Forum Discussion

Russ Mckee
Jan 23, 2018

Conditional Access by location, but allow activesync

Hi All,

I've struggled to find an answer to my question with Hybrid. Using a couple of Exchange 2013 servers on-prem set up in a DAG, and looking to Hybrid migrate to Office 365.
To secure the data, I wish to use conditional access to meet the requirement of securing access to Exchange Online only from my offices/datacentres.
I do however want to still allow ActiveSync to be accessible by the wider public. There is an MDM solution involved which is on-site with Exchange 2013.
Can I ask:

1. Is it possible to secure access to a site for Outlook/email access, while still allowing ActiveSync access from anywhere?
2. Is this possible using AAD Connect and not ADFS?
3. Have you seen any documentation for this?
4. Finally, any caveats?
Thanks muchly!

4 Replies

  • Mike Parker
    Iron Contributor
    Hi Russell,

    You would need to use either ADFS or Azure AD Conditional Access (an Azure AD P1 feature). The conditional access controls in Azure AD CA do not limit ActiveSync (legacy auth clients) unless you specify the client in the CA rule. This is how we set up clients generally.

    I haven't done CA for on-premises mailboxes, but I think this is available/in preview now. You can do this using synced identity as well as ADFS. Equally, you could use AAD to do the CA rather than ADFS if you had ADFS in place. There should be plenty of information on this on docs.microsoft.com.

    Mike
    • Russ Mckee
      MCT
      Hi Mike,
      Thank you for the quick response. So I can use Azure AD CA to configure Conditional Access to limit access to Exchange Online to certain locations only (by IP), while still being able to allow ActiveSync for mobile devices.
      All mailboxes will be moved to Exchange Online (Office 365).
      We are electing to use AAD Connect instead of ADFS, but I can't find any documented steps to accomplish this.
      I am looking to do this in a lab before the live migration begins. Do you know of any recent documents on docs.microsoft.com? I couldn't find any myself.
      • Mike Parker
        Iron Contributor
        Hi Russell,

        That's right, that's exactly how it will work.

        There is no impact whether you are using ADFS or AAD Connect. The AAD CA policies aren't affected by that, so there wouldn't be specific documentation.

        Docs can be found here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

        Mike
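
The setup Mike describes, written out as an added example (not from the thread) with the Microsoft Graph PowerShell SDK: the policy blocks Exchange Online from any location except the tenant's trusted named locations, but only for browser and modern-auth desktop/mobile clients, so ActiveSync is not subject to the location check simply because its client type is not listed. The office IP ranges, the break-glass account placeholder and the use of the Office 365 Exchange Online first-party app ID are lab assumptions.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph.Identity.SignIns
# module and an admin with the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Office/datacentre egress ranges as a trusted named location.
# The CIDR ranges below are constructed sample values for the lab.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate offices and datacentres"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }
    )
}

$policy = @{
    displayName = "Block Exchange Online outside offices (modern auth clients only)"
    # Start in report-only mode and review sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Always exclude an emergency access account from a block-all policy.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # Office 365 Exchange Online first-party application (assumption: targets EXO only).
        applications = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        # Only these client types are evaluated. Leaving out "exchangeActiveSync" (and
        # "other", i.e. other legacy-auth protocols) is what keeps ActiveSync unrestricted.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # every named location with isTrusted = $true
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because ActiveSync and other legacy-auth sign-ins fall outside this policy, the on-premises MDM mentioned in the question (or a separate policy targeting those client types) is what governs them; the sign-in log's "Client app" column shows which policy, if any, applied to each request.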