Microsoft 365 – How to block SharePoint sites access / Microsoft 365 Apps to the users via Browser – setting up policy in SharePoint admin center / Azure admin center

Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access
Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access

Hi All,

Greetings for the day 🙂 LIFE IS BEAUTIFUL 🙂

Background :

Recently we got a requirement that SharePoint admin user shouldn’t access SharePoint sites / Microsoft 365 Apps via browser

This is because we have migration team and wants to allow them only to execute PowerShell CMDLETS and nothing to access site / Microsoft 365 Apps through browser or admin center

Even this is new for me so bit research and as usual SHARING IS CARING 🙂

Following are the detailed steps :

M365 - SharePoint admin center
fig : M365 – SharePoint admin center >> Policies >> Access control
  • We will be redirected to Access Control page
  • From Access control page select the option – Unmanaged devices
M365 - SharePoint admin center >> Policies >> Access control >> Unmanaged devices
fig : M365 – SharePoint admin center >> Policies >> Access control >> Unmanaged devices
  • On selection of Unmanaged devices option, right pane will be open as
SharePoint admin center >> Policies >> Access control >> Unmanaged devices >> Block access
fig : SharePoint admin center >> Policies >> Access control >> Unmanaged devices >> Block access
  • From right pane, select “Block access” and click on “Save” button. – This action will
    1. Block all the SharePoint site access to all users from browser
    2. Important point New policy will be created in Azure admin center (https://portal.azure.com/) under Security >> Conditional Access with name – [SharePoint admin center]Use app-enforced Restrictions for browser access – 2021/11/19
    3. Please note the naming convention for the policy created in Azure Admin Center
Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access
  • To block for specific users we need to edit this policy from Azure admin center – https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
  • Click on policy to edit and from “Assignments” section, under “Users or workload identities” click on “Specific users included
  • From right side options from drop-down – “What does this policy apply to?” select “Users and groups” option
  • Under “Include” section select – “Select users and groups” >> “Users and groups” >> “Select” option  
Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Users or workload identities >> Select users and groups >> Users and groups
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Users or workload identities >> Select users and groups >> Users and groups
  • Right pane will open to select user and groups as
Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Users or workload identities >> Select users and groups >> Users and groups  - selecting the users or groups to block
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Users or workload identities >> Select users and groups >> Users and groups  – selecting the users or groups to block
  • From right pane – “Select”, search the user or group for which we need to block the SharePoint sites and click on bottom button – Select
  • When respective users try to access the SharePoint site (even though any SharePoint Admin), “Access Denied” error will come as
Access denied error for the users to whom “Block Access” policy is created
fig : Access denied error for the users to whom “Block Access” policy is created
  • To block other apps like – Azure DevOps , Azure Key Vault, Microsoft Flow, Microsoft Forms and so on, from “Cloud apps or actions” as
Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Cloud apps or actions >> Include >> select apps
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Cloud apps or actions >> Include >> select apps
  • Search for respective app and select those. Those app will be blocked for the respective users or group

To block desktop clients and mobile apps under Conditions >> Client apps >> Check – Mobile apps and desktop clients as

Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Conditions >> Client apps >> Mobile apps and desktop clients
fig : Azure Active Directory admin center >> Azure Active Directory >> Security >> Conditional Access >> Assignments >> Conditions >> Client apps >> Mobile apps and desktop clients

Thanks for reading 🙂 If it is worth to share, kindly please like and share 🙂

HAVE A GREAT TIME AHEAD 🙂 STAY HEALTHY, POSITIVE 🙂

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certificated. Motivational, Behavioral , Technical speaker. Speaks in various events including SharePoint Saturdays, Boot camps, Collages / Schools, local chapter. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.

You may also like...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: