Restrict “Open in Desktop App” for Unmanaged Devices (SharePoint & OneDrive)

Khoa Anh Le 0 Reputation points
2025-06-19T12:07:06.6666667+00:00

Hello everyone,

I’m implementing a company policy that restricts users on unmanaged devices to only open documents (Word, Excel, PowerPoint) via Office for the Web when accessing data on SharePoint Online and OneDrive for Business.

The goal is to prevent users from using the “Open in Desktop App” option, as this allows them to "Save As" content to local storage — which violates our data protection policy.

We are currently licensed with:

  • Microsoft 365 E5 (full)
  • Microsoft 365 E3 + Microsoft 365 E5 Information Protection & Governance add-on

I’ve already tried combinations of:

  • Conditional Access policies (targeting unmanaged devices)
  • Microsoft Defender for Cloud Apps session controls

However, users on personal devices are still able to open files with Office desktop apps.

Has anyone successfully enforced web-only access in a similar scenario? Any insights, workarounds, or best practices would be greatly appreciated.

Thanks in advance!

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps

1 answer

  1. EduardsGrebezs 1,096 Reputation points
    2025-08-22T10:35:47.23+00:00

    Hi,

    1. Conditional Access + MCAS app-enforced restrictions primarily apply to browser sessions. When a user clicks “Open in Desktop App”, the file is opened directly in the local Office client.
    2. Desktop apps authenticate with stored credentials or Modern Auth tokens and are treated as trusted apps. Even if the device is unmanaged, the Office client can access SharePoint/OneDrive if the session token is valid.
    3. Unfortunately, Microsoft doesn’t provide a native toggle that completely disables “Open in Desktop App” for unmanaged devices at the SharePoint/OneDrive level.

    What MCAS can do

    1. Force web-only access for unmanaged devices when using a browser.
    2. Block downloads of files to unmanaged devices.
    3. Monitor and alert when a user accesses SharePoint/OneDrive from an unmanaged device.

    You could block "Open in app" through a Conditional Access policy. Here are the steps:

    1. Go to Microsoft Entra admin center -> Protection -> Conditional Access -> Create new policy.

    2. In the Users section, select the users you want to block.

    3. In the Target resources section: [screenshot]

    Conditions: [screenshot]

    Session: [screenshot]

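As an added example (not part of the answer above and not a Microsoft-published script), the Conditional Access plus session-control approach the answer walks through can be set up from PowerShell rather than clicked through in the portal. It assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account running it holds the Conditional Access Administrator and SharePoint Administrator roles, and that the placeholders $TenantAdminUrl and $TargetGroupId are replaced with your tenant's values; the policy display name is arbitrary.

```powershell
# Added example, not code from the original Q&A thread.
# Placeholders (assumptions): replace both values for your own tenant.
$TenantAdminUrl = "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
$TargetGroupId  = "<object-id-of-pilot-group>"             # placeholder Entra group object ID

# --- 1. SharePoint side: browser-only access for unmanaged devices -------------
# With ConditionalAccessPolicy = AllowLimitedAccess, SharePoint Online and OneDrive
# give unmanaged devices web-only access (no download, print or sync) and refuse
# rich-client access, which includes the Office desktop apps. "Unmanaged" here
# means the device is neither compliant nor hybrid Entra joined.
# LimitedAccessFileType OfficeOnlineFilesOnly keeps the web preview to Office
# formats only; files Office for the Web cannot render are not served at all.
Connect-SPOService -Url $TenantAdminUrl
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType OfficeOnlineFilesOnly

# Verify the tenant setting took effect before touching Conditional Access.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType

# --- 2. Entra side: Conditional Access policy with app-enforced restrictions -----
# The session control "Use app enforced restrictions" stamps a claim into the
# tokens issued to Office 365; SharePoint reads that claim together with the
# device state and applies the limited-access behaviour above. The policy must
# cover both browser and desktop/mobile client types, otherwise a desktop client
# gets a token without the claim and bypasses the restriction.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$policy = @{
    displayName = "SPO/ODB - web-only on unmanaged devices (pilot)"   # arbitrary name
    # Report-only first: review sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($TargetGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

Leave the policy in report-only mode for a few days and check the Conditional Access report-only results in the sign-in logs for the pilot group before switching `state` to `enabled`. Then test from a personal (non-compliant, non-hybrid-joined) device: the browser session should show the limited-access banner with download, print and sync removed, and "Open in Desktop App" should be refused rather than launching the local Office client. If the desktop client still opens the file, the usual cause is that the device is actually registered as compliant or hybrid joined, or that the policy excludes the desktop client type.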
