How to Block Unmanaged Devices from Accessing SharePoint and OneDrive

In today’s digital-first business environment, protecting sensitive data is not optional. SharePoint and OneDrive for Business, essential components of Microsoft 365, are widely used for storing and collaborating on confidential documents. When they are reached from unmanaged or non-compliant devices, copies of that data end up synced, downloaded or cached on endpoints your organization cannot patch, encrypt, inspect or wipe.

To defend against data breaches, organizations must enforce robust access controls. This guide walks you through how to secure your Microsoft 365 environment using Microsoft Entra ID Conditional Access and SharePoint Admin Center.

💻 What Are Unmanaged Devices in Microsoft Entra ID?

In Conditional Access terms, a device counts as managed when it satisfies at least one of two checks: it is marked compliant by Microsoft Intune, or it is hybrid Microsoft Entra joined (formerly hybrid Azure AD joined). An unmanaged device is one that meets neither:

  • Not marked compliant by your Microsoft Intune policies, and
  • Not hybrid Microsoft Entra joined

These devices may lack encryption, run outdated software, or be vulnerable to malware—making them high-risk entry points for:

  • Credential theft
  • Data leaks
  • Malware infections

🚫 How to Block Unmanaged Devices from Accessing SharePoint and OneDrive

Microsoft Entra Conditional Access (CA) policies, formerly Azure AD Conditional Access, let administrators require a managed device for specific apps. Conditional Access needs a Microsoft Entra ID P1 or P2 license. Follow these steps to implement a CA policy that blocks unmanaged devices:

🛡 Step 1: Create a Conditional Access Policy

  • Sign in to the Microsoft Entra admin center and go to Protection > Conditional Access > Policies.
  • Click ‘New policy’ to create a new access control policy.
  • Assign a policy name that reflects its purpose, for example ‘Require managed device for SharePoint and OneDrive’.
  • Under ‘Users or workload identities’, include the users or groups the policy applies to, and exclude your break-glass accounts.
  • Under ‘Target resources’ (‘Cloud apps or actions’ in older portals), select ‘Include’, then search for and choose ‘Office 365 SharePoint Online’. OneDrive for Business is served by SharePoint Online, so this one app covers both.

Step 2: Set Up Conditional Access Conditions

  • Click ‘Conditions’ and choose ‘Client apps’.
  • Set the Configure toggle to Yes and keep ‘Browser’ and ‘Mobile apps and desktop clients’ selected. ‘Exchange ActiveSync clients’ and ‘Other clients’ (legacy authentication) can be cleared here; legacy authentication should be blocked tenant-wide by its own policy anyway.
  • Do not clear ‘Browser’. If you do, the policy only covers the sync client and the Office apps, and an unmanaged device can still open SharePoint and OneDrive in a web browser. That variant is only appropriate when paired with the ‘limited, web-only access’ setting in the SharePoint Admin Center described later in this guide.
  • Click ‘Done’ to save changes.

Step 3: Grant Access Controls

  • Under ‘Grant’ access control, select ‘Grant access’ and check the following options:
    • Require device to be marked as compliant
    • Require Microsoft Entra hybrid joined device (labelled ‘Hybrid Azure AD joined’ in older portals)
  • Choose ‘Require one of the selected controls’. A device then passes if it is compliant OR hybrid joined, which is what ‘managed’ means for this policy; ‘Require all’ would lock out cloud-only Entra joined devices that are compliant but not hybrid joined.
  • Click ‘Select’, set ‘Enable policy’ to ‘Report-only’, and click ‘Create’. Review the sign-in logs for a few days, then switch the policy to ‘On’.

Once the policy is switched to ‘On’, sign-ins to SharePoint and OneDrive from devices that are neither compliant nor hybrid joined are blocked. Sessions that already hold valid access tokens keep working until those tokens expire or are revoked (see the considerations below).
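The same policy as Steps 1 to 3, built with Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account may manage Conditional Access, and that $breakGlassGroupId is replaced with the ID of your own emergency-access group (the zero GUID below is a placeholder). It creates the policy in report-only mode on purpose; switch it to enabled only after the sign-in logs look right.

```powershell
# Added example, not the article's own code.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns ; Entra ID P1.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object ID of your break-glass group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Well-known appId of the Office 365 SharePoint Online service principal.
# OneDrive for Business is served by SharePoint Online, so it is covered too.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require managed device for SharePoint and OneDrive"
    # Report-only first; change to "enabled" once you have reviewed the logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($sharePointAppId)
        }
        # Browser must stay in scope, otherwise unmanaged devices keep web access.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # "OR" is the portal's "Require one of the selected controls".
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read it back and confirm both device controls and both client app types are set.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Grant controls : " + ($check.GrantControls.BuiltInControls -join ", ")
"Client apps    : " + ($check.Conditions.ClientAppTypes -join ", ")
```

To move the policy out of report-only later, call Update-MgIdentityConditionalAccessPolicy with -State "enabled" on the same policy ID; keeping the exclusion group in place is what protects you from locking yourself out.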


🔄 Alternative Approach: SharePoint Admin Center Unmanaged Devices Setting

If you would rather not build the policy by hand, the SharePoint Admin Center exposes the same control as a single setting. Be aware that it works by creating Conditional Access policies in Entra ID on your behalf (they show up in the Entra admin center with a ‘[SharePoint admin center]’ prefix), so it carries the same Entra ID P1 or P2 requirement. The domain-based sync restriction later in this guide is the option that needs no premium license.

  1. Navigate to SharePoint Admin Center > Policies > Access control > Unmanaged devices
  2. Choose:
    • Block access, or
    • Allow limited, web-only access (users can open files in the browser, but download, print and sync are blocked)
  3. Save the configuration

🧰 Block Device Registration via Entra ID Settings

To stop users from registering personal devices with your tenant (Microsoft Entra registered, also called workplace join):

  1. Navigate to Microsoft Entra admin center > Identity > Devices > Overview > Device settings.
  2. Set Users may register their devices with Microsoft Entra ID to None. The neighbouring Users may join devices to Microsoft Entra ID setting can be limited to selected users or groups instead.

Two caveats: this only governs registration and does not by itself block access from a device that is already unmanaged, and the option cannot be set to None while Intune (or MDM for Microsoft 365) enrollment is configured, because MDM enrollment depends on device registration.

⚠️ Important Considerations Before Enforcement

  • Always exclude break-glass accounts (emergency admin accounts) from CA policies so a misconfigured policy cannot lock every administrator out.
  • Microsoft Teams, Delve and other services store their files in SharePoint/OneDrive; blocking access from unmanaged devices also blocks file sharing in those services from the same devices.
  • Conditional Access is evaluated when a token is issued, so existing sessions keep working until their access tokens expire (or Continuous Access Evaluation revokes them). To apply the policy immediately, force a sign-out from the Microsoft 365 Admin Center (‘Sign out of all sessions’) or with Revoke-MgUserSignInSession.
  • Hybrid join vs Entra join: the ‘Require Microsoft Entra hybrid joined device’ control is satisfied only by hybrid-joined devices. Cloud-only Entra joined devices must instead be Intune-compliant, so enrol them before enforcement, and confirm a device’s join state with dsregcmd /status.
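A rollout check that follows from the points above, added here as an example rather than taken from the original article: it revokes the refresh tokens of a pilot group so those users hit the new policy on their next sign-in, then pulls the SharePoint Online sign-ins the policy rejected in the last 24 hours together with the device trust details, which tells you who was blocked and why. It assumes the Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Reports modules; $pilotGroupId is a placeholder and $policyName must match the name you gave the policy.

```powershell
# Added example, not the article's own code.
Connect-MgGraph -Scopes "GroupMember.Read.All", "User.RevokeSessions.All", "AuditLog.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$policyName   = "Require managed device for SharePoint and OneDrive"

# 1. Invalidate refresh tokens for the pilot users. Access tokens already
#    issued stay valid until they expire; this shortens, not removes, the window.
$members = Get-MgGroupMember -GroupId $pilotGroupId -All
foreach ($m in $members) {
    Revoke-MgUserSignInSession -UserId $m.Id | Out-Null
    "Revoked sessions for $($m.Id)"
}

# 2. Sign-ins from the last 24 hours that Conditional Access rejected.
#    While the policy is still report-only, drop the conditionalAccessStatus
#    clause and look for Result -eq "reportOnlyFailure" instead.
$since   = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter  = "createdDateTime ge $since and conditionalAccessStatus eq 'failure'"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$signIns |
    Where-Object { $_.AppDisplayName -eq "Office 365 SharePoint Online" } |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName -and $_.Result -eq "failure" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed,
        @{ n = "Compliant"; e = { $_.DeviceDetail.IsCompliant } },
        @{ n = "Managed";   e = { $_.DeviceDetail.IsManaged } },
        @{ n = "TrustType"; e = { $_.DeviceDetail.TrustType } } |
    Format-Table -AutoSize
```

A row with Compliant and Managed both false and an empty TrustType is a genuinely unmanaged device; a row with TrustType ‘Azure AD joined’ and Compliant false is a cloud-joined device that still needs Intune enrollment, which is the hybrid-vs-Entra-join case from the last bullet.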

🔄 Enable Domain-Based Sync Restrictions (No P1/P2 License)

If you don’t have access to Conditional Access, you can at least stop the OneDrive sync client from running on machines outside your on-premises Active Directory domains:

  1. On a domain-joined machine with the ActiveDirectory RSAT module, run (Get-ADDomain).ObjectGUID in PowerShell to get the domain’s GUID. This is the on-premises domain object GUID, not your Entra tenant ID.
  2. Go to SharePoint Admin Center > Settings > Sync.
  3. Enable “Allow syncing only on computers joined to specific domains.”
  4. Enter the domain GUID(s) and Save. The same page also lets you block sync on macOS, which can never be domain-joined.

🚫 Note: This applies only to computers joined to a traditional Active Directory domain (not Entra joined devices), and only to the sync client. Browser and Office app access to SharePoint and OneDrive is not affected.
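The same restriction applied with SharePoint Online Management Shell, as an added example that is not part of the original article. It goes slightly beyond the steps above by collecting the GUID of every domain in the forest rather than just the current one, which is what you need in a multi-domain forest. It assumes the ActiveDirectory RSAT module on a domain-joined machine, the Microsoft.Online.SharePoint.PowerShell module, and “contoso” as a placeholder tenant name.

```powershell
# Added example, not the article's own code.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

# Object GUID of every domain in the forest (on-prem AD, not the Entra tenant ID).
$domainGuids = (Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomain -Identity $_).ObjectGUID.Guid
}
"Domain GUIDs: " + ($domainGuids -join ", ")

# Placeholder tenant; the admin URL is always <tenant>-admin.sharepoint.com.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# -DomainGuids takes a semicolon-separated list. -BlockMacSync stops the macOS
# client as well, since a Mac cannot satisfy the domain-join check anyway.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids ($domainGuids -join ";") `
    -BlockMacSync:$true

# Verify: TenantRestrictionEnabled should be True and AllowedDomainList
# should list every GUID collected above.
Get-SPOTenantSyncClientRestriction |
    Select-Object TenantRestrictionEnabled, AllowedDomainList, BlockMacSync
```

Keep the output of Get-SPOTenantSyncClientRestriction with your change record; it is the quickest way to prove the restriction is still in place during an audit.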


✅ Key Takeaways

Securing access to SharePoint and OneDrive is essential for protecting sensitive business data in today’s hybrid work landscape. By using Microsoft Entra Conditional Access, the SharePoint Admin Center, and sync restrictions, you can:

  • Enforce compliant or hybrid-joined device access
  • Prevent unauthorized data exposure on endpoints you cannot control
  • Support regulatory compliance requirements
  • Mitigate cyber risk across your digital estate

📊 Don’t forget to regularly audit the sign-in logs, review policy effectiveness, and educate users on secure device practices.


❓ FAQs

1. Why block unmanaged devices from SharePoint and OneDrive?

To reduce the risk of unauthorized data access and leakage from devices not controlled or secured by your organization.

2. Do I need a premium license to use Conditional Access?

Yes. Conditional Access requires Microsoft Entra ID P1 or P2, and the SharePoint Admin Center’s Unmanaged devices setting creates Conditional Access policies for you, so it has the same requirement. Without a premium license, the domain-based OneDrive sync restriction is the control you can still use, but it only governs the sync client.

3. What happens to existing sessions after policy enforcement?

They keep working until their access tokens expire, unless you revoke them (‘Sign out of all sessions’ in the Microsoft 365 Admin Center, or Revoke-MgUserSignInSession).

4. Can I allow specific domains for sync if I don’t have P1/P2?

Yes. Use the domain GUID method in the SharePoint Admin Center to allow sync only from computers joined to the listed on-premises AD domains. It does not restrict browser access.

5. Will this affect Microsoft Teams or other services?

Yes. Teams relies on SharePoint/OneDrive for file sharing. Blocking access here can restrict some Teams functionalities from the same unmanaged devices.

