Notion page sharing lets you give external guests or team members access to specific pages or databases. When your organization uses Conditional Access Policies in Microsoft Entra ID, those policies can restrict Notion sessions based on device compliance, location, or sign-in risk. This article explains how Notion sharing works alongside Conditional Access, what happens when a policy blocks access, and how to configure sharing so that invited guests can still reach their assigned pages without breaking your security rules.
Key Takeaways: Notion Sharing and Conditional Access Policies
- Settings & Members > Security > Conditional Access: Enables or disables policy enforcement for Notion sessions.
- Share button > Invite with email: Sends a guest invite that triggers Conditional Access evaluation during login.
- Settings & Members > Security > Session Duration: Controls how often re-authentication happens, which can reduce policy checks.
How Notion Page Sharing Interacts with Conditional Access Policies
Conditional Access Policies are rules in Microsoft Entra ID that control who can access cloud apps based on conditions like device platform, location, or sign-in risk. When a Notion workspace is connected to Microsoft Entra ID as an enterprise application, Notion can enforce those policies during user authentication. Page sharing in Notion works by granting a guest or team member access to a specific page or database. The guest must sign in with a Microsoft account or a Notion account linked to a Microsoft identity. If a Conditional Access Policy requires a compliant device or a specific location, the guest must meet that requirement to view the shared page. Notion does not bypass Conditional Access for shared pages. The policy applies to the entire session, not to individual pages. This means that if a block page or a compliance failure occurs, the guest cannot see any shared content until they satisfy the policy or the administrator grants an exception.
What Conditional Access Policies Can Affect Notion Sharing
The following policy conditions can block or restrict Notion page access:
- Device compliance: Requires the device to be Intune-managed or meet compliance rules. A personal device without enrollment may be blocked.
- Location: Restricts access to trusted IP ranges or countries. Guests outside the allowed range cannot authenticate.
- Sign-in risk: Blocks or requires MFA if the sign-in is considered risky.
- Client app type: Can limit access to browser sessions only, blocking the Notion desktop or mobile app.
Notion also supports session control policies such as app-enforced restrictions. These controls can limit download, print, or copy actions when a user views a shared page.
Steps to Configure Notion Page Sharing with Conditional Access
Before you share pages, ensure that Notion is registered as an enterprise application in Microsoft Entra ID and that Conditional Access Policies are applied to the Notion app. Then use the following steps to share a page and verify that policies are enforced.
- Open the page you want to share
Navigate to the Notion page or database that needs external access. Click the Share button in the top-right corner of the page. - Invite a guest by email
In the Share menu, type the email address of the guest. The email must match the identity used in Microsoft Entra ID. Click Invite. The guest receives an email with a link to the page. - Set the permission level
After inviting, choose the guest’s permission: Can edit, Can comment, or Can view. For sensitive pages, use Can view to prevent changes. - Configure Conditional Access in Notion admin settings
Go to Settings & Members > Security > Conditional Access. Ensure the toggle is enabled. If disabled, Notion will not enforce any Conditional Access Policies. Click Configure to select the Microsoft Entra ID tenant and application. - Test the guest experience
Open a private browser window or use a device that does not meet the policy requirements. Click the invite link. Notion redirects to Microsoft Entra ID for sign-in. If the policy blocks the sign-in, the guest sees a block page or a compliance prompt. If the policy allows, the guest sees the shared page. - Adjust session duration for fewer policy checks
In Settings & Members > Security > Session Duration, set a longer session time, such as 8 hours. This reduces how often the guest must re-authenticate and re-evaluate policies. The default is 1 hour.
Alternative Method: Share Pages with a Group Instead of Individuals
If you manage many guests, create a Microsoft Entra ID group and apply the Conditional Access Policy to that group. Then in Notion, invite the group email address. This simplifies policy management because you can add or remove members from the group without changing the Notion share settings.
Common Issues with Notion Sharing and Conditional Access
Guest Sees a Block Page Instead of the Shared Notion Page
The guest’s device or location does not meet the policy requirements. Ask the guest to use a compliant device or connect from an allowed location. If the policy requires device enrollment, the guest must enroll the device in Intune. As a workaround, you can create an exclusion policy for a specific group of trusted guests.
Guest Can See the Shared Page but Cannot Edit or Comment
The permission level set in the Share menu may be too restrictive. Go to the Share menu, find the guest’s name, and change the permission to Can edit or Can comment. If the policy includes app-enforced restrictions, editing may also be blocked. Check the session control settings in the Conditional Access Policy.
Notion Does Not Enforce Conditional Access for Shared Pages
The Conditional Access toggle in Notion admin settings may be disabled. Go to Settings & Members > Security > Conditional Access and enable it. Also confirm that the Notion enterprise application in Microsoft Entra ID has the policy assigned and enabled.
Guest Cannot Sign In with Their Microsoft Account
The guest’s account may not be federated with the same Microsoft Entra ID tenant that Notion uses. The guest must sign in with the account that received the invite. If the invite was sent to a personal email that is not linked to a Microsoft Entra ID account, the guest cannot authenticate. Send a new invite to the guest’s work or school email address.
Notion Sharing Options vs Conditional Access Enforcement
| Item | Share with email invite | Share with link (anyone) |
|---|---|---|
| Authentication required | Yes, guest must sign in with Microsoft or Notion account | No, anyone with the link can view (if link sharing is enabled) |
| Conditional Access applies | Yes, during sign-in | No, because no sign-in occurs |
| Best for | Controlled external access with policy enforcement | Quick sharing without security constraints |
Notion also supports sharing with a workspace member directly. If the member is already in the workspace, Conditional Access applies to their existing session. No additional invite is needed.
You can now set up Notion page sharing that respects your organization’s Conditional Access Policies. Start by enabling the Conditional Access toggle in Notion admin settings and inviting guests by email. For tighter control, use a Microsoft Entra ID group and assign the policy to that group. Remember that link sharing bypasses all Conditional Access checks, so use it only for non-sensitive content. An advanced tip: configure a session control policy in Microsoft Entra ID to restrict download of Notion page content even when the guest is authenticated.