Updates from: 01/12/2023 02:37:07
Service Microsoft Docs article Related commit history on GitHub Change details
SharePoint Authentication Context Example https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/authentication-context-example.md
description: "Learn about how to use Azure Active Directory conditional access a
# Conditional access policies for SharePoint sites
-With [Azure Active Directory authentication context](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts), you can enforce more stringent access conditions when users access SharePoint sites. You can directly apply an authentication context to a SharePoint site by using the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) PowerShell cmdlet.
+With [Azure Active Directory authentication context](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts), you can enforce more stringent access conditions when users access SharePoint sites.
-In the following example, an authentication context called MFA is attached to the site.
-
-```powershell
-Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "MFA"
-```
-Additionally, authentication contexts are used with sensitivity labels to connect [Azure AD conditional access policies](/azure/active-directory/conditional-access/overview) to labeled sites.
+You can use authentication contexts to connect an [Azure AD conditional access policy](/azure/active-directory/conditional-access/overview) to a SharePoint site. Policies can be applied directly to the site or via a sensitivity label.
Note that this capability can't be applied to the root site in SharePoint (for example, https://contoso.sharepoint.com).
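Review bot: the second sentence added at L14 ("Policies can be applied directly to the site or via a sensitivity label") names the wrong object; what gets attached to the site, directly or through a label, is the authentication context, and the conditional access policy is linked to it only by targeting that context (as the first sentence already says). Suggest "The authentication context can be applied directly to the site or via a sensitivity label." so the reader does not expect to name a conditional access policy on the site.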
-## Requirements
+## Requirements and limitations
-Some apps do not currently work with authentication contexts. If you have Office apps or third party apps, we recommend testing them on a site with authentication context enabled before broadly deploying this feature. Currently, the following apps and scenarios do *not* work with authentication contexts:
+Using authentication context with SharePoint sites requires one of the following licenses:
+- Microsoft 365 E5
+- Microsoft 365 E5 Compliance
+- Microsoft 365 E5 Information Protection and Governance
+
+Some apps don't work with authentication contexts. We recommend testing apps on a site with authentication context enabled before broadly deploying this feature.
+
+The following apps and scenarios don't work with authentication contexts:
- Older version of Office apps (see the [list of supported versions](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#more-information-about-the-dependencies-for-the-authentication-context-option)) - Yammer - Teams web app - OneNote app can't be added to channel if the associated SharePoint site has an authentication context-- Teams private channel won't provision a SharePoint if the main team site has an authentication context
+- Teams private channel won't provision a SharePoint site if the main team site has an authentication context
- Teams channel meeting recording upload fails on sites with an authentication context - SharePoint folder renaming in Teams fails if the site has an authentication context - Teams webinar scheduling fails if OneDrive has an authentication context - Workflows that use Power Apps or Power Automate fails to work for sites with an authentication context - Third-party apps - The OneDrive sync app won't sync sites with an authentication context-- Copy or Move files from Site-A(no policy) to Site-B(with policy) fails-
-Using authentication context with SharePoint sites requires at least one of the below licenses:
-- Microsoft 365 E5-- Microsoft 365 E5 Compliance-- Microsoft 365 E5 Information Protection and Governance-
+- Copy or move files from a site with no authentication context to a site with an authentication context fails
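Review bot: two grammar slips survive in the list items this hunk is already rewording. In the first item, "Older version of Office apps" should be "Older versions of Office apps", and further down "Workflows that use Power Apps or Power Automate fails to work" should be "fail to work". Since the hunk touches the adjacent items ("SharePoint site", "Copy or move files from a site with no authentication context ..."), fix these in the same change.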
## Setting up an authentication context
Setting up an authentication context for labeled sites requires these basic step
1. Add an authentication context in Azure Active Directory.
-2. Create a conditional access policy that applies to that authentication context and has the conditions and access controls that you want to use.
+1. Create a conditional access policy that applies to that authentication context and has the conditions and access controls that you want to use.
+
+1. Do one of the following:
-3. Set a sensitivity label to apply the authentication context to labeled sites.
+ 1. Set a sensitivity label to apply the authentication context to labeled sites.
+ 1. Apply the authentication context directly to a site
In this article, we'll look at the example of requiring guests to agree to a [terms of use](/azure/active-directory/conditional-access/terms-of-use) before gaining access to a sensitive SharePoint site. You can also use any of the other conditional access conditions and access controls that you might need for your organization.
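Review bot: the two alternatives under "Do one of the following:" are written as nested "1." items, so they render as an ordered sub-list and read as two sequential steps rather than a choice; use bullets for the alternatives. The second alternative ("Apply the authentication context directly to a site") is also missing its terminal period, unlike the sibling item.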
Next, create a conditional access policy that applies to that authentication con
To create a conditional access policy 1. In [Azure Active Directory Conditional Access](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade), click **New policy**.
-2. Type a name for the policy.
+1. Type a name for the policy.
-3. On the **Users and groups** tab, choose the **Select users and groups** option, and then select the **All guest and external users** check box.
+1. On the **Users and groups** tab, choose the **Select users and groups** option, and then select the **Guest or external users** check box.
-4. On the **Cloud apps or actions** tab, under **Select what this policy applies to**, choose **Authentication context**, and select the check box for the authentication context that you created.
+1. Choose **B2B collaboration guest users** from the dropdown.
+
+1. On the **Cloud apps or actions** tab, under **Select what this policy applies to**, choose **Authentication context**, and select the check box for the authentication context that you created.
![Screenshot of authentication context options in cloud apps or actions settings for a conditional access policy.](media/aad-authentication-context-ca-policy-apps.png)
-5. On the **Grant** tab, select the check box for the terms of use that you want to use, and then click **Select**.
+1. On the **Grant** tab, select the check box for the terms of use that you want to use, and then click **Select**.
-6. Choose if you want to enable the policy, and then click **Create**.
+1. Choose if you want to enable the policy, and then click **Create**.
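Review bot: the user scope of the example policy is narrowed here from "All guest and external users" to the "Guest or external users" check box plus only "B2B collaboration guest users" from the dropdown, but the scenario stated earlier on the page is requiring guests to accept the terms of use before reaching the site. As written, any external user who is not a B2B collaboration guest is no longer in scope and would not be prompted. Either state why only B2B collaboration guests are targeted, or tell the reader which of the other external user types in that dropdown to select to keep the original coverage.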
-### Update a sensitivity label
+### Set a sensitivity label to apply the authentication context to labeled sites
-Next, update a sensitivity label (or create a new one) to use the authentication context.
+If you want to use a sensitivity label to apply the authentication context, update a sensitivity label (or create a new one) to use the authentication context.
To update a sensitivity label 1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/informationprotection), on the **Information protection** tab, click the label that you want to update and then click **Edit label**.
To update a sensitivity label
Once the label has been updated, guests accessing a SharePoint site (or the **Files** tab in a team) with that label will be required to agree to the terms of use before gaining access to that site.
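Review bot: the lead sentence at L62 repeats "authentication context" and "sensitivity label" within one clause ("If you want to use a sensitivity label to apply the authentication context, update a sensitivity label ..."); suggest "To apply the authentication context through a sensitivity label, update an existing label (or create a new one) to use that context." It also helps to say up front that this section and the next one are alternatives, since the heading no longer says "Update".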
+### Apply the authentication context directly to a site
+
+You can directly apply an authentication context to a SharePoint site by using the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) PowerShell cmdlet.
+
+In the following example, we apply the authentication context we created above to a site called "research."
+
+```powershell
+Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -ConditionalAccessPolicy "Contoso guest terms of use" -AuthenticationContextName "Sensitive information - guest terms of use"
+```
+ ## See also [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)
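Review bot: the cmdlet line in this hunk passes the conditional access policy name to `-ConditionalAccessPolicy`, which is not what that parameter takes; it selects the access policy type for the site, and the example this hunk replaces used the value `AuthenticationContext` for exactly this case. With the current text the command would fail parameter validation rather than attach the context. Suggest `Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "Sensitive information - guest terms of use"`, and make sure the name given to `-AuthenticationContextName` matches the one used when the context was added in Azure AD, since the lead-in says it is the context "we created above". The conditional access policy itself is never named on the site; it is linked through the context.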
SharePoint Redirect Known Folders https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/redirect-known-folders.md
For these reasons, we recommend moving (redirecting) known folders to OneDrive i
We recommend that you upgrade to the latest available build before you deploy.
-To check eligibility on existing devices, data volume, and item counts as you decide on a rollout plan, and to later monitor progress of the rollout, use the Known Folder Move PowerShell script.
- For information on issues that can prevent folders from being moved, see [Fix problems with folder protection](https://support.office.com/article/d61a7930-a6fb-4b95-b28a-6552e77c3057#BKMK_FixProblems). Note that Known Folder Move doesn't work for users syncing OneDrive files in SharePoint Server. > [!IMPORTANT]
The OneDrive Known Folder Move Group Policy objects won't work if you previously
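Review bot: the removed paragraph was the only place this article told admins how to check device eligibility, data volume, and item counts before rollout and how to monitor progress afterwards (the Known Folder Move PowerShell script). Nothing in the hunk replaces it; if the script is retired, point to what replaces it, otherwise keep the paragraph. The accompanying note that Known Folder Move doesn't work for users syncing OneDrive files in SharePoint Server is a real limitation and should stay in the article.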
- If folders have been redirected to OneDrive using Windows Folder Redirection Group Policy: 1. Disable the Window Folder Redirection Group Policy and make sure to leave the folder and contents on OneDrive.
- 2. Enable KFM Group Policy. Known folders remain in OneDrive.
+ 2. Enable Known Folder Move Group Policy. Known folders remain in OneDrive.
- If folders have been redirected to a location on a local PC: 1. Disable the Window Folder Redirection Group Policy and make sure to leave the folder and contents at the redirected location.
- 2. Enable KFM Group Policy. Known folders move to OneDrive.
+ 2. Enable Known Folder Move Group Policy. Known folders move to OneDrive.
- If folders have been redirected to a network file share:
The OneDrive Known Folder Move Group Policy objects won't work if you previously
> If Migration Manager will create the Documents, Pictures, or Desktop folders, ensure that **Preserve file share permissions** is not selected when performing the migration. 2. Disable the Window Folder Redirection Group Policy and make sure to leave the folder and contents on the network file share.
- 3. Enable KFM Group Policy. Known folders move to OneDrive and will merge with the existing Desktop, Documents, and Pictures folders, which contain all the file share content that you moved in the first step.
+ 3. Enable Known Folder Move Group Policy. Known folders move to OneDrive and will merge with the existing Desktop, Documents, and Pictures folders, which contain all the file share content that you moved in the first step.
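Review bot: while expanding "KFM" to "Known Folder Move" in each sub-step, the hunk leaves "Window Folder Redirection Group Policy" in the three "Disable the ..." steps above them; the feature is Windows Folder Redirection, so fix the typo in the same change for all three occurrences. Consider "Enable the Known Folder Move Group Policy" for the three rewritten lines as well, matching the article's wording "The OneDrive Known Folder Move Group Policy objects".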