SPO Access Control Policies - Remove dependency between Global & Site level policies for unmanaged devices
Currently in SharePoint Online we can configure the Global access control policy in the SPO Admin Center for full access, limited (web-only) access, or to block access. This setting applies to all SPO sites in the tenant.
There is also a site level conditional access policy parameter that can be set on each SPO site. For example:
The catch here is sites currently must be as restrictive as the Global Policy. This creates a problem if you want all your sites to have the Global limited access by default (no downloading of files) except for a few approved sites where you set/configure full access.
This uservoice request is to remove the dependency between these two settings to allow granular access control at the site level. Since all new SPO sites apply the Global policy by default, this will keep new SPO and Teams sites restricted when created by default. An Admin could then allow full access if needed at the site level without impacting the entire tenant.
We have discovered that users are able to use the full Teams client to access content stored in SPO that does not respect the Global access control policy configured in the SharePoint admin center. However the same content IS restricted in SPO by the Global policy.
Ideally the Site Level SPO conditional access policy will be able to override the Global policy and take effect both in the Teams client and SPO sites. This would provide the most control and best experience for managing a dynamic growing environment that needs to be kept secure but flexible for external guest access.
Thank you for considering the request and thank you for your vote! Each one counts.. :)