How are you controlling access to M365 on unmanaged devices?

Asked By TechExplorer42 On

I've been trying to manage access to M365 from unmanaged devices, especially focusing on allowing browser-only access while blocking downloads for platforms like SharePoint, OneDrive, and Office web apps. Setting this up was straightforward using SharePoint's unmanaged device controls combined with conditional access. However, I ran into issues with Power BI. Once I enforced web-only access without downloads on SharePoint, scheduled refreshes that rely on SharePoint data started failing, showing 'invalid credentials' even though authentication was successful. I'm looking to avoid creating exceptions for users or service accounts or redesigning my data sources to circumvent this issue. So, how is everyone handling this situation? Do you accept the limitations, move data sources off SharePoint, or live with the necessary exceptions? This seems like a common challenge, but the exact controls don't seem to fit together seamlessly. Your insights would be much appreciated!

3 Answers

Answered By SecurityNinja88 On

I think service accounts should be kept separate from these issues and equipped with additional protections and monitoring. It might be worth looking into using app registrations in Entra with keys where possible to prevent any vulnerabilities.

Answered By DataGuru99 On

Creating a standard operating procedure for service accounts and exceptions might be a good way to handle this. It sets clear rules and can help streamline the process whenever issues arise. Sometimes it’s just about having that documented guidance in place.

Answered By PowerAutomateFan On

What I've done is run Power Automate flows through a service account that's exempt from the conditional access rules. If security is a concern, you can also restrict it to trusted IP addresses. Just keep in mind that using service accounts might require extra licenses, but a cheaper F3 license could be a reasonable investment for securing operations.

CloudSavvy101 -

I attempted to set trusted IP exclusions, but found the authentication tied to the initial setup IP. We’re currently using split tunneling for M365 to minimize VPN throttling. It’s definitely a juggling act!
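For readers who want to see what the setup described in the question and in PowerAutomateFan's answer looks like in configuration, here is an added example (not posted by anyone in this thread) using the Microsoft.Graph and SharePoint Online Management Shell modules; the tenant URL and the service-account object ID are hypothetical placeholders. It starts the policy in report-only mode so the scheduled refreshes that broke for the asker show up in the sign-in logs before anything is enforced.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules. Tenant URL and the
# service-account object ID below are hypothetical placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Hypothetical object ID of the Power BI / Power Automate refresh account
# that PowerAutomateFan's answer exempts from the restriction.
# Cover it with its own policy (named-location restriction, monitoring)
# rather than leaving it unprotected.
$refreshAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Unmanaged devices: browser only, app-enforced restrictions"
    # Report-only first: sign-in logs reveal which service accounts and
    # scheduled refreshes would be affected before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("Office365") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($refreshAccountId)
        }
        clientAppTypes = @("browser")
        # Scope to unmanaged devices by excluding compliant and
        # hybrid-joined ones from the policy.
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    # Hand the session to SharePoint, which applies its own limited-access
    # (no download/print/sync) behaviour to unmanaged browser sessions.
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# SharePoint/OneDrive side: limited, web-only access for the sessions
# the policy above marks as coming from unmanaged devices.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # hypothetical tenant
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Switch `state` to `enabled` only after the report-only sign-in logs show no unexpected hits from refresh or automation identities.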
