Conditional Access for sensitive information

Every organization has some extra sensitive information that requires more caution from its users. Common ways to emphasize that sensitivity are, for example, requiring extra authentication or approval of terms of use before users get access to the information. It’s all about raising awareness to reduce the risk of accidental information leaks!

Microsoft has now started a preview of a solution that can assist with this.

In Conditional Access we can now configure conditions for accessing certain SharePoint Sites/Teams based on the sensitivity label of these sites.

In the example below, the user can access Public, Business and Confidential sites, but to get access to information stored in sites classified as Secret, we require MFA.

CA to sensitive information

It works the same in Microsoft Teams, where multifactor authentication is triggered when you access the team site's files:

CA to sensitive information Teams

If we need to raise awareness with more clarity, Terms of Use is a good complement.

CA TOU to sensitive information

The trick is a new feature in Conditional Access called Authentication Context, where we can define conditions and then add this context to the site and group settings of a sensitivity label.

Let's have a look at the configuration.

We first create a new authentication context from the new part in Conditional Access. In my example I call this “TOU Secret Inf”.


We can then create a Conditional Access Policy for this authentication context:


Then define the conditions we want, in my case MFA and Terms of Use:


We then configure the sensitivity label with this new authentication context, which is now available (in preview).


If for some reason you haven’t started classifying your Sites (I’d mainly recommend starting with that), you can use the PowerShell management for SharePoint and its Set-SPOSite command to define which Conditional Access policy should be used for the specific site.

This is done in the format:

Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "same name as provided in AAD"
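As an added example (not part of the original post), the script below applies the same Set-SPOSite command to several sites and reads each site back to confirm that the policy took effect. The admin URL and site URLs are placeholders, and the check assumes the ConditionalAccessPolicy property returned by Get-SPOSite.

```powershell
# Added example: bulk-apply an authentication context to unlabeled sites
# and verify the result. The tenant and site URLs below are placeholders.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'   # placeholder tenant
$ContextName = 'TOU Secret Inf'                         # name used in this post
$SiteUrls    = @(
    'https://contoso.sharepoint.com/sites/secret-project-a',   # placeholder
    'https://contoso.sharepoint.com/sites/secret-project-b'    # placeholder
)

Connect-SPOService -Url $AdminUrl

$results = foreach ($url in $SiteUrls) {
    $before = $null
    $after  = $null
    $status = 'Applied'
    try {
        # Record the current setting so an unexpected change is visible.
        $before = Get-SPOSite -Identity $url -ErrorAction Stop

        Set-SPOSite -Identity $url `
            -ConditionalAccessPolicy AuthenticationContext `
            -AuthenticationContextName $ContextName `
            -ErrorAction Stop

        # Read the site back; do not trust a silent success.
        $after = Get-SPOSite -Identity $url -ErrorAction Stop
        if ("$($after.ConditionalAccessPolicy)" -ne 'AuthenticationContext') {
            $status = 'NotEffective'
        }
    }
    catch {
        # A misspelled context name or a missing site ends up here.
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Site   = $url
        Before = "$($before.ConditionalAccessPolicy)"
        After  = "$($after.ConditionalAccessPolicy)"
        Status = $status
    }
}

# Any row that is not 'Applied' is a site still reachable without MFA/TOU.
$results | Format-Table -AutoSize
```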

More information is available on Docs.

Good luck!
