Forum Discussion
Russ Mckee
Jan 23, 2018 MCT
Conditional Access by location, but allow activesync
Hi All,
I've struggled to find an answer to my question with Hybrid. Using a couple of Exchange 2013 servers on-prem setup in DAG, and looking to Hybrid migrate to Office 365. To secure the dat...
Mike Parker
Jan 23, 2018 Iron Contributor
Hi Russell,
You would need to use either ADFS or Azure AD Conditional Access - Azure AD P1 feature. The conditional access controls in Azure AD CA do not limit ActiveSync (legacy auth clients) unless you specify the client in the CA rule. This is how we set up clients generally.
I haven't done CA for on-premises mailboxes but I think this is available/in preview now. You can do this using synced identity as well as ADFS. Equally you could use AAD to do the CA rather than ADFS if you had ADFS in place. There should be plenty of information on this on docs.microsoft.com.
Mike
Russ Mckee
Jan 23, 2018 MCT
Hi Mike,
Thank you for a quick response. So I can use Azure AD CA to configure Conditional Access to limit access for Exchange Online to certain locations only (by IP), while still being able to allow ActiveSync for mobile devices.
All mailboxes will be moved to Exchange Online (Office 365).
We are electing to use AADConnect instead of ADFS, but I can't find any documented steps to accomplish this?
I am looking to do this in a lab before live migration begins - do you know of any recent documents on docs.microsoft.com? I couldn't find any myself.
Mike Parker
Jan 23, 2018 Iron Contributor
Hi Russell,
That's right - that's exactly how it will work.
There is no impact whether you are using ADFS or AAD Connect - the AAD CA aren't impacted by that so there wouldn't be specific documentation.
Docs can be found here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Mike
Russ Mckee
Jan 23, 2018 MCT
Thanks Mike. I will try this out in a lab and report back!
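The setup Mike describes, a location-based block on Exchange Online that leaves ActiveSync out by not listing that client app type in the rule, can be expressed as a Conditional Access policy. The script below is an added example for this thread, not something either poster supplied, and it uses the Microsoft Graph PowerShell SDK rather than the portal steps linked above. It assumes the Microsoft.Graph module is installed, that the signed-in account can grant the Policy.ReadWrite.ConditionalAccess scope, and that the office IP range (203.0.113.0/24 here, a documentation range used only as a placeholder) is replaced with the real one.

```powershell
# Added example: block Exchange Online from outside a trusted office range,
# while leaving Exchange ActiveSync clients unaffected. Not from the thread.
# Requires: Install-Module Microsoft.Graph (the Identity.SignIns submodule).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A trusted named location for the office egress range.
#    203.0.113.0/24 is a placeholder (RFC 5737 documentation range); replace it.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress (placeholder range)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. The policy. Only "browser" and "mobileAppsAndDesktopClients" are listed
#    under clientAppTypes, so "exchangeActiveSync" (and "other") are not in
#    scope and the location block never applies to them. This is exactly the
#    behaviour Mike describes: CA does not touch ActiveSync unless the rule
#    names that client type.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # well-known Office 365 Exchange Online app id; confirm in your tenant

$policy = @{
    displayName = "Block Exchange Online outside trusted locations (ActiveSync exempt)"
    # Start in report-only so sign-in logs show what *would* be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($officeLocation.Id)   # or "AllTrusted" to cover every trusted location
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read the policy back and confirm ActiveSync is really outside its scope.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$types = $check.Conditions.ClientAppTypes
if ($types -contains "exchangeActiveSync") {
    Write-Warning "Policy scopes exchangeActiveSync; mobile mail clients would be blocked off-site."
} else {
    Write-Host "OK: client app types in scope are $($types -join ', '); ActiveSync is exempt."
}
```

Two things worth keeping in view while testing this in the lab. First, the exemption works by omission: ActiveSync stays reachable from any network, so the location rule protects Outlook, OWA and other modern clients but not mobile mail, which is the trade-off the thread is deliberately making. Second, leave the policy in report-only until the sign-in logs have shown a few days of expected outcomes, then switch `state` to "enabled"; a location block with a wrong CIDR locks out the whole office at once.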