SOLVED

Restricting access to Office 365- Microsoft Teams After defined hours


Hello Team,

 

Hope everyone is doing well. I had one question for this wonderful community; I hope I will get more inputs from all of you.

 

We're looking to restrict login hours for a person in Microsoft Teams. We don't want to allow him to access Teams after working hours or outside a defined time period. Currently we don't want to use Conditional Access to allow use of only the office network and block all external access, as users need to connect through different networks for work access.

 

Please provide me your inputs to achieve this. Any help would be greatly appreciated.

 

Thanks,

Jitesh

7 Replies
I believe if you're not utilizing Conditional Access, your only option is using AD FS or pass-through auth and limiting the login hours in AD! Although I suspect this isn't waterproof, since if they've logged in already they will stay connected until that token expires.

Edit: for Teams only, I don't think there are any controls for this possible outside of using CA, where you can control geo and IP ranges in this scenario!
Hopefully someone else has some ideas if this really is needed.
Thanks Adam for your response,
Hopefully we will be able to analyze this and find some solutions with the help of community members.
best response confirmed by VI_Migration (Silver Contributor)
Solution

The only way to restrict logon hours is when authentication happens on-premises, so you need either PTA or AD FS. But that will of course apply to all apps, not just Teams. An alternative is to schedule a PowerShell script that periodically disables/reenables the account and revokes tokens. Again, applies to all apps.

 

CA doesn't offer time-based controls, but it's the only solution that can target just the Teams app.
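
The scheduled disable/re-enable and token-revocation approach mentioned in the answer above, as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell SDK and accounts managed in the cloud directory; the UPN, time zone and working hours are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example: run from a scheduler (for instance every 15 minutes).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder values (assumptions): replace with your own accounts and schedule.
    [string[]]$UserPrincipalName = @('user1@contoso.example'),
    [string]$TimeZoneId = 'India Standard Time',
    [TimeSpan]$WorkStart = '09:00',
    [TimeSpan]$WorkEnd = '18:00',
    [DayOfWeek[]]$WorkDays = @('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday')
)

function Test-WithinWorkingHours {
    param([datetime]$UtcNow, [string]$TimeZoneId, [TimeSpan]$Start, [TimeSpan]$End, [DayOfWeek[]]$Days)
    # Evaluate the schedule in the users' time zone, not the scheduler host's.
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $local = [TimeZoneInfo]::ConvertTimeFromUtc($UtcNow, $tz)
    ($Days -contains $local.DayOfWeek) -and ($local.TimeOfDay -ge $Start) -and ($local.TimeOfDay -lt $End)
}

# Interactive sign-in shown here; an unattended schedule would need app-only
# authentication, which is not shown.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$shouldBeEnabled = Test-WithinWorkingHours -UtcNow ([datetime]::UtcNow) -TimeZoneId $TimeZoneId `
    -Start $WorkStart -End $WorkEnd -Days $WorkDays

foreach ($upn in $UserPrincipalName) {
    $user = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,accountEnabled'
    if ($user.AccountEnabled -eq $shouldBeEnabled) { continue }   # already in the desired state

    if ($PSCmdlet.ShouldProcess($upn, "Set accountEnabled to $shouldBeEnabled")) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$shouldBeEnabled
        if (-not $shouldBeEnabled) {
            # Disabling blocks new sign-ins; revoking refresh tokens stops existing
            # sessions from renewing. Access tokens already issued stay valid until they expire.
            Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        }
    }
}
```

Running the script with `-WhatIf` reports which accounts would change state without modifying them. As the answer notes, this affects every app the account signs in to, not just Teams.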

Vasil, the main idea is to block login on Teams after office hours. So suppose I block the login hours from AD, then how will it sync with the Teams app? In this case the users will still be able to use the Teams app on their mobile phone. Please suggest.

By using ADFS or PTA, all logins go to your AD for authentication! Doesn’t matter where or what device it’s from!

Although, as both @Vasil Michev and I pointed out, this will block logins to all Office 365 services.
Even when using PTA or ADFS you will have tokens that won't expire and you'll stay logged in. It'll only restrict someone from logging in if their token expires and they need to re-log in during this time, or you crank your token expiration way down, which will create angry users.

@Jitesh_Kumar 

 

There are two ways to do this:

- Using AD Connect with Pass-through (https://youtu.be/cdgxmx4bpgg)

- Script (https://youtu.be/JErcqyflEdI); this video helps to configure it
