Device-based Policies Updates with SharePoint and OneDrive

The risks to information exposure have increased in today’s collaboration landscape because users don’t always work on desktop computers. Access controls now need to account for users connecting their mobile devices to non-secure networks or using their own unmanaged devices. These new access controls start with conditional access policies. Conditional access allows you to keep your corporate data safe while providing your users a secure environment in which they can work from any device. Conditional access in SharePoint Online and OneDrive for Business offers security that goes beyond user permissions. It considers the identity of the user, the devices and applications being used, the network that the user has connected to, and the sensitivity of the data being accessed.

In March 2017 we introduced device-based policies for SharePoint and OneDrive, enabling administrators to configure Tenant-level policies.

Device-based policies for SharePoint and OneDrive in help administrators ensure data on corporate resources is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to content to the browser, preventing files from being taken offline or synchronized with OneDrive on unmanaged devices.

On September 1st, 2017 we’ll continue to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing new levels of granularity with conditional access that allow administrators to scope device-based policies at the site collection level.  In addition, this granular policy can be configured to allow users on unmanaged to edit Office Online documents in the browser.

Configuring Policies

Once available in First Release Tenants site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.


The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

  1. Connect-SPOService -Url https://<URL to your SPO admin center>
  2. $t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
  3. Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess

We understand that there is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.  Learn more about how we address our customers security and compliance concerns with the resources here.

eBook – Securing your content in the new world of work with SharePoint and OneDrive

Visual Interactive – Share with confidence with SharePoint and OneDrive

Learn more about device-based policies at

Comments (7)

  1. Kapila Munaweera says:

    Would like to similar per site collection setting for MFA

  2. Albert Hoitingh says:

    Hi Bill,

    Great article. I’m trying to set this policy on my tenant using this cmdlet:

    Set-SPOSite -Identity -AllowLimitedAccess $True -BlockDownloadOfNonViewableFiles $True

    But unfortunatly, I get an “Set-SPOSite : Field or property “AllowLimitedAccess” does not exist” error. Could this be because my tenant (1st release) has not yet been provisioned for this function?

    Any help is appreciated!

    Kind regards,


    1. We’ve updated the CmdLet, please use Set-SPOSite -ConditionalAccessPolicy AllowFullAccess | AllowLimitedAccess

  3. Bill Hughes says:

    Hey Bill – Any timeline on when we will be able to link specific sites with specific AAD/Intune Conditional Access Policies?

    1. Something we’re working on, stay tuned.

  4. Chris Clark says:

    Hi Bill –

    It looks like the SharePoint Admin UI is having issues. You can’t set this and have the setting stick. I was able to set -allowlimitedaccess for the top level site, but is there a way to set it for the whole SP tenant, including OneDrive, Groups, Teams, etc. Also -allowlimitedaccess allows you to edit in Office Online. Can we restrict this further to read only?

    1. Site-scoped device policies are designed to be more restrictive than those configured at the Tenant-level. When opting to use site-scoped policy, the Tenant-level access policy needs to be configured to allow full access from unmanaged devices. With the Tenant-level policy configured, site-scoped policies can then be configured. With site-scoped policies, users on unmanaged devices are allowed edit access to content they have permission too to support collaboration on that content – there is no read-only option in the current release. For cross-suite policy, I would recommend policy configured via AAD. -Thanks, Bill

Skip to main content