Authentication Contexts can be used alongside Conditional Access to help secure specific SharePoint sites that need to adhere to more rigorous security protocols. Sensitivity labels can take this one step further by applying additional controls that cannot be set within Conditional Access, such as group privacy settings and external sharing options.
In this tutorial I am going to show you how to create a new Authentication Context and apply that to a SharePoint or Teams site, either directly or via a Sensitivity Label. I will then show you how to target this Authentication Context with Conditional Access.
Page Contents
- Licensing requirements
- Create a new authentication context
- Create a sensitivity label with the authentication context
- Apply the sensitivity label to a SharePoint site
- Apply an authentication context directly to a SharePoint site
- Create a conditional access policy to target the authentication context
- Test access to the SharePoint site
Licensing requirements
To apply an Authentication Context or Sensitivity Labels to a SharePoint site, a Microsoft 365 E5 license is required.
There are also some limitations and core things you should know about using Authentication Contexts to secure specific sites:
- If you apply an Authentication Context to a core ‘Teams enabled’ site and then create a Private channel under that site, the SharePoint site for the private channel will fail to provision.
- If you try to rename a folder within Teams for a site with an Authentication Context applied, the rename operation will fail.
- You will not be able to sync SharePoint sites that have an Authentication Context applied using the OneDrive client.
- If you try to copy files from a SharePoint site without an Authentication Context applied to a site with an Authentication Context applied, the copy will fail.
Create a new authentication context
We are going to begin by creating a new authentication context in Conditional Access. Authentication Contexts are designed to provide additional security to data within applications such as SharePoint, or other ‘line of business’ applications that are protected by Defender for Cloud Apps. In my example, our authentication context will be targeted with a conditional access policy to enforce additional security, including a block downloads policy in Defender for Cloud Apps and Authentication Strengths.
Since our conditional access policy is targeting our authentication context, we will also need to link our authentication context with our application or SharePoint site. This can be done in more than one way, which I will go through in the next couple of steps. The first is that we can configure a Sensitivity Label with our Conditional Access Authentication Context, where additional settings can also be applied within that label, or the Authentication Context can be directly assigned to the SharePoint site.
To create a new Authentication Context, follow the below steps:
1. Login to Microsoft Entra at https://entra.microsoft.com
2. Expand Azure Active Directory, then Protect & secure and select Conditional Access.
3. Select Authentication context then New authentication context.
4. Choose a meaningful name for your Authentication context, check the Publish to apps check box so the authentication context is available to use, and click Save.
Your new authentication context will now be visible from the Authentication context tab and will also be available to assign to applications and SharePoint sites.
Create a sensitivity label with the authentication context
If you do not want to use Sensitivity Labels to assign your new Authentication context to a site, you can skip this step, otherwise, continue reading. Using a Sensitivity Label enables you to include additional protection on your site based on the settings you choose in your label. For example, you can include your authentication context in your label, as well as control your external sharing settings for the site with a Sensitivity label.
To create a new Sensitivity Label, follow the below steps:
1. Log in to the Microsoft Purview compliance portal.
2. Under the Solutions menu heading, select Information protection.
3. Select the Labels tab, then Create a label.
4. Complete the name and description of your sensitivity label, ensuring it is meaningful and others can understand the purpose of it, at a glance. Then click Next.
5. For the purpose of this tutorial, I am only going to select Groups & sites. However, if you plan on making this label available for users to assign to items and other resources, enable them appropriately.
6. Click Next until you reach the Groups & sites page and check the box next to External sharing and Conditional Access settings.
7. On the external sharing and conditional access settings page, I am going to make the most of the external sharing options for this Sensitivity label also. Below I have checked the box to control external sharing from labelled SharePoint sites and set it to Only people in your organisation.
I have also checked the box next to Use Azure AD Conditional Access to protect the labelled SharePoint sites and selected the Authentication Context I created earlier.
8. Click Next until you reach the final page and select Create label.
9. Once the label is created you will need to publish it to your apps so it can be assigned. From the Information protection page, select the Label policies tab, then Publish label.
10. Select your new label and click Next.
11. Leave the Publish to users and groups setting as default and click Next. The default setting should be On for all users and groups.
12. Click Next, leaving each page as the default settings until you reach the Name your policy page, enter a meaningful name for your policy and click Next, then Submit.
Please Read: It can take up to 24 hours for your new label to be visible for you to assign to your site.
Apply the sensitivity label to a SharePoint site
Once you have created your desired label, you must apply it to your site (document library) for the settings to take effect.
1. Start by accessing your site through your web browser. The format of your URL will likely be: https://*defaultdomain*.sharepoint.com/sites/*yoursite*
2. Select the settings cog at the top right of the page, then select Site information.
3. You can now set the Sensitivity label on your site and click Save.
Apply an authentication context directly to a SharePoint site
If you decide you do not want to use a sensitivity label, you can also assign your Authentication context directly to your site using the SharePoint Online PowerShell module.
Start by installing the SharePoint Online PowerShell module with the following command:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell `
-Scope CurrentUser -Force
You can then use the Connect-SPOService cmdlet to connect to SharePoint Online. You must also define your root SharePoint URL. You can get your root URL from the SharePoint admin center; it will be the core site under the Active Sites list. Otherwise you can copy the admin center URL and remove -admin, which is appended onto the domain.
Connect-SPOService -url https://*yourdomain*.sharepoint.com/
Assign your Authentication context to your site with the Set-SPOSite cmdlet. When you enter your site path, make sure you use the full path to the specific site you wish to modify; this is usually your root URL followed by /sites/*sitename*. The command below provides the template for you to assign your authentication context to your target site.
Set-SPOSite -Identity https://*yourdomain*.sharepoint.com/sites/testsite `
-ConditionalAccessPolicy AuthenticationContext `
-AuthenticationContextName "Strong Authentication"
To check the settings have applied correctly to your site, you can use the Get-SPOSite cmdlet. Use the example below to view the Conditional Access and Authentication Context settings for your site.
Get-SPOSite -Identity https://x7kxf.sharepoint.com/sites/testsite | `
Select-Object Con*, Auth*
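The commands above apply and check a single site. As an added example (not code from the original post), the script below applies the same authentication context to a list of sites and then reads every site back to report any that carry a different context name than expected, which is the check to run after a label or assignment change. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed; the tenant, site URLs and context name are placeholders. Note that Connect-SPOService is given the tenant admin URL (the host ending in -admin), which is what the cmdlet connects to.

```powershell
# Added example (not from the original post): bulk-assign an authentication
# context to SharePoint sites and audit which sites carry one afterwards.
# Assumes Microsoft.Online.SharePoint.PowerShell is installed.
Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl    = 'https://yourdomain-admin.sharepoint.com'  # placeholder tenant admin URL
$contextName = 'Strong Authentication'                     # must match the name published in Entra
$targetSites = @(                                          # placeholder site URLs
    'https://yourdomain.sharepoint.com/sites/testsite',
    'https://yourdomain.sharepoint.com/sites/finance'
)

# Connect-SPOService expects the -admin host of the tenant
Connect-SPOService -Url $adminUrl

# Apply the context to each target site
foreach ($url in $targetSites) {
    Set-SPOSite -Identity $url `
        -ConditionalAccessPolicy AuthenticationContext `
        -AuthenticationContextName $contextName
}

# Audit: Get-SPOSite -Limit All returns a reduced property set, so the full
# object is fetched per site before reading the conditional access fields.
$report = foreach ($site in Get-SPOSite -Limit All) {
    $full = Get-SPOSite -Identity $site.Url
    if ($full.ConditionalAccessPolicy -eq 'AuthenticationContext') {
        [pscustomobject]@{
            Url        = $full.Url
            Context    = $full.AuthenticationContextName
            AsExpected = ($full.AuthenticationContextName -eq $contextName)
        }
    }
}

# Sites with AsExpected = False point at a stale or mistyped context name
$report | Sort-Object AsExpected | Format-Table -AutoSize
```

Run the audit portion on its own (skip the foreach over $targetSites) on a schedule to catch sites whose context was removed or changed outside this process; a site whose AsExpected column reads False is one the Conditional Access policy is no longer protecting as intended.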
Create a conditional access policy to target the authentication context
The Conditional Access policy determines which additional security measures are enforced when accessing each SharePoint site linked to an Authentication context.
To create a new Conditional Access policy to target your Authentication Context, follow the below steps.
1. Log in to the Azure Active Directory admin center and select Azure Active Directory, then Security.
2. Select Conditional Access under the Protect heading in the menu.
3. On the Policies tab, select New policy to create a new Conditional Access policy.
4. Define a meaningful name for your policy and select which users it will apply to. I have selected All users.
5. On the Cloud apps or actions tab, select Authentication context from the dropdown list and check the Authentication context you want this Conditional Access policy to apply to.
6. Now select the access controls which you want to enforce on your site. These will be specific to your requirements but can be as strong or relaxed as necessary. For my policy, I have decided to enforce Strong authentication with the Authenticator App as well as the Block downloads policy in Conditional Access App Control.
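The portal steps above can also be scripted, which is useful when the same policy has to exist in several tenants or needs to be recorded as code. The following is an added example (not from the original post) using the Microsoft Graph PowerShell SDK: it creates the authentication context, looks up a built-in authentication strength by display name, and creates a policy targeting the context with that strength plus the block downloads session control. The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. The context id (c1), the context name and the policy name are placeholders; the strength name must be one of the built-in strengths (Multifactor authentication, Passwordless MFA, Phishing-resistant MFA) or a custom one in your tenant.

```powershell
# Added example (not from the original post): create an authentication context
# and a report-only Conditional Access policy that targets it, via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$contextId    = 'c1'                     # placeholder; context ids are c1 .. c99
$contextName  = 'Strong Authentication'  # must match the name used on the site or label
$strengthName = 'Phishing-resistant MFA' # built-in authentication strength

# 1. Create the authentication context if it does not exist, published to apps
$existing = Get-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -AuthenticationContextClassReferenceId $contextId -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MgIdentityConditionalAccessAuthenticationContextClassReference `
        -Id $contextId -DisplayName $contextName -IsAvailable:$true | Out-Null
}

# 2. Resolve the authentication strength by name instead of hard-coding its id
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq $strengthName
if (-not $strength) { throw "Authentication strength '$strengthName' not found" }

# 3. Policy body: all users, the authentication context as the target,
#    grant requires the strength, session control blocks downloads.
#    State is report-only until the sign-in logs have been reviewed.
$policy = @{
    displayName = "Require $strengthName for context $contextName"  # placeholder name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All') }
        applications = @{
            includeAuthenticationContextClassReferences = @($contextId)
        }
    }
    grantControls = @{
        operator               = 'AND'
        authenticationStrength = @{ id = $strength.Id }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch the state to enabled only after the report-only results show the expected users being evaluated against the context; because the policy applies to All users, keep at least one break-glass account excluded (conditions.users.excludeUsers) before enforcing it, otherwise a misconfigured authentication strength can lock administrators out of the labelled sites.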
If you want to learn more about how to configure the Block downloads policy, or a custom Cloud Apps security policy, read my tutorial: How to block external users from downloading files from Teams. Some other tutorials which will be extremely helpful for you to set up your conditional access policy are:
Test access to the SharePoint site
Once everything is set up and your Conditional Access is enforced, the additional security will be immediately applied to your SharePoint site. In the case of my example, I have enforced Strong MFA and the Block Download MCAS policy.
If this is the first time a user has set up MFA, they will be prompted with the following screen to enrol with the Microsoft Authenticator app.
Once complete, they will be taken to the site where the monitored access prompt from Microsoft Cloud App Security will appear.
However, if your user is not using the Microsoft Authenticator app or another secure MFA method, they will be denied access to the specific sites.
If you have applied the Sensitivity Label or Authentication Context directly to a Teams site, you will get the same experience when trying to access the site through the Files tab within the Teams desktop client or web app.