Introducing Conditional Access by Network Location for SharePoint and OneDrive for Business

As showcased at Ignite in September 2016, we are bringing network location-based conditional access policy to SharePoint and OneDrive for Business to First Release starting 20 January 2017.



This policy can help prevent data leakage and can help meet regulatory requirements to prevent access from untrusted networks. IT administrators can limit access to specific network ranges from the SharePoint Admin console. Once configured, any user who attempts to access SharePoint and OneDrive for Business from outside the defined network boundary (using web browser, desktop app, or mobile app on any device) will be blocked.

These policies will be available to all First Release commercial & GCC tenants, and will not require additional licensing.

Administrative Experience
Administrators must make sure that the configured network ranges include the IP address of the machine they are administering from. IP address ranges are strictly enforced, so entering a range that doesn't include the administrator's machine will lock out the admin session. If this happens, please contact support to reestablish connectivity.

By default, this policy is off: if it is left unconfigured, SharePoint enforces no network restrictions at all. Configuring this policy is completely optional.


If an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the AADP whitelist is evaluated first, followed by the SharePoint policy. As a result, a SharePoint administrator may apply a policy that is more restrictive than the one defined in AADP, but cannot enable access to an IP address range that AADP already prohibits.
[Screenshot: Admin experience in the SharePoint Online admin console.]


Finally, the SharePoint policy applies to all SharePoint services in the Office 365 tenant, including OneDrive for Business.
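A pre-flight check for the lockout caveat above, written for this post as an added example (it is not code from the post or from the SharePoint team). It assumes the SharePoint Online Management Shell is loaded and Connect-SPOService has already been run, handles IPv4 ranges only, and uses constructed sample IP values; Set-SPOTenant with -IPAddressAllowList and -IPAddressEnforcement is the real cmdlet and parameters.

```powershell
# Added example (not from the post): refuse to enable the SharePoint Online
# network-location policy unless the admin's own address is in the allow-list.
# Assumes the SharePoint Online Management Shell is loaded and Connect-SPOService
# has already been run. IPv4 only. IP values below are constructed samples.

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/', 2
    if (-not $prefix) { $prefix = 32 }          # a bare address means /32
    $prefix = [int]$prefix
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    # Compare octet by octet; only the bits covered by the prefix must match.
    for ($i = 0; $i -lt 4; $i++) {
        $bitsHere = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        if ($bitsHere -eq 0) { break }
        $mask = (0xFF -shl (8 - $bitsHere)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

$AdminPublicIP  = '203.0.113.10'                          # constructed: admin's egress IP
$ProposedRanges = @('203.0.113.0/24', '198.51.100.0/25')  # constructed: corporate egress ranges

# 1. Every entry must parse; a typo here is what produces the lockout the post warns about.
foreach ($r in $ProposedRanges) {
    $net, $bits = $r -split '/', 2
    if (-not [System.Net.IPAddress]::TryParse($net, [ref]$null) -or
        ($bits -and ([int]$bits -lt 0 -or [int]$bits -gt 32))) {
        throw "Invalid range '$r'; policy not applied."
    }
}

# 2. Refuse to apply a list that would exclude the session doing the applying.
$covered = $ProposedRanges | Where-Object { Test-IPv4InCidr -Address $AdminPublicIP -Cidr $_ }
if (-not $covered) {
    throw "Allow-list does not contain $AdminPublicIP; applying it would lock out this session."
}

# 3. Apply. The allow-list parameter takes a comma-separated string of ranges.
Set-SPOTenant -IPAddressAllowList ($ProposedRanges -join ',') -IPAddressEnforcement $true
```

Run it from the same network location you intend to keep administering from, since the check only protects the address you give it.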

User Experience
All user access from inside the whitelisted address ranges will proceed as normal. However, users attempting to access SharePoint and OneDrive workloads from outside the whitelist will be blocked.
[Screenshot: User experience when accessing SharePoint from a prohibited location.]


Location-based conditional restrictions, when enforced, also prevent offline file sync via the OneDrive clients. In general, if your tenant contains content so sensitive that it shouldn't be viewed outside known networks, we would advise disabling sync entirely to prevent any content from leaving known network locations on remote devices. These policies block live access to SharePoint and OneDrive; they do not detect when previously downloaded or offline-synchronized content is on a client device that travels to a network outside the whitelisted range.


We're excited about our new conditional access policies, and look forward to rolling out even more in the coming months. Thank you.


Frequently Asked Questions (FAQ)
Q. How will these policies affect access to other Office 365 services, such as Exchange?
A. There is no direct impact on any non-SharePoint services in Office 365. However, for collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when those apps are accessed from outside the whitelist.


Q. Are conditional access policies by location available to government tenants?
A. Yes, these policies are available in the GCC cloud. We anticipate releasing these policies to other sovereign clouds later in 2017.


Q. Do these policies require additional licensing to enable the use of Azure Active Directory Premium or Office 365 E5?
A. No, these policies do not require those services or any additional licensing. If a customer is not using Azure Active Directory Premium, SharePoint policies will work as described to enable and/or prevent access based on network location.


Q. How do these policies affect access to on-premises installations of SharePoint Server?
A. These policies do not affect SharePoint Server, and we have no information about plans to include on-premises SharePoint Server in the scope of these access policies.


Nice feature; seems January is a busy month with new updates arriving :-)

Love the fact that you've made this available without requiring any additional licensing. I've been playing with it (well, the PowerShell cmdlet) for a while now, works as advertised :)




We have done POC with many customers here in Pakistan and they are looking forward to deploy this feature very soon after the final release.

Occasional Contributor

Our needs would be more granular.  It's hard to work with vendors/clients when you can't do this by site collection, for example.

Not applicable

I have to imagine this just made a lot of my regulated customers happy.


Great feature! Hopefully this heralds a future iteration that allows for more granular control - at site collection level for example. Our ideal would be to provide a solution for our more sensitive data but not at the expense of preventing anytime/anywhere access to other content.

This is great news for regulated customers trying to implement a mobile strategy. 

Frequent Contributor

Does anyone know where the setting is for this? "if your tenant contains content so sensitive it shouldn’t be viewed outside known networks, we would advise disabling sync entirely"

Is this a PowerShell command, or how is this achieved?

Regular Visitor

Where do you configure the new feature "conditional access by network location"? 


We may need a way to opt out of / edit this option in case an incorrect IP range was set. Once you press <Save> with an incorrect IP range, you may never be able to correct it, because you yourself will be denied access to the admin console.


- Another warning dialog should be required when you press <Save> on the console if you enable the [Control access based on location] option.
- There should be an admin-only URL so that the admin can edit the IP range settings in case an incorrect value was set.


You can configure the "conditional access by network location" option at [Device Access] page in https://admin.onedrive.com/ after signing in to Office 365 as a company administrator.


For those who are looking for more granular options, i.e. by Site Collection, why would that make a difference? I'm trying to figure this out with a few of my customers, and I'm stuck on the "Authentication" piece being managed by Conditional Access, and the "Authorization" piece being managed, still, via permissions on site collections.
I think you would want to use Conditional Access to enable network access based on location as determined by who the user is, and then, subsequently, use permissions to determine which Site Collections that person would have access to. I struggle to see how the same user identity would have different access to different site collections depending on where they are. I think having the one lever of conditional access to handle authentication and the second lever of permissions should be enough, shouldn't it?

I expect there will be more conversations around this, so I'd like to understand why conditional access at the site collection level would be a requirement. 
Thanks - 
Owen Allen,
Cloud Productivity TSP

Occasional Visitor

Owen, I would want to restrict some of my staff from accessing content when not at work, i.e. if working from home then I don't want them to be able to sync content to their home PC, or an Internet cafe, etc.


If they are at work, then fine they should be able to access whatever content they have permission to access, but away from work then they should be prevented. For managers or C-Level, a less restrictive policy would be applied.




Occasional Contributor

Looking forward to trying this, but wish there was a better mobile solution with non-Intune customers.

Occasional Visitor


On the conditional access per site collection, in a regulated environment, like Healthcare, there are certain types of information, like PHI, that we only want accessed from approved devices. Therefore, for a site collection where they may want to collaborate on information containing PHI, you would want to restrict based on the IP of certain companies, domain-approved devices, or Intune-managed devices. This would include not being able to access the content from personal devices. However, for other site collections, one may want to allow personal device collaboration and broader external collaboration, like say one was collaborating on building plans or a community program. Right now, the Azure AD Conditional Access would cover the broader access to a service offering, such as SharePoint or Power BI. What is needed at the SharePoint level is control at the site collection level, like we have sharing control at the site collection level (i.e., some site collections can be externally shared and others not).

Occasional Visitor

Our case for conditional access per site collection would be when we set up a site collection for use as an extranet with a client of ours, and they want to lock access to that down to our location and theirs.


Jason, Chuck, and Thomas - good ideas for scenarios, thank you. As a field technology person, I also have to deal with these scenarios with my customers. I agree, it will be nice when Conditional Access can support the granularity that you are looking for. 


Appreciate all the dialog around this feature - we completely hear you on the potential to augment our scenarios with IP "blacklisting" and more granular site collection based controls. We'll factor those in, and I encourage everyone to continue the suggestions over on http://sharepoint.uservoice.com Thanks!


Hello Chris.


Is this feature enabled? I could not see this on our O365 SharePoint Admin center.


Will this feature also be added separately in the OneDrive Admin Preview?



Occasional Contributor

I see the option on the OneDrive Admin client but NOT the SPO Admin center.  It would be nice to be able to know when features are being enabled for our tenant.

Occasional Visitor

I don't see any option in SPO Admin Center either. We are on Gov Cloud.


It was released on 1/20 to First Release commercial and GCC tenants - adding @Sameer Yadav to the thread to comment on the GCC (GovCloud) question.  Thanks!


Hi Brian and Robert - Could you try logging in once more into your SPO admin center and look for the device access tab? You should see this network location based policy.

Occasional Contributor

@Sameer Yadav - just tried.  Nope.  It is there for OneDrive Admin but not SPO Admin.  

Occasional Visitor

@Sameer Yadav - I see it now in SPO Admin center.


@Chris McNulty - I emailed you the other day. Any update on session timeout settings in SPO as we discussed at SPTech Con in Boston last year?


Brian, I haven't seen the message - can you resend? No timing I can share publicly, but it is an active research and design area for us now.

Occasional Visitor

What if users are using OneDrive outside the organization and they don't have fixed IP addresses to be allowed?

Occasional Visitor

Do we have an option to except one site from this rule ?

Occasional Visitor

We don't see this option in our admin panel.  Is this feature still being rolled out?  If so, is there any way to know approximately when it will available to us?  



Occasional Visitor



Can we achieve access control based on IP location using a private IP address range alone?


How's it going on Private IP?

Is there any requirement about IP addresses?


Occasional Contributor

Does anyone have any updates / news about restricting access based on network location by site collection? It's not usable by our company in its current implementation. Ideally, we'd have a SharePoint Online site collection similar to an internal file server. That would be restricted based on our network IP range at the office.


However, we also want to be able to use SharePoint to collaborate and share externally, so we would have different site collections for this with different access restrictions.


Right now, it's an all or nothing approach.  

Occasional Contributor

I agree, this is still a large need for us, and it prevents us from using SharePoint Online to collaborate with some of our clients who require it.

Established Member

This seems to break a lot of functionality for me. And my assigned support rep has been able to recreate it in his environment also. When IP restrictions are on, OneNote can't provision the default notebooks, and users with a notebook have a nag banner about that in the web client all the time. Also, users are "timed out" of editing documents after 3-8 min in the web client whenever IP restrictions are on.

New Contributor

Is it possible to restrict one particular SharePoint Online Team site with an IP address range, while other sites can be opened from anywhere?


Hi - can we have an update on the general thinking with this feature and whether or not it might be introduced at site collection level? I'm prompted by the post 5 hours ago about site collection specific IP restrictions. This was hinted/discussed a fairly long time ago and would be an excellent feature that would help address lots of security issues for us. Something similar already exists for external sharing restrictions which can be both at tenant and site collection level.

For example, we have a current project where we will be creating some planning, analysis and evidence capture artifacts in a particular site collection. This site collection will be accessed from a finite number of sites and on occasion by staff using VPN solutions such that an IP restriction would be of significant advantage and allow us to rely on both the physical security of the associated locations as well as device security of the associated networks. We don't have the same requirement for other content and IP range restrictions would be a burden rather than an advantage for all other site collections.