Curious how others are handling this because I’m running into a wall.

Goal is pretty standard: allow browser access to M365 from unmanaged devices but block downloads (SharePoint, OneDrive, Office web apps, etc). Easy enough with SharePoint unmanaged device controls + CA.

Problem is Power BI.

As soon as you enforce web-only / no-download on SharePoint, scheduled refreshes that pull from SharePoint start failing. Auth succeeds, but the data call gets blocked and shows up as “invalid credentials.”

I’m trying to avoid carving out user/service account exceptions or redesigning the data source just to make this work.

So… how are you all dealing with this?

•   Accept the limitation?

•   Move data sources off SharePoint?

•   Just live with exceptions?

Feels like a pretty common scenario but the controls don’t quite line up.

Curious what others landed on.

I was going to post this into /microsoft365 but the posts don’t read technical there so hoping this group can help better.

Yes I used AI to help write the question.