What’s a conditional access policy?
Conditional access policies help organizations enhance security and compliance by allowing precise control over user authentication in Microsoft 365. Essentially, they function as a series of “if” statements to set specific login conditions. For instance, you could require that all members of a certain group use Multi-Factor Authentication (MFA) to access Microsoft 365: “If the user belongs to group X, then require MFA.”
These policies offer many customization options. For example, you could restrict a group of users to log in only from certain IP addresses: “If the user is part of group X and not logging in from IP address 1.1.1.1, then block access.”
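The two “if” statements above, written out as real policies, as an added example (not code from the original post) using the Microsoft Graph PowerShell SDK. The group object ID, the emergency-access account ID and the policy names are placeholders; the `1.1.1.1` address is the one from the text. Conditional Access has no direct “source IP” condition, so the second rule is expressed as a named location that the policy excludes.

```powershell
# Added example (not from the original post): create the two policies described above
# with the Microsoft Graph PowerShell SDK. Group ID and account ID below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$groupId      = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of "group X"
$breakGlassId = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency-access account to exclude

# Policy 1: "If the user belongs to group X, then require MFA."
$mfaPolicy = @{
    displayName   = "CA01 - Group X requires MFA"
    state         = "enabledForReportingButNotEnforced"  # report-only first; set "enabled" after review
    conditions    = @{
        users          = @{ includeGroups = @($groupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: "If the user is part of group X and not logging in from 1.1.1.1, then block access."
# The allowed address becomes a named location; the policy applies to "All" locations except it.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Group X allowed egress IP"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "1.1.1.1/32" }
    )
}

$blockPolicy = @{
    displayName   = "CA02 - Block Group X outside allowed IP"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($groupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy

# Verify what was created; both should still show the report-only state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before they are switched to enforced; the emergency-access exclusion keeps a block policy from locking every administrator out if the allowed IP changes.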
License Requirements
You need an Azure AD Premium P1, Azure AD Premium P2, or Microsoft 365 Business Premium license.
Conditional Access policies are also included in the following licenses:
- Microsoft 365 E3 & E5
- Microsoft 365 F3
- Enterprise Mobility + Security E3 (EMS E3), and E5 (EMS E5)
Enterprise application
We want to see whether a conditional access policy can be used to prevent an enterprise application from downloading documents from a SharePoint library. In this test scenario the documents are stored in a SharePoint Online Shareflex application, such as Contract Management.
Configuration
We created the following conditional access policy. See images below.
Enterprise application testing approach
We created a button in the end-user interface of the SharePoint Contract Management application that instructs Shareflex Services to download a Word document from the selected contract record. If the policy is working correctly, this download by the enterprise application should be blocked.
Results
This policy is not blocking downloads by the enterprise app.