Need the advice for SharePoint access control

Browning 100 Reputation points
2026-05-29T03:55:01.85+00:00

I’m troubleshooting a policy interaction issue between SharePoint Online app-enforced restrictions and Microsoft Teams. We configured Conditional Access + SPO controls to block unmanaged devices and enforce browser-only access for OneDrive/SharePoint workloads. After rollout, users started reporting intermittent Teams desktop authentication failures and issues loading the Files tab within chats/channels.

Given that Teams relies on SPO/OneDrive services for file-backed workloads, I’m trying to understand whether this is an expected side effect of app-enforced restrictions impacting Teams token flows/session handling on unmanaged devices, or if there’s a known limitation requiring additional exclusions or CA policy adjustments.


Answer accepted by question author

Teddie-D 16,370 Reputation points Microsoft External Staff Moderator
2026-05-29T05:51:57.2133333+00:00

Hi Browning

Please note that we're not Microsoft support; this is a user-to-user support forum. Moderators here don’t have backend access to Microsoft systems, so we can only provide technical guidance based on public resources and community experiences.

When Conditional Access app-enforced restrictions are configured for SharePoint Online or OneDrive, the behavior you described can occur.

Microsoft Teams depends on SharePoint Online and OneDrive for file-backed workloads such as the Files tab in chats and channels, file sharing, previews, and document access. Because of this dependency, restrictions applied to SharePoint/OneDrive can also impact Teams file experiences.

Files tab loading issues in Teams can occur when access to SharePoint/OneDrive is restricted from unmanaged devices.

Intermittent authentication prompts in the Teams desktop client may also be observed. While not consistent across all environments, they can happen because the Teams client makes background requests to SharePoint/OneDrive services, and those requests are evaluated against the same Conditional Access policies.

Additionally, app-enforced restrictions are designed to provide a limited, browser-based experience and may not fully align with desktop client scenarios, which can lead to inconsistent behavior in applications like Teams.

Recommended next steps:

  • Review Microsoft Entra sign-in logs for affected users, including both Microsoft Teams and Office 365 SharePoint Online
  • Confirm whether the Conditional Access policy targets only SharePoint Online or broader scopes such as Office 365 / All cloud apps
  • Compare behavior between Teams desktop and Teams on the web to determine whether the issue is specific to the desktop client

You can read more at:  

I hope this information is helpful. 


Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

1 person found this answer helpful.
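
An added example, not part of the answer above and not Microsoft tooling: one way to carry out the sign-in log review and the desktop-versus-web comparison from the recommended next steps. It assumes the sign-in logs were exported as JSON records with Microsoft Graph `signIn` property names; the sample records, the policy name and the helper names are constructed for illustration.

```python
from collections import defaultdict

SPO = "Office 365 SharePoint Online"
DESKTOP = "Mobile Apps and Desktop clients"
POLICY = "Block-Unmanaged-SPO (constructed name)"
APPLIED = {"success", "failure"}  # results where the policy was actually enforced

def _rec(app, resource, client, managed, error, policies):
    """Build one constructed record using Microsoft Graph signIn property names."""
    return {"appDisplayName": app, "resourceDisplayName": resource,
            "clientAppUsed": client, "deviceDetail": {"isManaged": managed},
            "status": {"errorCode": error},
            "appliedConditionalAccessPolicies": policies}

# Constructed sample; 53003 is the "blocked by Conditional Access" error code.
SAMPLE = [
    _rec("Microsoft Teams", SPO, DESKTOP, False, 53003, [{"displayName": POLICY, "result": "failure"}]),
    _rec("Microsoft Teams", SPO, DESKTOP, True, 0, [{"displayName": POLICY, "result": "notApplied"}]),
    _rec("Microsoft Teams", SPO, "Browser", False, 0, [{"displayName": POLICY, "result": "success"}]),
    _rec("Microsoft Teams", "Microsoft Teams Services", DESKTOP, False, 0, []),
]

def summarize(records):
    """Group sign-ins by (app, resource, client type) and collect CA outcomes."""
    out = defaultdict(lambda: {"total": 0, "failed": 0, "unmanaged": 0, "policies": set()})
    for r in records:
        row = out[(r["appDisplayName"], r["resourceDisplayName"], r["clientAppUsed"])]
        row["total"] += 1
        row["failed"] += r["status"]["errorCode"] != 0
        row["unmanaged"] += not r["deviceDetail"].get("isManaged")
        for p in r.get("appliedConditionalAccessPolicies") or []:
            if p["result"] in APPLIED:
                row["policies"].add((p["displayName"], p["result"]))
    return dict(out)

def teams_hits_on_spo(summary):
    """Teams sign-ins for the SharePoint resource where a CA policy applied."""
    return {k: v for k, v in summary.items()
            if k[0] == "Microsoft Teams" and k[1] == SPO and v["policies"]}

if __name__ == "__main__":
    for key, row in teams_hits_on_spo(summarize(SAMPLE)).items():
        print(key, row)
```

Rows where the desktop client shows failures against the SharePoint resource while the browser row shows the same policy with a `success` result point to the policy being evaluated on Teams' background requests rather than to a Teams-only fault.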

1 additional answer

  1. Taz 9,286 Reputation points MVP Volunteer Moderator
    2026-05-29T05:54:46.69+00:00

    Hi Browning,

    Yes — this is expected behavior, not a bug. When you enforce app-enforced restrictions (block/limited access for unmanaged devices) on the SharePoint Online workload in Conditional Access, it impacts Teams because Teams uses SPO tokens for the Files tab, file previews, and OneDrive-backed storage. The Teams desktop client makes silent token calls to SPO, and those get caught by the unmanaged device restriction, causing the auth failures and Files tab issues you're seeing.

    What's happening: Teams desktop on unmanaged devices acquires a token for SPO, SPO evaluates the session against your app-enforced restriction policy, and either blocks or downgrades it — but Teams desktop can't gracefully handle the "browser-only" fallback the way a browser can.

    Fix options:

    1. Separate CA policy for Teams: Target the "Microsoft Teams" cloud app with device-compliance requirements independently, rather than relying solely on SPO app-enforced restrictions to cascade.
    2. Exclude Teams from SPO app-enforced restrictions: In SharePoint Admin Center → Access Control → Unmanaged Devices, note this applies globally. If you need granular control, use CA policies with session controls scoped specifically (not the SPO admin toggle).
    3. Use Conditional Access App Control (Defender for Cloud Apps) instead of app-enforced restrictions — this gives you more granular session policies that can handle the Teams ↔ SPO token interaction more cleanly.

    Regards,

    Taz-Mvp
