SharePoint & OneDrive · Sharing & External Access
SharePoint Access Control Administration
Responsibility profile, not a standalone Microsoft role. SharePoint Administrators manage these tenant controls, often together with Conditional Access Administrators.
Scope: Organization-wide access control policies
Permissions
- Unmanaged devices - Allow, limit, or block access
- Network location - Configure IP-based access restrictions
- App access - Control third-party app access
- Idle session - Set session timeout policies
- Modern authentication - Enforce modern auth requirements
Common use cases
- Securing access from personal devices
- Restricting access to corporate networks
- Blocking legacy authentication
- Preventing data download on untrusted devices
Best practices
- Combine with Conditional Access for full control
- Test policies before broad deployment
- Communicate restrictions to users
- Monitor access patterns for issues
Security considerations
- Blocking unmanaged devices affects BYOD users
- IP restrictions must account for VPNs and remote work
- Legacy auth block may break older apps
Common questions
When should I assign the SharePoint Access Control Administration role?
Assign SharePoint Access Control Administration when you need to: Securing access from personal devices; Restricting access to corporate networks; Blocking legacy authentication; and Preventing data download on untrusted devices. It is part of SharePoint & OneDrive and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the SharePoint Access Control Administration role do?
The SharePoint Access Control Administration role grants permissions including: Unmanaged devices - Allow, limit, or block access; Network location - Configure IP-based access restrictions; App access - Control third-party app access; Idle session - Set session timeout policies; and Modern authentication - Enforce modern auth requirements. See the Permissions section above for the full list.
What are the security risks of the SharePoint Access Control Administration role?
Key considerations when assigning SharePoint Access Control Administration: Blocking unmanaged devices affects BYOD users; IP restrictions must account for VPNs and remote work; and Legacy auth block may break older apps. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.