Forum Discussion
Restrict email access to Exchange Online
Hey Peter,
We are trying to accomplish the same thing, but from what we found you need ADFS. The problem with Conditional Access is it blocks clients that use Modern Auth. If the client tries using basic auth (Outlook 2010 and older only use basic, and Outlook 2013 / 2016 can use modern or basic) it will get through. We are working on blocking basic auth w/ADFS externally to shore up this loophole.
- PKlapwijk, Jan 24, 2017, MVP
Hi Chris Eckel
This is a cloud-only customer, so part of my solution for this was blocking basic auth for Exchange Online. In this situation that was no problem; the customer is running only Outlook 2013 / 2016. Until now it has not yet been implemented in the customer's tenant; I was just running this in a lab.
But in your situation, with an on-prem AD, if you don't want to use ADFS, have a look at the new Azure Portal. Under Azure Active Directory you find Conditional Access. You can create a policy to only allow Exchange Online access from domain-joined devices, filter it on Windows devices, and set up another solution for your mobile devices.
- Clifford Kennedy, Feb 03, 2017, Iron Contributor
The CA policies get you most of the way there, but I believe you still need to set the ADFS claims rule to block the down-level clients. We found you still need basic to ensure mobile clients using EAS can connect and retrieve content. Of course, if you are using Outlook for iOS/Android only, which no longer relies on the EAS channel, you could implement MAM+CA in this case.
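An added example, not code from any poster in this thread: the "block basic auth for Exchange Online" step PKlapwijk mentions, done with the Exchange Online authentication policy cmdlets that Microsoft shipped after this thread was written. The policy name and pilot mailbox address are assumed.

```powershell
# Added example (not from any poster in this thread). Requires the
# ExchangeOnlineManagement module and an Exchange Online admin account.
Connect-ExchangeOnline

# A new authentication policy blocks Basic auth on every protocol by
# default; the switches are listed explicitly so the scope is visible.
# If legacy EAS mobile clients are still in use (the caveat raised
# above), temporarily set -AllowBasicAuthActiveSync:$true and remove it
# once only modern-auth clients such as Outlook mobile remain.
$policyName = "Block Basic Auth"   # assumed name
New-AuthenticationPolicy -Name $policyName `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthWebServices:$false

# Pilot on one mailbox first (assumed address), then make the policy
# the tenant default so every user without an explicit policy gets it.
Set-User -Identity "pilot.user@contoso.example" -AuthenticationPolicy $policyName
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Verify which protocols still accept Basic auth under the policy.
Get-AuthenticationPolicy -Identity $policyName | Format-List AllowBasicAuth*
```

Existing sessions keep working until their tokens expire; check the Exchange Online sign-in logs for remaining Basic auth attempts before rolling the policy out tenant-wide.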