policy," Microsoft explained. For instance, if an IP address was blocked with the Azure Active Directory Premium service, it cannot be enabled using the SharePoint Online conditional access feature.

Microsoft also warned that users of its collaboration applications could see "unpredictable results" under certain conditions when using the new conditional access feature, especially users who aren't on the whitelist.

"For collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when accessed outside the whitelist."