☕ SharePoint Tip #24 — Conditional Access: securing SharePoint without blocking users

Good morning! Here is your 15-minute SharePoint tip for today.

Day 24 | Week 4 — Product Owner Mastery


Conditional Access and Device Compliance

Conditional Access is how your organisation ensures that only the right people, on the right devices, in the right locations, can access SharePoint. As a Product Owner you need to understand how these policies affect the user experience.


What is Conditional Access?

Conditional Access is an Azure Active Directory feature that evaluates every sign-in attempt against a set of conditions before granting access. It’s like a smart bouncer for SharePoint.

Conditions can include:

  • Who is signing in (specific user, group, or role)
  • Where they are (corporate network, home, foreign country)
  • What device they’re using (corporate-managed, personal, compliant)
  • What app they’re accessing (SharePoint, Teams, Exchange)

The three Conditional Access outcomes for SharePoint

Full access — managed, compliant device + known location + MFA completed = unrestricted SharePoint access including downloading files.

Limited access (browser only) — unmanaged or personal device = SharePoint accessible in browser only. No file download, no sync. Users can view and edit online but cannot take files locally. This is Microsoft’s "unmanaged device" policy for SharePoint.

Blocked — high-risk sign-in, non-compliant device, or blocked location = access denied entirely.
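The two restrictive outcomes above can be written down as Microsoft Entra Conditional Access policies. The script that follows is an added example, not code from the newsletter: it creates a "limited" policy (MFA plus SharePoint's own app-enforced browser-only restriction for unmanaged devices) and a "blocked" policy (high-risk sign-ins from outside trusted locations), both in report-only mode so the would-be result appears in sign-in logs before any real user is affected. It assumes the Microsoft.Graph PowerShell SDK, an account that can grant Policy.ReadWrite.ConditionalAccess, and placeholder object ids for a pilot group and an emergency-access account.

```powershell
# Added example (not the newsletter's own code): the "limited" and "blocked"
# outcomes as Entra Conditional Access policies, created in report-only mode.
# Assumes the Microsoft.Graph SDK; group and account ids below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"   # well-known Office 365 SharePoint Online app id
$pilotGroupId    = "<object id of the pilot group>"         # placeholder
$breakGlassId    = "<object id of the emergency-access account>"  # placeholder, always excluded

# Policy A (limited): pilot users must complete MFA. With app-enforced
# restrictions switched on, SharePoint itself downgrades unmanaged devices to
# browser-only; managed, compliant devices keep full access.
$limited = @{
    displayName = "SPO pilot - MFA + browser-only on unmanaged devices"
    state       = "enabledForReportingButNotEnforced"   # report-only: log, do not enforce
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

# Policy B (blocked): high-risk sign-ins from anywhere except trusted named
# locations are denied outright.
$blocked = @{
    displayName = "SPO pilot - block high-risk sign-ins off-network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
        locations        = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create both policies and show what was stored (id, name, state).
foreach ($p in @($limited, $blocked)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  ->  {1} ({2})" -f $created.Id, $created.DisplayName, $created.State
}
```

The app-enforced restriction in Policy A only does something once the SharePoint side is set to limited access for unmanaged devices (the Access control setting covered in the next section). Keep the emergency-access exclusion on every policy, and flip `state` to `enabled` only after the report-only sign-in logs show the expected split between full, limited and blocked.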


The SharePoint-specific access control settings

In the SharePoint Admin Center → Policies → Access control:

  • Unmanaged devices — choose: full access, browser-only, or blocked
  • Idle session sign-out — automatically sign out inactive browser sessions after X minutes
  • Network location — restrict SharePoint access to specific IP ranges (e.g. office network only)

Impact on user experience

Browser-only mode is the most common source of user complaints after a security policy change. Users say "I can’t download files anymore." The answer is: your device is not enrolled in mobile device management (MDM). Enrol the device → full access restored.


Try it today (5 minutes)

In the SharePoint Admin Center → Policies → Access control → Unmanaged devices. What is your current setting? If it says "Allow full access," consider whether "Allow limited, browser-only access" would be more appropriate for your organisation’s security posture — especially for contractor and BYOD scenarios.
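For the three Access control settings listed above and for today's check of the unmanaged-devices setting, the same work can be done from PowerShell. The script below is an added example, not code from the newsletter: it reads the current values, warns when unmanaged devices still get full access, and then applies the hardened values behind an opt-in switch so the tenant-wide changes are not made by accident. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator account, and placeholder values for the tenant name and office IP range.

```powershell
# Added example (not the newsletter's own code): audit and harden the three
# SharePoint Access control settings. Assumes the SharePoint Online management
# shell; tenant name and IP range are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant

# --- 1. Audit: what do the three settings say right now? ---
$tenant = Get-SPOTenant
$idle   = Get-SPOBrowserIdleSignOut

[pscustomobject]@{
    UnmanagedDevices   = $tenant.ConditionalAccessPolicy   # AllowFullAccess | AllowLimitedAccess | BlockAccess
    IdleSignOutEnabled = $idle.Enabled
    IdleSignOutAfter   = $idle.SignOutAfter
    IPEnforcement      = $tenant.IPAddressEnforcement
    IPAllowList        = $tenant.IPAddressAllowList
} | Format-List

# The check from "Try it today": full access means BYOD and contractor
# devices can download and sync everything.
if ($tenant.ConditionalAccessPolicy -eq "AllowFullAccess") {
    Write-Warning "Unmanaged devices currently get full download and sync access."
}

# --- 2. Harden: opt in explicitly, and only after a pilot with real users ---
$apply = $false   # set to $true to change the tenant

if ($apply) {
    # Unmanaged devices: browser-only, editing allowed online, no download
    # of files the browser cannot render.
    Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
                  -AllowDownloadingNonWebViewableFiles $false `
                  -AllowEditing $true

    # Idle session sign-out: warn at 55 minutes, sign out at 60.
    Set-SPOBrowserIdleSignOut -Enabled $true `
                              -WarnAfter (New-TimeSpan -Minutes 55) `
                              -SignOutAfter (New-TimeSpan -Minutes 60)

    # Network location: office range only (203.0.113.0/24 is a documentation
    # range used here as a placeholder). The range you run this from must be
    # in the list, or the admin session is locked out along with everyone else.
    Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList "203.0.113.0/24"
}
```

Run the audit half on its own first; the values it prints are the same ones shown under Policies → Access control. The `$apply` gate is there because all three settings are tenant-wide and take effect on the next sign-in, which is exactly the Monday-morning scenario a Product Owner wants to rehearse with a pilot group rather than discover in production.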


As a Product Owner

Conditional Access policies are security decisions with UX consequences. Always test policy changes with real users before rolling out broadly. A policy that blocks 200 people from accessing SharePoint on a Monday morning is a product incident, not just a security setting.


See you tomorrow at 6:00 AM with Tip #25 — SharePoint Copilot and the AI future!