Conditional Access for SharePoint Online is the tenant setting (ConditionalAccessPolicy) that controls what unmanaged devices may do in SharePoint and OneDrive: full access, web-only access, or no access. An unmanaged device is one that is neither Microsoft Entra hybrid joined nor marked compliant in Intune. The location, device, MFA and sign-in-risk conditions themselves live in Microsoft Entra ID Conditional Access; SharePoint only enforces the restriction that an Entra policy hands to it. With PnP PowerShell we can set and audit the SharePoint side of that pairing.
This guide walks through configuring the SharePoint Online settings with PnP PowerShell, step by step, and points out where the matching Entra ID policy is required.
Step 1: Install & Update PnP PowerShell
PnP PowerShell 2.x runs on PowerShell 7.2 or later (not Windows PowerShell 5.1). Install it from the PowerShell Gallery:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
If you already have it installed, update it:
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
To manage these settings, connect to the SharePoint admin site as a Global Administrator or SharePoint Administrator. Since PnP PowerShell 2.12 the -ClientId of your own Entra ID app registration is required for interactive sign-in (create one with Register-PnPEntraIDAppForInteractiveLogin):
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId "your-client-id" -Interactive
For unattended (app-only) runs, authenticate with a certificate rather than a client secret: secret-based sign-in uses the legacy ACS app model and leaves the secret in plain text in the script. The app registration needs the SharePoint application permission Sites.FullControl.All for the tenant cmdlets used below.
$tenant = "yourtenant.onmicrosoft.com"
$clientId = "your-client-id"
$thumbprint = "thumbprint-of-the-certificate-in-the-local-certificate-store"
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Tenant $tenant -Thumbprint $thumbprint
Step 3: Check Current Conditional Access Policies
To view the current tenant-level settings:
Get-PnPTenant | Select-Object ConditionalAccessPolicy, AllowDownloadingNonWebViewableFiles, AllowEditing
This shows:
✔ ConditionalAccessPolicy → the tenant-wide unmanaged-device policy (AllowFullAccess is the default)
✔ AllowDownloadingNonWebViewableFiles → whether files that cannot be rendered in the browser may still be downloaded from unmanaged devices under AllowLimitedAccess
✔ AllowEditing → whether Office files may be edited in the browser from unmanaged devices under AllowLimitedAccess
Step 4: Configure Conditional Access Policies
Set-PnPTenant accepts three values for the unmanaged-device policy. A fourth value, AuthenticationContext, exists only at site level (Step 8):
Policy Level | Description |
---|---|
AllowFullAccess | Default. No restriction for unmanaged devices |
AllowLimitedAccess | Web-only access from unmanaged devices: files open in the browser but cannot be downloaded, printed, synced or opened in Office desktop apps |
BlockAccess | Unmanaged devices cannot access SharePoint Online or OneDrive at all |
AuthenticationContext (site level only) | The site requires an Entra ID authentication context, so access is decided by the Entra Conditional Access policy bound to that context |
Option 1: Allow Limited Access
To allow web-only access from unmanaged devices:
Set-PnPTenant -ConditionalAccessPolicy AllowLimitedAccess
This setting:
✔ Lets users on unmanaged devices open files in the browser only
✔ Blocks download, print, sync and Office desktop apps on those devices
✔ Leaves managed (hybrid joined or compliant) devices unaffected
Option 2: Block Access from Unmanaged Devices
To deny unmanaged devices completely:
Set-PnPTenant -ConditionalAccessPolicy BlockAccess
This setting:
✔ Denies SharePoint Online and OneDrive access unless the device is Entra hybrid joined or marked compliant
✔ Suits tenants where every permitted endpoint is enrolled; verify the device population first, because unenrolled users are locked out, not downgraded to web-only
Option 3: Require an Entra ID Authentication Context
AuthenticationContext is not a valid value for Set-PnPTenant. It is a site-level policy that binds a site to an authentication context defined in Entra ID Conditional Access, and it is applied per site with Set-PnPTenantSite (Step 8). That is the route for fine-grained controls such as MFA, compliant device or sign-in risk on specific sites.
Important: when the policy is set with PowerShell rather than the SharePoint admin center, the Entra ID Conditional Access policy that passes the device signal to SharePoint is not created for you. Create a Conditional Access policy that targets Office 365 SharePoint Online with the session control "Use app enforced restrictions"; without it, AllowLimitedAccess and BlockAccess are stored but not enforced.
Step 5: Restrict Downloading of Non-Web-Viewable Files on Unmanaged Devices
Under AllowLimitedAccess, files the browser cannot render (for example .zip archives or executables) can still be downloaded by default, otherwise the user could not open them at all. To block that as well:
Set-PnPTenant -AllowDownloadingNonWebViewableFiles $false
This setting:
✔ Only takes effect when ConditionalAccessPolicy is AllowLimitedAccess
✔ Blocks the download of non-web-viewable files from unmanaged devices; web-viewable files remain view-only in the browser
✔ Leaves managed devices unaffected
Step 6: Restrict Editing in the Browser on Unmanaged Devices
AllowLimitedAccess still lets users edit Office files in the browser. To make unmanaged devices strictly view-only:
Set-PnPTenant -AllowEditing $false
This setting:
✔ Only takes effect when ConditionalAccessPolicy is AllowLimitedAccess
✔ Prevents editing Office files in the browser, and copying and pasting their content out of the browser window, on unmanaged devices
✔ Users can still view the files
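The three tenant-level changes from Steps 4 to 6 belong together, so the following added example (not from the original guide) applies them as one baseline: it reads the current values, changes only the properties that differ, supports -WhatIf for a dry run, and returns a before/after object for the change record. It assumes an existing Connect-PnPOnline session to the admin site; the function name Set-SpoUnmanagedDeviceBaseline is my own.

```powershell
# Added example: apply the Step 4-6 unmanaged-device baseline idempotently.
# Assumes Connect-PnPOnline has already been run against https://yourtenant-admin.sharepoint.com.
function Set-SpoUnmanagedDeviceBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # AuthenticationContext is deliberately absent: it is not valid at tenant level
        [ValidateSet("AllowFullAccess", "AllowLimitedAccess", "BlockAccess")]
        [string] $Policy = "AllowLimitedAccess",
        [bool] $AllowDownloadNonWebViewable = $false,
        [bool] $AllowEditing = $false
    )

    $fields = "ConditionalAccessPolicy", "AllowDownloadingNonWebViewableFiles", "AllowEditing"
    $before = Get-PnPTenant | Select-Object $fields

    # The two file flags only do anything under AllowLimitedAccess; say so instead of
    # letting someone believe BlockAccess or AllowFullAccess honours them.
    if ($Policy -ne "AllowLimitedAccess") {
        Write-Warning "AllowDownloadingNonWebViewableFiles and AllowEditing only apply when ConditionalAccessPolicy is AllowLimitedAccess"
    }

    # Build a splat containing only the properties that actually differ
    $changes = @{}
    if ([string]$before.ConditionalAccessPolicy -ne $Policy) {
        $changes.ConditionalAccessPolicy = $Policy
    }
    if ($before.AllowDownloadingNonWebViewableFiles -ne $AllowDownloadNonWebViewable) {
        $changes.AllowDownloadingNonWebViewableFiles = $AllowDownloadNonWebViewable
    }
    if ($before.AllowEditing -ne $AllowEditing) {
        $changes.AllowEditing = $AllowEditing
    }

    if ($changes.Count -eq 0) {
        Write-Verbose "Tenant already matches the baseline; nothing to change"
    }
    elseif ($PSCmdlet.ShouldProcess("SharePoint tenant", "Set $($changes.Keys -join ', ')")) {
        Set-PnPTenant @changes     # one call carrying only the differing properties
    }

    $after = Get-PnPTenant | Select-Object $fields
    [pscustomobject]@{
        Before  = $before
        After   = $after
        Changed = @($changes.Keys)
    }
}

# Dry run first, then apply and keep the returned object with the change ticket
Set-SpoUnmanagedDeviceBaseline -WhatIf
$result = Set-SpoUnmanagedDeviceBaseline -Verbose
$result.After
```

Because the function only writes properties that differ, a scheduled run against a tenant that already matches produces no Set-PnPTenant call and no spurious audit entry. The SharePoint values still do nothing until the Entra ID Conditional Access policy with "Use app enforced restrictions" exists.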
Step 7: Enforce MFA for SharePoint Online Access
Multi-factor authentication is not a SharePoint tenant property and Set-PnPTenant has no parameter for it (there is no -RequireMFAForAdmin). MFA is enforced in Entra ID Conditional Access: create a policy whose cloud app is Office 365 SharePoint Online (or the Office 365 suite), whose users are all users with the emergency-access accounts excluded, and whose grant control is "Require multifactor authentication". PnP PowerShell only sees the outcome, because a sign-in that fails the policy never reaches SharePoint.
Such a policy:
✔ Applies the MFA requirement at sign-in, before any SharePoint setting is evaluated
✔ Should be deployed in report-only mode first and checked in the Entra sign-in logs before it is switched to enabled
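Steps 4 to 6 and Step 7 both depend on an Entra ID Conditional Access policy that PnP PowerShell cannot create. The following added example (not from the original guide, and not PnP PowerShell) creates both policies with the Microsoft Graph PowerShell SDK in report-only state: the "Use app enforced restrictions" session control that makes the SharePoint unmanaged-device policy take effect, and a "Require multifactor authentication" grant. It assumes the Microsoft.Graph.Identity.SignIns module is installed, an account with the Conditional Access Administrator role, and that $breakGlassObjectId is replaced with the object id of your emergency-access account; the helper New-SpoCaPolicy is my own.

```powershell
# Added example: create the two Entra ID Conditional Access policies SharePoint relies on,
# using Microsoft Graph PowerShell. Both start in report-only mode.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known application id of the Office 365 SharePoint Online service principal
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"
# Placeholder: object id of the emergency-access account that every CA policy must exclude
$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"

function New-SpoCaPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # grantControls and/or sessionControls for the policy
        [Parameter(Mandatory)] [hashtable] $Controls
    )
    # Treat the display name as the identity of the policy (a convention assumed here)
    # so re-running the script does not create duplicates
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'"
    if ($existing) {
        Write-Warning "Policy '$DisplayName' already exists; leaving it unchanged"
        return $existing
    }

    $body = @{
        displayName = $DisplayName
        # Report-only: evaluated and logged in sign-in logs, not enforced.
        # Change to "enabled" after reviewing the impact.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @($spoAppId) }
            users          = @{
                includeUsers = @("All")
                excludeUsers = @($breakGlassObjectId)
            }
        }
    } + $Controls

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1) Session control that lets SharePoint enforce AllowLimitedAccess / BlockAccess
#    for unmanaged devices (Steps 4-6)
New-SpoCaPolicy -DisplayName "SPO - app enforced restrictions (unmanaged devices)" -Controls @{
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

# 2) Require MFA for every sign-in to SharePoint Online (Step 7)
New-SpoCaPolicy -DisplayName "SPO - require MFA" -Controls @{
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
```

The break-glass exclusion is not optional: a policy that requires MFA for all users with no exclusion can lock every administrator out if the MFA method or the Entra tenant has an outage. Leave both policies in report-only mode until the sign-in logs show the expected population being evaluated, then flip state to "enabled".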
Step 8: Apply Conditional Access to Specific Sites
The unmanaged-device policy can also be set per site collection with Set-PnPTenantSite, using the same AllowLimitedAccess and BlockAccess values. A site-level value can only be stricter than the tenant-level value, not looser:
Set-PnPTenantSite -Identity "https://yourtenant.sharepoint.com/sites/SecureSite" -ConditionalAccessPolicy AllowLimitedAccess
This makes the site web-only from unmanaged devices (viewing in the browser, no download) even while the rest of the tenant still allows full access. The same cmdlet is where the AuthenticationContext value from Step 4 is used: pass -ConditionalAccessPolicy AuthenticationContext together with -AuthenticationContextName set to the exact name of an authentication context that already exists in Entra ID Conditional Access, and the Entra policy bound to that context (for example requiring MFA or a compliant device) then gates every access to the site.
Step 9: Verify Conditional Access Settings
To confirm the new settings:
Get-PnPTenant | Select-Object ConditionalAccessPolicy, AllowDownloadingNonWebViewableFiles, AllowEditing
Check that the values match the intended baseline, and confirm in the Entra admin center that the Conditional Access policy with "Use app enforced restrictions" is enabled; without it the SharePoint values are recorded but not enforced.
Step 10: Monitor Conditional Access Usage
To keep an auditable record of the configuration, export it:
$reportPath = "C:\Reports\ConditionalAccessReport.csv"
$policies = Get-PnPTenant | Select-Object ConditionalAccessPolicy, AllowDownloadingNonWebViewableFiles, AllowEditing
$policies | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Conditional Access Policy Report saved at: $reportPath"
This report captures the configuration, not enforcement. Whether users were actually restricted is visible in the Microsoft Entra sign-in logs (the Conditional Access tab of each sign-in), which is where an audit or a detection rule should look.
Step 11: Automate Conditional Access Policy Enforcement
To catch configuration drift, run this check on a schedule, using the certificate-based app-only connection from Step 2 since a scheduled task cannot sign in interactively:
if ((Get-PnPTenant).ConditionalAccessPolicy -ne "AllowLimitedAccess") {
Set-PnPTenant -ConditionalAccessPolicy AllowLimitedAccess
Write-Host "Updated Conditional Access Policy to AllowLimitedAccess"
}
This script re-applies the policy whenever it has been changed. Log and alert on every correction rather than overwriting silently: a change to this setting is either an approved exception or an administrator account worth investigating, and both should be visible. It also guards only the SharePoint side; disabling or deleting the Entra ID Conditional Access policy removes enforcement just as effectively and has to be monitored separately.
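The report and drift check above cover only the tenant-level values. The following added example (not from the original guide) extends them to the site-level settings from Step 8: it records every site collection's own ConditionalAccessPolicy and authentication context, flags sites that deviate from a baseline you define, writes a CSV, and re-applies the expected site setting only when -Remediate is given. It assumes an existing Connect-PnPOnline session to the admin site; the site URLs, the context name "Sensitive sites", the report path and the function name Get-SpoSiteCaDrift are placeholders of mine, and the property names follow the site object returned by Get-PnPTenantSite -Detailed.

```powershell
# Added example: site-level Conditional Access inventory, drift report and optional remediation.
# Assumes Connect-PnPOnline has already been run against https://yourtenant-admin.sharepoint.com.

# Baseline (placeholder values): which sites need which site-level policy.
# Sites not listed are expected to carry no override, i.e. AllowFullAccess at site
# level so that the tenant-wide policy applies.
$baseline = @{
    "https://yourtenant.sharepoint.com/sites/SecureSite" = @{ Policy = "AuthenticationContext"; Context = "Sensitive sites" }
    "https://yourtenant.sharepoint.com/sites/Finance"    = @{ Policy = "AllowLimitedAccess";     Context = $null }
}

function Get-SpoSiteCaDrift {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [hashtable] $Default = @{ Policy = "AllowFullAccess"; Context = $null },
        [string] $ReportPath = "C:\Reports\SiteConditionalAccess.csv",
        [switch] $Remediate
    )

    # -Detailed populates the full property set; the plain listing omits these fields
    $rows = foreach ($site in Get-PnPTenantSite -Detailed) {
        $want    = if ($Baseline.ContainsKey($site.Url)) { $Baseline[$site.Url] } else { $Default }
        $policy  = [string]$site.ConditionalAccessPolicy
        $context = [string]$site.AuthenticationContextName
        $drift   = ($policy -ne $want.Policy) -or
                   ($want.Policy -eq "AuthenticationContext" -and $context -ne $want.Context)

        $applied = $false
        if ($drift -and $Remediate -and
            $PSCmdlet.ShouldProcess($site.Url, "Set ConditionalAccessPolicy=$($want.Policy)")) {
            $params = @{ Identity = $site.Url; ConditionalAccessPolicy = $want.Policy }
            # The context name is only meaningful (and only accepted) with AuthenticationContext
            if ($want.Policy -eq "AuthenticationContext") {
                $params.AuthenticationContextName = $want.Context
            }
            Set-PnPTenantSite @params
            $applied = $true
        }

        [pscustomobject]@{
            Url             = $site.Url
            SitePolicy      = $policy
            AuthContext     = $context
            ExpectedPolicy  = $want.Policy
            ExpectedContext = $want.Context
            Drift           = $drift
            Remediated      = $applied
        }
    }

    $rows | Export-Csv -Path $ReportPath -NoTypeInformation
    $rows | Where-Object Drift        # hand only the deviations back to the caller
}

# Report first. Once the deviations have been reviewed, add -Remediate
# (with -WhatIf for a dry run) to restore the expected site-level settings.
$drift = @(Get-SpoSiteCaDrift -Baseline $baseline)
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) site(s) deviate from the site-level Conditional Access baseline"
    $drift | Format-Table Url, SitePolicy, AuthContext, ExpectedPolicy, ExpectedContext
}
```

Remediation is opt-in on purpose: a site that unexpectedly dropped its authentication context is a finding to investigate (who changed it, and what was accessed from unmanaged devices in the meantime), and the Entra sign-in logs for that window are the place to look before the setting is put back.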