SiteCollection Access Restriction

SharePoint Online (SPO), being a cloud-based service, can be accessed from anywhere across the globe with the help of the internet. Due to the organization policies, specific Site Collections in SPO should be restricted with no access outside the corporate network. In this article, let us see how to restrict the access.

Introduction

The Default SPO admin center provides an option to restrict the access of the complete SPO tenant based on the network/location. Restricting a particular Site collection with the SPO admin center isn’t possible. However, this can be achieved by integrating SPO with Azure Active Directory. The Conditional Access feature of Azure Active Directory premium helps to restrict a particular site based on the device platforms, locations, client apps, and device state.

Configuring Trusted IPs

The organization’s IP should be marked as Trusted IPs in Azure in order to have uninterrupted and easily manageable connection with the Azure and Office365 Services.

SiteCollection Access Restriction 
  • Login to Azure Portal, click on Azure Active Directory in the right pane, and select "Conditional Access" from the Azure Active Directory Blade.

    SiteCollection Access Restriction
  • Click on "Named Locations".

    SiteCollection Access Restriction
  • Click on "Configure MFA trusted IPs".

    SiteCollection Access Restriction

    SiteCollection Access Restriction
  • In Multi-Factor Authentication page, in Trusted IPs, specify the IP address subnets of the organization and/or the IP address subnets which can be trusted by the Azure and Office365 services.
  • Click "Save".

Configuration of Conditional Access

The Azure AD Conditional Access is part of Azure AD Premium P2 License.

SiteCollection Access Restriction 
  • Login to https://portal.azure.com/ and navigate to Azure Active Directory.
  • Select "Conditional Access" from Azure Active Directory blade.

    SiteCollection Access Restriction
  • Select Policies and click on "New Policy".

    SiteCollection Access Restriction

  • Specify the Policy Name & select “Users and Groups”.

    SiteCollection Access Restriction
  • Include\Exclude the users for whom the restrictions should be applied.

    SiteCollection Access Restriction

  • Click on Cloud Apps, select “Select Apps”, and search for “SharePoint Online” in the Application Gallery.
  • Double-click on Office 365 SharePoint Online and click.

    SiteCollection Access Restriction

  • Click "Done".

    SiteCollection Access Restriction

  • Click on Conditions and select Locations.
  • Click "Yes" to configure the location-based access.
  • In the Include tab, select "Any Location".

    SiteCollection Access Restriction
  • In the Exclude tab, select "All Trusted locations".
  • Click "Done".

    SiteCollection Access Restriction

  • Click "Done".

    SiteCollection Access Restriction
  • In Access Control, click "Grant Access".

Note
No changes are required on the option which is selected by default.

SiteCollection Access Restriction 
  • Click on "Session" and select "Use App Enforced Restrictions".

By selecting “Use App Enforced Restrictions”, the configuration settings of subsite collections will work along with the conditional access to manage the Access Controls of individual subsites.

SiteCollection Access Restriction 
  • Select ON in the "Enable Policy" section.
  • Click "Save".

    SiteCollection Access Restriction
  • Once the policy is created, it appears in the "Policies" tab of Conditional Access.

Access Restriction for specific Site

The final step is to update the configuration settings of the subsite for which the access restriction has to be applied.

SiteCollection Access Restriction 
  • Login to SharePoint Online Administrator PowerShell.
  • Run the below command to check the existing configuration settings of the subsite.

Get-SPOSite –Identity <Subsite URL> | fl

“Note that the Conditional Access Policy is set to Allow FullAccess”.

SiteCollection Access Restriction

Run the below command to block access for a particular site using conditional access.

“Set-SPOSite –Identity <Subsite URL> -ConditionalAccessPolicy BlockAccess”