As a SharePoint Administrator or Global Administrator in Microsoft 365, you can block or limit access to SharePoint and OneDrive content from unmanaged devices (those not hybrid AD joined or compliant in Intune). You can block or limit access for:
All users in the organization or only some users or security groups.
All sites in the organization or only some sites.
Blocking access helps provide security but comes at the cost of usability and productivity. When access is blocked, users will see the following error.
Limiting access allows users to remain productive while addressing the risk of accidental data loss on unmanaged devices. When you limit access, users on managed devices will have full access (unless they use one of the browser and operating system combinations listed in Supported browsers). Users on unmanaged devices will have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps. When you limit access, you can choose to allow or block editing files in the browser. When web access is limited, users will see the following message at the top of sites.
Note
Blocking or limiting access on unmanaged devices relies on Azure AD conditional access policies. Learn about Azure AD licensing. For an overview of conditional access in Azure AD, see Conditional access in Azure Active Directory. For info about recommended SharePoint access policies, see Policy recommendations for securing SharePoint sites and files. If you limit access on unmanaged devices, users on managed devices must use one of the supported OS and browser combinations, or they will also have limited access.
Control device access across Microsoft 365
The procedures in this article only affect SharePoint access by unmanaged devices. If you want to expand control of unmanaged devices beyond SharePoint, you can Create an Azure Active Directory conditional access policy for all apps and services in your organization instead. To configure this policy specifically for Microsoft 365 services, select the Office 365 cloud app under Cloud apps or actions.
Using a policy that affects all Microsoft 365 services can lead to better security and a better experience for your users. For example, when you block access to unmanaged devices in SharePoint only, users can access the chat in a team with an unmanaged device, but will lose access when they try to access the Files tab. Using the Office 365 cloud app helps avoid issues with service dependencies.
Block access
Go to Access control in the new SharePoint admin center, and sign in with an account that has admin permissions for your organization.
Note
If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Access control page.
Select Unmanaged devices.
Select Block access, and then select Save.
Important
Selecting this option disables any previous conditional access policies you created from this page, and creates a new conditional access policy that applies to all users. Any customizations you made to previous policies will not be carried over.
Note
It can take up to 24 hours for the policy to take effect. It won't take effect for users who are already signed in from unmanaged devices.
Important
If you block or limit access from unmanaged devices, we recommend also blocking access from apps that don't use modern authentication. Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. In Access control in the new SharePoint admin center, select Apps that don't use modern authentication, select Block access, and then select Save.
Limit access
Go to Access control in the new SharePoint admin center, and sign in with an account that has admin permissions for your organization.
Note
If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Active sites page.
Select Unmanaged devices.
Select Allow limited, web-only access, and then select Save. (Note that selecting this option will disable any previous conditional access policies you created from this page and create a new conditional access policy that applies to all users. Any customizations you made to previous policies will not be carried over.)
If you revert back to Allow Full Access, it could take up to 24 hours for the changes to take effect.
Important
If you block or limit access from unmanaged devices, we recommend also blocking access from apps that don't use modern authentication. Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. In Access control in the new SharePoint admin center, select Apps that don't use modern authentication, select Block access, and then select Save.
Note
If you limit access and edit a site from an unmanaged device, image web parts won't display images that you upload to the site assets library or directly to the web part. To work around this issue, you can use this SPList API to exempt the block download policy on the site assets library. This allows the web part to download images from the site assets library.
When Access Control for Unmanaged Devices in SharePoint is set to Allow limited, web-only access, SharePoint files cannot be downloaded but they can be previewed. The previews of Office files work in SharePoint but the previews do not work in Microsoft Yammer.
Limit access using PowerShell
Download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs, and uninstall "SharePoint Online Management Shell."
Connect to SharePoint as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.
Run the following command:
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Note
By default, this policy allows users to view and edit files in their web browser. To change this, see Advanced configurations.
To block or limit access to specific sites, follow these steps. If you have configured the organization-wide policy, the site-level setting you specify must be at least as restrictive as the organization-level setting.
Manually create a policy in the Azure AD admin center by following the steps in Use app-enforced restrictions.
Set the site-level setting by using PowerShell, or a sensitivity label:
To use PowerShell, continue to the next step.
To use a sensitivity label, see the following instructions and specify the label setting for Access from unmanaged devices: Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites.
To use PowerShell: Download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."
Connect to SharePoint as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.
Run one of the following commands.
To block access to a single site:
Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy BlockAccess
To limit access to a single site:
Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess
To update multiple sites at once, use the following command as an example:
Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Set-SPOSite -ConditionalAccessPolicy AllowLimitedAccess
This example gets the OneDrive for every user and passes it as an array to Set-SPOSite to limit access.
Note
By default, a setting that includes web access allows users to view and edit files in their web browser. To change this, see Advanced configurations.
Advanced configurations
The following parameters can be used with -ConditionalAccessPolicy AllowLimitedAccess for both the organization-wide setting and the site-level setting:
-AllowEditing $false
Prevents users from editing Office files in the browser.
-ReadOnlyForUnmanagedDevices $true
Makes the entire site read-only for impacted users.
-LimitedAccessFileType OfficeOnlineFilesOnly
Allows users to preview only Office files in the browser. This option increases security but may be a barrier to user productivity.
-LimitedAccessFileType WebPreviewableFiles
(default) Allows users to preview Office files in the browser. This option optimizes for user productivity but offers less security for files that aren't Office files. Warning: This option is known to cause problems with PDF and image file types because they can be required to be downloaded to the end user's machine to render in the browser. Plan the use of this control carefully. Otherwise, your users could be faced with unexpected "Access Denied" errors.
-LimitedAccessFileType OtherFiles
Allows users to download files that can't be previewed, such as .zip and .exe. This option offers less security.
The AllowDownloadingNonWebViewableFiles parameter has been discontinued. Please use LimitedAccessFileType instead.
People outside the organization will be affected when you use conditional access policies to block or limit access from unmanaged devices. If users have shared items with specific people (who must enter a verification code sent to their email address), you can exempt them from this policy by running the following command.
Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false
Note
"Anyone" links (shareable links that don't require sign-in) are not affected by these policies. People who have an "Anyone" link to a file or folder will be able to download the item. For all sites where you enable conditional access policies, you should disable "Anyone" links.
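The following audit is an added example (not Microsoft's code) that checks for the gaps this article warns about: apps without modern authentication, the ad hoc recipient exemption, and "Anyone" links on sites where a block or limit policy applies. It assumes input objects shaped like Get-SPOTenant and Get-SPOSite output, that LegacyAuthProtocolsEnabled is the tenant property behind the "Apps that don't use modern authentication" setting, and that the effective policy is the more restrictive of the tenant and site values; the function name and sample data are hypothetical.

```powershell
function Test-UnmanagedDevicePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object]   $Tenant,  # shaped like Get-SPOTenant output
        [Parameter(Mandatory)] [object[]] $Sites    # shaped like Get-SPOSite output
    )
    # Restrictiveness order of the -ConditionalAccessPolicy values used in this article.
    $rank = @{ AllowFullAccess = 0; AllowLimitedAccess = 1; BlockAccess = 2 }

    $tenantPolicy = [string]$Tenant.ConditionalAccessPolicy
    if (-not $rank.ContainsKey($tenantPolicy)) {
        throw "Unrecognized tenant policy '$tenantPolicy'; review manually."
    }
    $tenantRank     = $rank[$tenantPolicy]
    $anyoneAtTenant = [string]$Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing'

    # Helper that emits one finding row.
    $finding = {
        param($Scope, $Policy, $Issue)
        [pscustomobject]@{ Scope = $Scope; Policy = $Policy; Issue = $Issue }
    }

    # Apps without modern authentication can't enforce device-based restrictions.
    if ($tenantRank -gt 0 -and $Tenant.LegacyAuthProtocolsEnabled) {
        & $finding 'Tenant' $tenantPolicy 'Apps without modern authentication are allowed'
    }
    # Informational: verification-code recipients were exempted from the policy.
    if ($tenantRank -gt 0 -and
        $Tenant.ApplyAppEnforcedRestrictionsToAdHocRecipients -eq $false) {
        & $finding 'Tenant' $tenantPolicy 'Ad hoc (verification code) recipients are exempt'
    }

    foreach ($site in $Sites) {
        $sitePolicy = [string]$site.ConditionalAccessPolicy
        if (-not $rank.ContainsKey($sitePolicy)) {
            & $finding $site.Url $sitePolicy 'Unrecognized site policy value; review manually'
            continue
        }
        # Assumption: the effective policy is the more restrictive of tenant and site.
        $effectiveRank = [Math]::Max($tenantRank, $rank[$sitePolicy])
        $effective     = ($rank.GetEnumerator() |
                          Where-Object { $_.Value -eq $effectiveRank }).Key

        # "Anyone" links are not affected by the policy, so flag sites that still allow them.
        # Assumption: a site can only issue them when the tenant allows them too.
        $anyoneAtSite = [string]$site.SharingCapability -eq 'ExternalUserAndGuestSharing'
        if ($effectiveRank -gt 0 -and $anyoneAtTenant -and $anyoneAtSite) {
            & $finding $site.Url $effective '"Anyone" links enabled; link holders can download'
        }
    }
}

# Constructed sample data (not from a real tenant) so the check runs offline.
$sampleTenant = [pscustomobject]@{
    ConditionalAccessPolicy                       = 'AllowLimitedAccess'
    LegacyAuthProtocolsEnabled                    = $true
    ApplyAppEnforcedRestrictionsToAdHocRecipients = $true
    SharingCapability                             = 'ExternalUserAndGuestSharing'
}
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'
                       ConditionalAccessPolicy = 'BlockAccess'
                       SharingCapability       = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/intranet'
                       ConditionalAccessPolicy = 'AllowFullAccess'
                       SharingCapability       = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/projects'
                       ConditionalAccessPolicy = 'AllowFullAccess'
                       SharingCapability       = 'ExternalUserAndGuestSharing' }
)
Test-UnmanagedDevicePolicy -Tenant $sampleTenant -Sites $sampleSites |
    Format-Table -AutoSize -Wrap

# Against a live tenant (after Connect-SPOService), fetch each site by -Identity
# so the per-site properties are populated:
#   $tenant = Get-SPOTenant
#   $sites  = Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url }
#   Test-UnmanagedDevicePolicy -Tenant $tenant -Sites $sites
```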
App impact
Blocking access and blocking download may impact the user experience in some apps, including some Office apps. We recommend that you turn on the policy for some users and test the experience with the apps used in your organization. In Office, make sure to check the behavior in Power Apps and Power Automate when your policy is on.
Note
Apps that run in "app-only" mode in the service, like antivirus apps and search crawlers, are exempted from the policy.
If you're using classic SharePoint site templates, site images may not render correctly. This is because the policy prevents the original image files from being downloaded to the browser.
For new tenants, apps that use an ACS app-only access token are disabled by default. We recommend using the Azure AD app-only model, which is modern and more secure. You can change this behavior by running Set-SPOTenant -DisableCustomAppAuthentication $false (requires the latest SharePoint admin PowerShell).
See also
Policy recommendations for securing SharePoint sites and files
Control access to SharePoint and OneDrive data based on defined network locations
FAQs
How do I fix SharePoint Access Denied?
- On your site, select Settings > Site Settings > Site permissions.
- In the top ribbon, select Check Permissions.
- In the User/Group field, enter the user's name, and then select Check Now.
- Open the SharePoint Admin Center.
- Expand Policies > Access Policies.
- In the Unmanaged Devices section, select Block Access and select Save.
- Open the Azure Active Directory portal and navigate to Conditional Access Policies. ...
- Update the policy to target only specific users or a group.
- In the SharePoint admin center, select Sites > Active sites or browse to the Active sites page.
- In the left column, select a site.
- Select Permissions.
- Select Manage for the permissions that you want to update.
- Add or remove people or change their role, and then select Save.
An administrator can use the SharePoint Online Admin Center to transfer ownership of a OneDrive or control user access to OneDrive, as follows: Open the “more features” page in the SharePoint Admin Center and sign in with an account that has admin permissions. Under User Profiles, select Open.
How do I resolve no access permissions to OneDrive?
- In File Explorer, right-click the file which has the sync issue and select Properties.
- Select the Security tab.
- Select your name from the Groups or user names list and ensure that "Read" and "Write" are both checked in the Allow column.
The “Access Denied” error appears when your browser uses different proxy settings or VPN instead of what's really set on your Windows 10 PC. Thus, when a website detects that there is something wrong with your browser cookies or your network, it blocks you and this is why you can't open it.
Why am I getting access denied you don't have permission to access?
A “you don't have permission to access on this server” error usually appears when your browser uses different proxy settings than your computer, which can happen when you're using a proxy or a VPN tool. The site might block access due to a corrupted cache in your browser or a server-related issue.
Why can't I access my SharePoint site?
Make sure that the SharePoint Online domain is configured from the Microsoft 365 portal Domain management page. The SharePoint Online site should be accessed by using the address that is specified in Your SharePoint website address is. Click Change Address if the SharePoint website address is not set to your domain.
Who can manage permissions in SharePoint?
Manage invitations to external users
Important: Only site collection administrators, SharePoint administrators in Microsoft 365, and members of the site's default Owners group have permission to use the Access Requests page.
Employees should have permissions to access only those resources that they need to perform their jobs. For example, application developers need to access only the stacks that run their applications. Employees should have permissions to use only those actions that they need to perform their jobs.
Is there a limit for SharePoint users?
A user can belong to 5,000 groups per site (site collection), and each group can have up to 5,000 users.
Does SharePoint admin have access to all sites?
Global Administrators and SharePoint Administrators don't have automatic access to all sites and each user's OneDrive, but they can give themselves access to any site or OneDrive. They can also use Microsoft PowerShell to manage SharePoint and OneDrive.
What are the roles and responsibilities of SharePoint administrator?
SharePoint Administrators are responsible for providing support and management of the SharePoint platform to companies. They are responsible for managing sites and accounts, including site configuration, custom features deployment, bandwidth monitoring, managing space, and maintaining backups.
Who can access Microsoft 365 admin center?
By default, the person who signs up for and buys a Microsoft 365 for business subscription gets admin permissions. That person can assign admin permissions to other people to help them manage Microsoft 365 for their organization.
Can Microsoft admin see my OneDrive files?
Items that you store in your personal OneDrive are private and no one will have the access to its content unless you share the file. Your work or school account admin cannot see files in your personal OneDrive.
Can Office 365 admin access user OneDrive?
1. Go to the Microsoft 365 admin center as Global Admin. 4. It will auto-generate a OneDrive link; click on this link. Then, you can access this user's OneDrive.
Can administrators see my files in my OneDrive for business?
Theoretically, anything stored on OneDrive for Business can be accessed via Microsoft 365 global admin. Such as at the time, when an employee leaves your organization, the manager probably wants to access the data and either review it, back it up, or give it to a new employee.
How do I give someone access to OneDrive to another administrator?
Right-click the user, and then choose Manage site collection owners. Add the user to Site collection administrators and select OK. The user will now be able to access the former employee's OneDrive using the OneDrive URL.
How do I manage permissions on OneDrive?
- Right click on the file that you wish to edit.
- From the drop-down menu. Click on “Manage Access”. This will open the Manage Access pane on the right-hand side of your screen.
- Click the arrow icon next to individual names to change that person's permission settings or stop sharing privileges for them.
How do I fix accessible access is not denied?
Right-click the file or folder, and then click "Properties" > "Security" tab. 2. Under "Group or user names", click your name to see the permissions that you have. To access a file or folder, you have to have the "Read" permission.
How do I fix Access Denied administrator?
Folder Access Denied as Admin
Identify the folder and right-click on it. From the menu, tap “Properties” to open a new screen. Navigate to “Security,” then select the admin account. Check the “Permissions” section to ensure that all permissions have been granted.
How do you fix Access Denied as you do not have sufficient privileges you have to invoke this utility running in elevated mode?
- Run Command Prompt as an administrator. ...
- Repair your PC's registry. ...
- Run the CHKDSK command. ...
- Take ownership of the drive partition. ...
- Change the current user to an administrator account.
- Open your SharePoint site settings → Click “Site Permissions”.
- Click “Check Permissions” → Enter the username of the user whose permissions you want to check -> Click “Check Now”.
- Review the results:
...
Pros
- Easy and intuitive. ...
- Easily open documents, spreadsheets and more in Microsoft online which is so convenient.
What are the 3 permission groups available in SharePoint?
...
Communication sites aren't connected to Microsoft 365 groups and use the standard SharePoint permissions groups:
- Owners.
- Members.
- Visitors.
Currently, there are four primary types of access control models: mandatory access control (MAC), role-based access control (RBAC), discretionary access control (DAC), and rule-based access control (RBAC).
What are four basic permissions?
There are four categories (system, owner, group, and world) and four types of access permissions (Read, Write, Execute and Delete).
What are five ways to optimize user access and control?
- Use the Principle of Least Privilege.
- Limit or Eliminate Super-User Access Privileges.
- Plan Privileges Ahead of Time.
- Use a Password Manager.
- Review Privileged User Access.
OneDrive provides a consistent, intuitive files experience across all your devices, including web, mobile, and the desktop of your Windows PC or Mac. Behind the scenes, SharePoint in Microsoft 365 provides the content services for all files in Microsoft 365, including files you work with in Teams, Yammer, and Outlook.
How many default permission levels are there in SharePoint?
Default permission levels
SharePoint Server includes seven permission levels.
- Avoid Putting All the Files in One Library. The easiest way to avoid hitting the 5,000 item limit threshold is to not put all your files in one library. ...
- Set up Subfolders. ...
- Create Metadata. ...
- Index the Columns. ...
- Create Different Views.
- SolarWinds Server & Application Monitor (FREE TRIAL) ...
- ManageEngine SharePoint Manager Plus (FREE TRIAL) ...
- PRTG Network Monitor (FREE TRIAL) ...
- SPDocKit. ...
- GSX (GSX Monitor & Analyzer) ...
- eG Enterprise. ...
- Metalogix Diagnostic Manager.
SharePoint Administrator Requirements:
Extensive knowledge of Windows operating systems, as well as SQL Server, Power BI, PowerShell, and Office 365. Knowledge of SharePoint tools, including ULS Logs, workflows, and SharePoint forms for tasks. Superb collaboration, interpersonal, and communication skills.
They can both manage permission levels on other users or objects, with a different level. The site collection admin can handle all the sites and subsites in that site collection, while the site owner is only in charge of that specific site.
What responsibilities should an administrator be responsible for?
- Preparing, organising and storing information in paper and digital form.
- Dealing with queries on the phone and by email.
- Greeting visitors at reception.
- Managing diaries, scheduling meetings and booking rooms.
- Arranging travel and accommodation.
Resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can't delete a global admin, create other admin roles, or reset passwords for global, billing, Exchange, SharePoint, Compliance, and Skype for Business admins.
What are the roles and responsibilities of an administrator?
An Administrator provides office support to either an individual or team and is vital for the smooth-running of a business. Their duties may include fielding telephone calls, receiving and directing visitors, word processing, creating spreadsheets and presentations, and filing.
How do I access another user's Office 365 admin?
- In the EAC, navigate to Recipients > Mailboxes.
- In the list of mailboxes, select the mailbox that you want to assign permissions for, and then select Edit .
- Go to: SharePoint Admin Center >> Click on “User profiles” from the left navigation.
- Click on Manage User Profiles >> Find the user >> Click on the user's context menu.
- Manage personal site collection owners >> Change the site collection owner.
- In the SharePoint admin center, under Sites, select Active sites.
- Select the site that you want to configure.
- On the Policies tab, under External sharing select Edit.
- Under Advanced settings for external sharing, select the Limit sharing by domain.
- Add the domains that you want to allow or block, and then select Save.
Open OneDrive settings (select the OneDrive cloud icon in your notification area, and then select the OneDrive Help and Settings icon then Settings.) Go to the Account tab. Under Personal Vault, select the lock wait time.
How do I assign permissions to OneDrive?
- Select Shared.
- Select a folder or file, and then select the Information icon.
- Do one of the following: Select Add People to share with more people. Select Manage access to change permissions. Select the Can Edit or Can View dropdown to change permissions or Stop Sharing.
Windows 10 comes with the OneDrive app preinstalled and ready to go. However, you might consider disabling the app for various reasons, including preventing constant file syncs, cleaning up the Windows file explorer or protecting your data from certain types of cybercrime.
Can anyone else access your OneDrive?
The files on your OneDrive are private until you share them. Keep in mind that when you share folders with Edit permissions, people you share with can add the shared folders to their own OneDrive.
How do you prevent users and guests from accessing Microsoft OneDrive and Microsoft SharePoint content on devices outside of specific domains?
Go to Access control in the SharePoint admin center, and sign in with an account that has admin permissions for your organization. Select Limit OneDrive access. Select Limit OneDrive access to only users in specified security groups. Add the security groups you want to be able to use OneDrive.
How to share SharePoint site with external users without Microsoft account?
Create a link accessible to anyone who receives it
If you want anyone who receives the sharing link to be able to access the content, select Anyone with the link option in Link settings. The recipients won't need a Microsoft account and can access the content without having to enter a passcode or sign in.
In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies > Policies section > Safe Attachments, select Global settings, and verify the value of the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams setting.
Can you turn off OneDrive in Office 365?
Go to PC Settings, using the PC Settings tile in the Start menu, or swipe in from the right edge of the screen, select Settings, and then select Change PC settings. Under PC settings, select OneDrive. On the File Storage tab, turn off the switch at Save documents to OneDrive by default.
What are the different permission levels in OneDrive?
When you share a document through OneDrive, the two common ways to share it are as View or Edit. View lets the recipient just view the contents without making any changes to it. Edit lets them make changes to the content in the same ways that you can as the owner.
What is the easiest way to assign permissions in SharePoint?
On the permissions page for the list, on the Edit tab, click Grant Permissions. Type the name of the group or the individual you want to grant access to in the Users/Groups box. Choose the level of permissions you want the group or individuals to have. Click OK.
What is the difference between direct access and sharing in OneDrive?
Direct Access belongs to people who have original permission to access the file, while Links Giving Access belongs to people who need a sharing link to access the file.
Can permission setting be performed directly within OneDrive?
Set the OneDrive for Business library to inherit the permission settings from the personal site. You can also set it to have the unique permissions. 3. Click Settings>Site settings>Site permissions>Permission Levels>Read>Copy Permission Level.