Site-Scoped Limited Access Policies in SharePoint Online

In March 2017 we introduced device-based policies for SharePoint and OneDrive, that enable administrators to configure Tenant-level policies.

Device-based policies for SharePoint and OneDrive help administrators ensure corporate data is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to the content to the browser, preventing files from being taken offline or synchronized with OneDrive.

On September 1st, 2017 we’ve continued to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing new levels of granularity with conditional access that allow administrators to scope device-based policies at the site collection level.  In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.

In the demonstration above, the Tenant is configured with a permissive device access policy, allowing full access from unmanaged devices to include desktop apps, mobile apps, and browsers.  The Marketing site inherits the policy configured at the Tenant; however, the Legal site has a policy configured less permissive than that configured at the Tenant level.  In addition, members of the Marketing site, while limited to browser only access on unmanaged devices, can continue to edit content they have access to provide a seamless collaborative experience.

Configuring Policies

Once available in First Release Tenants site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.


The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

  1. Connect-SPOService -Url https://<URL to your SPO admin center>
  2. $t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
  3. Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess
Comments (7)

  1. Ralph Goebel says:


    doest this mean that it would be possible to enforce MFA for a subset of sites? This would be great 🙂

    Thanks and regards


    1. Not at this time. The current policy allows for establishing a device-based limited access policy that limits the interaction with one or more sites from unmanaged or non-compliant devices.

  2. Michael Hildebrand (MSFT) says:

    FYI – this requires Azure AD Conditional Access that is part of Azure AD Premium Plan 1/P1 (which is included in EMS E3).

  3. Patrick Spieler says:

    How this can be applied to a specific SiteCollection?

    1. You can use the Set-SPOSite cmdlet as documented to configure one or more site collections.

  4. We don’t seem to get this to work.

    When we set the policy the is no obvious error. If I check the Policy via PowerShell it reports LimitedAccess:

    Get-SPOSite | select Url,ConditionalAccessPolicy,SharingAllowedDomainList,SharingBlockedDomainList,SharingCapability,SharingDomainRestrictionMode

    When I test with different devices I don’t get the yellow header. So I checked all sites via Get-SPOSite -limit all | ft Url,ConditionalAccessPolicy all sites report to be set to FullAccess

    What could be the issue?

  5. Rob Joyner says:

    It’s not totally clear from this how you control the scope of the “AllowLimitedAccess” options. Can this point to any existing conditional access policy, so for example if we had an access policy configured in Azure with the name “Block_Access_From_Somewhere” would you use Set-SPOSite -Identity -ConditionalAccessPolicy Block_Access_From_Somewhere

Skip to main content