Limit access for all external users: how can we do this?

john john Pter 545 Reputation points
2025-02-19T21:55:45.96+00:00

Inside SharePoint Admin center >> Access Control, we can define limited access for unmanaged devices:

 

But for a tenant I am working on, we want to do it in another way: instead of relying on whether the device is managed or unmanaged, we want to control this based on whether the user is internal or external. So can we do this? Inside this documentation, IT Admins - SharePoint and OneDrive unmanaged device access controls - SharePoint in Microsoft 365 | Microsoft Learn, they mention that we can restrict this based on user group:

 

So this means that if we automatically add any external users to a group, then we can define this group to only have limited access. Will this work? So internal users, even if they access from unmanaged devices, will have full access since they are not inside the group? I am not an administrator but rather a SharePoint developer. So can anyone help me achieve this inside AD if it is not possible inside SharePoint? First, how can we automatically add any external users to a group, and then how can we define this group to have limited access?

 

Thanks


1 answer

  1. Emily Du-MSFT 50,411 Reputation points Microsoft Vendor
    2025-02-20T10:14:27.0833333+00:00

    You could set a conditional access policy to limit access for external users.

    This requires one of the following licenses:

    Microsoft Syntex - SharePoint Advanced Management

    Microsoft 365 E5/A5/G5

    Microsoft 365 E5/A5/G5/F5 Compliance

    Microsoft 365 E5/F5 Information Protection and Governance

    Office 365 E5/A5/G5

    Steps:

    1. Go to Microsoft Entra admin center -> Protection -> Conditional Access -> New policy.

    2. Users and Groups -> Under Assignments, select the Users section -> Choose Include -> Select users and groups, then select Guest or external users.

    3. Cloud Apps -> Under Assignments, select the Target resources section -> Choose Include -> All cloud apps.

    4. Conditions -> Under Assignments, select Conditions -> Client apps -> Set Configure to Yes -> Select only Browser.

    5. Configure Access Controls -> Under Assignments, select Access controls, then select Grant -> Choose Grant access.

    6. Enable the Policy -> Set the policy to On -> Click Create to activate the policy.

    Reference:

    https://learn.microsoft.com/en-us/entra/architecture/7-secure-access-conditional-access


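To confirm that a policy created with the steps in the answer above is configured as described, the following added example (not part of the original answer or of Microsoft's documentation) checks a conditional access policy object, in the shape Microsoft Graph returns it, against steps 2 to 6. The function names, the sample policies and the `mfa` grant control are assumptions made for illustration.

```python
import copy

def audit_guest_browser_policy(policy):
    """Map each of steps 2-6 from the answer to True/False for one policy object."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    guests = users.get("includeGuestsOrExternalUsers") or {}
    # Step 2: guests are selected either through the typed selector or through
    # the older "GuestsOrExternalUsers" keyword in includeUsers.
    targets_guests = bool(guests.get("guestOrExternalUserTypes")) or (
        "GuestsOrExternalUsers" in (users.get("includeUsers") or []))
    return {
        "step2_guest_or_external_users": targets_guests,
        "step3_all_cloud_apps": (apps.get("includeApplications") or []) == ["All"],
        # Step 4: exactly the browser client type, nothing else.
        "step4_browser_only": (cond.get("clientAppTypes") or []) == ["browser"],
        # Step 5: a grant block exists and it is not a block-access control.
        "step5_grant_access": bool(grant)
            and "block" not in (grant.get("builtInControls") or []),
        # Step 6: "enabled" is On; report-only or disabled does not count.
        "step6_policy_on": policy.get("state") == "enabled",
    }

def failed_steps(policy):
    """Sorted names of the steps the policy does not satisfy."""
    return sorted(k for k, ok in audit_guest_browser_policy(policy).items() if not ok)

# Constructed sample, shaped like a policy returned by Microsoft Graph.
SAMPLE_POLICY = {
    "displayName": "Guests - browser access (constructed sample)",
    "state": "enabled",
    "conditions": {
        "users": {"includeGuestsOrExternalUsers": {
            "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember"}},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser"],
    },
    # Assumption: the answer does not name the grant control; "mfa" is a stand-in.
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed drift: left in report-only and widened to desktop/mobile clients.
DRIFTED_POLICY = copy.deepcopy(SAMPLE_POLICY)
DRIFTED_POLICY["state"] = "enabledForReportingButNotEnforced"
DRIFTED_POLICY["conditions"]["clientAppTypes"].append("mobileAppsAndDesktopClients")

if __name__ == "__main__":
    print(failed_steps(SAMPLE_POLICY), failed_steps(DRIFTED_POLICY))
```

Running the check over every exported policy after a change makes it visible when a guest-scoped policy has been switched to report-only or widened beyond browser sessions.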

