Commit 1cc1897

[excel] (Power Automate) Add best practice of blocking unmanaged devices (#650)
* Add best practice of blocking unmanaged devices
* Add best practice of blocking unmanaged devices
* Fix date
* Clarify CA control
1 parent 64f5199 commit 1cc1897

2 files changed

+11
-5
lines changed

docs/develop/power-automate-integration.md

Lines changed: 6 additions & 3 deletions
@@ -2,7 +2,7 @@
22
title: Run Office Scripts with Power Automate
33
description: How to get Office Scripts for Excel working with a Power Automate workflow.
44
ms.topic: integration
5-
ms.date: 08/10/2023
5+
ms.date: 09/19/2023
66
ms.localizationpriority: medium
77
---
88

@@ -42,8 +42,11 @@ This opens a task pane with several options to begin connecting your Office Scri
4242
> [!NOTE]
4343
> The **Run script** Power Automate action only supports scripts stored in your OneDrive. To run scripts shared in SharePoint libraries, use the **Run script from SharePoint library (Preview)** action. This action is currently in preview and is subject to change based on feedback. If you encounter any issues with this action, please report them through the **Help** > **Give Feedback** option in Power Automate.
4444
45-
> [!IMPORTANT]
46-
> The "Run script" action gives people who use the Excel connector significant access to your workbook and its data. Additionally, there are security risks with scripts that make external API calls, as explained in [External calls from Power Automate](external-calls.md). If your admin is concerned with the exposure of highly sensitive data, they can either turn off the Excel Online connector or restrict access to Office Scripts through the [Office Scripts administrator controls](/microsoft-365/admin/manage/manage-office-scripts-settings).
45+
### Data security in Office Scripts with Power Automate
46+
47+
The "Run script" action gives people who use the Excel connector significant access to your workbook and its data. Additionally, there are security risks with scripts that make external API calls, as explained in [External calls from Power Automate](external-calls.md). If your admin is concerned with the exposure of highly sensitive data, they can either turn off the Excel Online connector or restrict access to Office Scripts through the [Office Scripts administrator controls](/microsoft-365/admin/manage/manage-office-scripts-settings).
48+
49+
For admins who have enabled Conditional Access policies for unmanaged devices in their tenant, it's a best practice to disable Power Automate on unmanaged devices. This process is detailed in the blog post [Control Access to Power Apps and Power Automate with Azure AD Conditional Access Policies](https://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies/).
4750

4851
## Data transfer in flows for scripts
4952

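Review bot: The paragraph added at new line 49 says "disable Power Automate on unmanaged devices" and limits the advice to "admins who have enabled Conditional Access policies for unmanaged devices", while the note added to platform-limits.md in this same commit tells all administrators to "consider blocking all access to Power Automate from unmanaged devices". Suggest one wording for both files, preferably "block access to Power Automate from unmanaged devices", since the linked post is about controlling access to the service with Conditional Access policies rather than disabling anything on the device. Also, moving the "Run script" warning out of the [!IMPORTANT] callout into body text under the new ### heading makes it less prominent; if that is intended, the commit message should say so.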
docs/testing/platform-limits.md

Lines changed: 5 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Platform limits and requirements with Office Scripts
33
description: Resource limits and browser support for Office Scripts when used with Excel.
44
ms.topic: limits-and-quotas
5-
ms.date: 09/08/2023
5+
ms.date: 09/19/2023
66
ms.localizationpriority: medium
77
---
88

@@ -78,13 +78,16 @@ Your browser needs third-party cookies enabled to show the **Automate** tab in E
7878

7979
## Conditional Access
8080

81-
[Conditional Access](/azure/active-directory/conditional-access/overview) policies can restrict access to SharePoint and OneDrive for [unmanaged devices](/sharepoint/control-access-from-unmanaged-devices). If your device isn't managed by the tenant, you may not have access to specific scripts, or may only be able to access them through the browser.
81+
[Conditional Access](/azure/active-directory/conditional-access/overview) policies restrict access to SharePoint and OneDrive for [unmanaged devices](/sharepoint/control-access-from-unmanaged-devices). If your device isn't managed by the tenant, you may not have access to specific scripts, or may only be able to access them through the browser.
8282

8383
If you script is blocked by Conditional Access policies, you'll receive one of two error messages. These messages also surface in Power Automate if your flow is run from an unmanaged device.
8484

8585
- "Due to organizational policies, you can’t access this resource from this untrusted device."
8686
- "We can't find this script. It may have been deleted by another user." (If your version of Excel is older.)
8787

88+
> [!IMPORTANT]
89+
> Administrators should consider blocking all access to Power Automate from unmanaged devices. This process is detailed in the blog post [Control Access to Power Apps and Power Automate with Azure AD Conditional Access Policies](https://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies/).
90+
8891
## API support on older Excel versions
8992

9093
Some Office Scripts APIs may not be supported by Excel for Windows or Excel for Mac, especially older builds. These include newer APIs and APIs for web-only features. If a script contains unsupported APIs, the Code Editor displays a warning. If you try to run such a script, it won't run. Instead, the **Script Run Status** task pane displays a warning message that says, "This script currently must be run on Excel for the web. Open the workbook in the browser then try again, or contact the script owner for help."
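Review bot: At new line 81, changing "can restrict access" to "restrict access" turns a conditional statement into an unconditional one. Conditional Access policies restrict SharePoint and OneDrive access from unmanaged devices only when an admin has configured them to, and the next sentence still says "you may not have access". Suggest keeping "can restrict" or writing "can be configured to restrict". While this section is open, the unchanged line 83 has a typo, "If you script is blocked", which should read "If your script is blocked". The [!IMPORTANT] note added at lines 88-89 would also be easier to maintain if its wording matched the paragraph added to power-automate-integration.md.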
