When I review a Microsoft 365 tenant for Level 2, I start with one hard truth: if CUI can land on a personal laptop, risk rises fast. SharePoint and OneDrive make teamwork easy, but unmanaged access can turn a clean security boundary into a mess.
The answer is not one Microsoft switch. For CMMC unmanaged device access, I need policy, technical controls, and evidence that match how your team handles CUI. That is where most assessments are won or lost.
What CMMC Level 2 actually expects from unmanaged device access
CMMC Level 2 does not tell me to enable one exact SharePoint or Entra setting. It asks me to protect CUI, limit access to authorized users and devices, control remote and mobile use, and prove those controls work. The CMMC Level 2 Assessment Guide is clear on the point that devices matter, not only user accounts.
That means I can’t treat SharePoint and OneDrive like a general file share if they hold CUI. If a user signs in from a home PC, a personal Mac, or an unenrolled phone, I need to decide what that device may do. In some environments, the answer is no access at all. In others, I may allow browser-only viewing with strict limits. Both can be reasonable, if they fit the system boundary and the SSP.
Microsoft gives me a useful map in its CMMC Level 2 access control guidance. Still, that guidance is not a compliance stamp. I have to align it with my enclave design, written policies, user roles, and current licensing.
CMMC asks me to control access to CUI. Microsoft gives me tools, not a single approved blueprint.
This is why I always start with scope. Is the whole tenant in scope? Only certain SharePoint sites? Only a dedicated CUI enclave? Until I answer that, any unmanaged-device rule is guesswork.
The access model I choose depends on where CUI lives
For SharePoint and OneDrive, I usually narrow the decision to three practical models.
Here is the quick comparison I use with clients:
| Access model | Best fit | Main tradeoff |
|---|---|---|
| Block all unmanaged devices | CUI-heavy sites and strict enclaves | Strongest control, highest user friction |
| Browser-only, limited access | Occasional review on personal devices | Lower friction, but more policy and monitoring work |
| Full access on managed devices only | Daily operational use of CUI | Requires solid Intune compliance and support processes |

If CUI sits in a site that many employees use every day, I prefer full access only from compliant or hybrid-joined devices. Then I block download, sync, and print from anything else. Microsoft documents the tenant and site controls in its guide to controlling access from unmanaged devices. One detail matters: site-level settings must be at least as restrictive as the org-wide setting.
When a business case exists for limited access, I keep it narrow. For example, a program manager on a personal laptop may review a file in the browser, but cannot download, sync, or print it. Meanwhile, the same user on an Intune-compliant, encrypted corporate laptop can edit and sync normally.
I also avoid blind trust in older clients. Legacy Office apps and other non-modern-auth tools can weaken these controls, so I block them. If the workflow depends on personal mobile devices, app protection can help, but I still validate whether that model belongs in the SSP before I call it acceptable for CUI.
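As an added example (not the post's own script), the tenant-wide limited-access default, the site-level block for a CUI site, the legacy-protocol block, and the "site no looser than tenant" rule described above look like this in the SharePoint Online Management Shell. The admin URL, the site URL and the helper name `Test-CuiSitePolicy` are assumptions.

```powershell
# Added example, not the post's own script. Assumes the
# Microsoft.Online.SharePoint.PowerShell module is installed and the signed-in
# account is a SharePoint administrator. URLs below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Org-wide default: unmanaged devices get browser-only, limited access.
# Editing is off, and files the browser cannot render cannot be downloaded.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -AllowEditing $false `
              -AllowDownloadingNonWebViewableFiles $false

# Legacy (non-modern-auth) clients do not honor these session limits, so turn them off.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# A CUI-heavy site gets the strictest model: no access from unmanaged devices.
# A site may be stricter than the tenant setting, never looser.
$cuiSites = @("https://contoso.sharepoint.com/sites/CUI-Programs")   # placeholder
foreach ($site in $cuiSites) {
    Set-SPOSite -Identity $site -ConditionalAccessPolicy BlockAccess
}

# Evidence check (hypothetical helper): confirm each CUI site is at least as
# restrictive as the org-wide setting and return one row per site for the SSP.
function Test-CuiSitePolicy {
    param([string[]]$SiteUrls)
    $rank = @{ AllowFullAccess = 0; AllowLimitedAccess = 1; BlockAccess = 2 }
    $tenantPolicy = [string](Get-SPOTenant).ConditionalAccessPolicy
    foreach ($url in $SiteUrls) {
        $sitePolicy = [string](Get-SPOSite -Identity $url).ConditionalAccessPolicy
        $atLeastAsStrict = if ($sitePolicy -eq 'AuthenticationContext') {
            # Governed by a Conditional Access authentication context instead;
            # review the policy bound to that context rather than this ranking.
            $null
        } else {
            $rank[$sitePolicy] -ge $rank[$tenantPolicy]
        }
        [pscustomobject]@{
            Site            = $url
            TenantPolicy    = $tenantPolicy
            SitePolicy      = $sitePolicy
            AtLeastAsStrict = $atLeastAsStrict
            CheckedAt       = (Get-Date).ToString('o')
        }
    }
}

Test-CuiSitePolicy -SiteUrls $cuiSites | Format-Table -AutoSize
```

The output table, captured with its timestamp, is the kind of artifact that shows an assessor the site setting was verified against the tenant default rather than assumed.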
Conditional Access is only the first layer
Conditional Access is where I start, not where I stop. I use policies that target SharePoint Online, which also covers OneDrive, and I separate my logic for managed and unmanaged devices. Microsoft lays out useful policy recommendations for securing SharePoint sites and files, but I still tune them to the tenant.

My baseline looks like this in practice. Managed endpoints must meet device compliance policy, which usually means encryption, supported OS versions, screen lock, malware protection, and other device hardening checks. Unmanaged devices get blocked or forced into app-enforced restrictions. I often tighten browser sessions with sign-in frequency and session controls, because a long-lived session on a personal device is a weak spot.
Then I move closer to the data. Sensitivity labels tell Microsoft 365 which files deserve the strongest handling. DLP backs that up by warning, blocking, or auditing risky sharing. For high-value CUI sites, I may bind stricter rules to a site by using authentication context for SharePoint sites. That lets me apply tougher access conditions only where they belong.
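As an added example (not the post's own script), here is the layered Conditional Access baseline from the two paragraphs above expressed in Microsoft Graph PowerShell: rich clients need a compliant or hybrid-joined device, browsers get app-enforced restrictions with a short session, legacy authentication is blocked, and a stricter rule is bound to high-value CUI sites through an authentication context. All policies are created in report-only mode. The group object IDs, policy names, the authentication context ID `c1` and its display name are assumptions.

```powershell
# Added example, not the post's own script. Assumes the Microsoft.Graph module
# is installed and the account can write Conditional Access policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$cuiUsersGroup   = "<object-id-of-CUI-users-group>"       # placeholder
$breakGlassGroup = "<object-id-of-break-glass-group>"     # placeholder, excluded everywhere
$sharePointApp   = "00000003-0000-0ff1-ce00-000000000000" # Office 365 SharePoint Online; OneDrive rides on it

$users = @{ includeGroups = @($cuiUsersGroup); excludeGroups = @($breakGlassGroup) }

# Policy 1: desktop and mobile apps reach SharePoint only from a compliant or
# hybrid-joined device. Anything else is not granted.
$requireManaged = @{
    displayName   = "CUI-01 SharePoint: apps require compliant or hybrid-joined device"
    state         = "enabledForReportingButNotEnforced"   # report-only until tested
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @($sharePointApp) }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

# Policy 2: browsers get in with MFA, but SharePoint applies its limited-access
# mode to unmanaged devices (app-enforced restrictions), the session is short,
# and nothing persists in the personal device's browser.
$browserLimited = @{
    displayName     = "CUI-02 SharePoint: browser sessions use app-enforced restrictions"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = $users
        applications   = @{ includeApplications = @($sharePointApp) }
        clientAppTypes = @("browser")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
        signInFrequency   = @{ value = 1; type = "hours"; isEnabled = $true }
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

# Policy 3: legacy authentication cannot honor session controls, so it is blocked.
$blockLegacy = @{
    displayName   = "CUI-03 Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 4: an authentication context that only high-value CUI sites are bound to,
# requiring MFA and a compliant device even in the browser.
New-MgIdentityConditionalAccessAuthenticationContextClassReference -Id "c1" `
    -DisplayName "CUI sites" -Description "High-value CUI SharePoint sites" -IsAvailable
$cuiContext = @{
    displayName   = "CUI-04 Authentication context: MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = $users
        applications = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

foreach ($policy in @($requireManaged, $browserLimited, $blockLegacy, $cuiContext)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
}

# Bind a site to the context from the SharePoint Online Management Shell (placeholder URL):
# Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/CUI-Programs" `
#     -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "CUI sites"
```

Report-only mode lets the sign-in logs show what each policy would have done before it is switched to `enabled`; the break-glass group exclusion keeps an admin path open while the rules are being validated.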
In my work across small-business IT, cloud infrastructure, Office 365 migration, and data center environments, I see the same pattern every time, and it holds just as much for restaurant POS and kitchen technology clients: security fails when endpoint protection stops at the office wall. Clients want a secure cloud architecture, managed endpoints, and business continuity, and an unmanaged-device policy is what ties those pieces together.
Documentation, monitoring, and assessor evidence matter as much as the settings
I never assume a policy is enough because the portal says “On.” For Level 2, I need to show how the rule maps to the SSP, the access control policy, the mobile or BYOD policy, and the actual system boundary. If personal devices are allowed for any CUI workflow, I document who may use them, under what conditions, and what protections apply.
A simple example helps. If engineering can view controlled drawings in a browser from personal devices, I document that the files remain in SharePoint, downloads are blocked, sync is blocked, printing is blocked, MFA is required, and activity is logged. I also document exceptions, reviewers, and how often the rule is tested.
The BYOD side often gets skipped, which is risky. I like the phased approach in this BYOD policy guide for NIST SP 800-171 and CMMC Level 2, because it starts with inventory, role need, and connection paths before it jumps into tooling.
Logging is the other half of the story. I review Entra sign-in logs, SharePoint and OneDrive audit events, DLP alerts, and policy hits. Report-only mode is helpful before rollout, but it is not lasting evidence of enforcement. I want screenshots, exportable logs, test cases, and review records.
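As an added example (not the post's own script), here is a review pass over exported Entra sign-in log entries that flags SharePoint or OneDrive sign-ins from unmanaged devices that were not held by an enforced Conditional Access policy, and separates report-only hits from real enforcement, as the paragraph above warns. The entries are constructed for the example and use the field names of the Graph sign-in record; the function name `Find-UnmanagedSharePointSignIn` is an assumption.

```powershell
# Added example, not the post's own script. Input is JSON as exported from the
# Entra sign-in logs (Graph signIn field names). Returns one finding per
# unmanaged-device SharePoint/OneDrive sign-in that lacks enforced Conditional Access.
function Find-UnmanagedSharePointSignIn {
    param([Parameter(Mandatory)][string]$SignInJson)

    $findings = foreach ($s in (ConvertFrom-Json -InputObject $SignInJson)) {
        $isSharePoint = $s.resourceDisplayName -match 'SharePoint|OneDrive'
        $unmanaged    = -not ($s.deviceDetail.isCompliant -or $s.deviceDetail.isManaged)
        $signedIn     = $s.status.errorCode -eq 0
        if (-not ($isSharePoint -and $unmanaged -and $signedIn)) { continue }

        # Separate policies that actually enforced from those that only reported.
        $enforced   = @($s.appliedConditionalAccessPolicies | Where-Object result -eq 'success')
        $reportOnly = @($s.appliedConditionalAccessPolicies | Where-Object result -like 'reportOnly*')

        $reason = if ($s.conditionalAccessStatus -eq 'success' -and $enforced.Count -gt 0) {
            $null   # an enforced policy governed this session: nothing to flag
        } elseif ($reportOnly.Count -gt 0) {
            'Report-only policy hit only; not evidence of enforcement'
        } else {
            'Unmanaged device reached SharePoint with no Conditional Access policy applied'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = $s.createdDateTime
                User     = $s.userPrincipalName
                Client   = $s.clientAppUsed
                OS       = $s.deviceDetail.operatingSystem
                Policies = ($s.appliedConditionalAccessPolicies |
                            ForEach-Object { "$($_.displayName)=$($_.result)" }) -join '; '
                Finding  = $reason
            }
        }
    }
    return @($findings)
}

# Constructed sample log: one unmanaged browser session properly held by an
# enforced policy, one unmanaged desktop client that only hit a report-only
# policy, and one compliant managed device.
$sample = @'
[
  { "createdDateTime": "2025-01-15T14:02:11Z", "userPrincipalName": "pm@contoso.com",
    "resourceDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
    "status": { "errorCode": 0 }, "conditionalAccessStatus": "success",
    "deviceDetail": { "isCompliant": false, "isManaged": false, "operatingSystem": "MacOs" },
    "appliedConditionalAccessPolicies": [ { "displayName": "CUI-02 browser app-enforced", "result": "success" } ] },
  { "createdDateTime": "2025-01-15T14:10:42Z", "userPrincipalName": "eng@contoso.com",
    "resourceDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Mobile Apps and Desktop clients",
    "status": { "errorCode": 0 }, "conditionalAccessStatus": "notApplied",
    "deviceDetail": { "isCompliant": false, "isManaged": false, "operatingSystem": "Windows 10" },
    "appliedConditionalAccessPolicies": [ { "displayName": "CUI-01 require managed", "result": "reportOnlyFailure" } ] },
  { "createdDateTime": "2025-01-15T14:15:05Z", "userPrincipalName": "eng@contoso.com",
    "resourceDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Mobile Apps and Desktop clients",
    "status": { "errorCode": 0 }, "conditionalAccessStatus": "success",
    "deviceDetail": { "isCompliant": true, "isManaged": true, "operatingSystem": "Windows 10" },
    "appliedConditionalAccessPolicies": [ { "displayName": "CUI-01 require managed", "result": "success" } ] }
]
'@

Find-UnmanagedSharePointSignIn -SignInJson $sample | Format-Table -AutoSize
```

On the sample, only the second entry is returned: the unmanaged desktop client got in while the managed-device policy was still in report-only mode, which is exactly the gap a report-only pilot hides until the rule is switched to enforced.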
If a control cannot be explained, tested, and shown to an assessor, it is weaker than it looks in the admin center.
Licensing also matters. Some advanced label and authentication-context features may require higher plans, so I verify current Microsoft capabilities before I promise a design.
A short checklist I use before I call the design ready
Before I sign off on unmanaged access to SharePoint or OneDrive, I run a short validation list.

- I confirm whether CUI is allowed on any unmanaged or personal device path at all.
- I separate CUI sites, libraries, or user populations from general collaboration spaces.
- I require MFA and create Conditional Access rules for SharePoint Online and OneDrive.
- I decide whether unmanaged devices are blocked outright or limited to browser-only access.
- I block download, sync, and print for unmanaged sessions where limited access is allowed.
- I require compliant managed devices for full access to CUI content.
- I apply sensitivity labels and DLP where CUI needs stronger handling.
- I turn on logging, review alerts, and keep evidence of regular control checks.
- I test the design with managed devices, unmanaged devices, guests, and break-glass exclusions.
- I compare every setting against the SSP, policies, enclave boundary, and likely assessor questions.
That last step is the one people rush past. I don’t.
Conclusion
Unmanaged access to SharePoint and OneDrive is not a yes-or-no question under Level 2. It is a design choice that has to match your CUI boundary, your policies, and your evidence.
When I get this right, personal devices stop being a blind spot. They become either blocked, tightly limited, or fully governed under a documented model that an assessor can follow from policy to control to log.