
Limit access to Office 365 from internet

Julien Schneider
Contributor

Hello,

 

I'm looking for a solution to limit access to Office 365 (Exchange, OneDrive, ...) from the internet. I don't want users to be able to read or send mail from outside the company, but when they are on premises it's okay. As usual there are some exceptions: certain users should be able to access their mail from the internet. Internet access must be secured with MFA.

 

I've already done some research and it seems that there are 2 options for me:

- Azure AD Conditional Access (requires a premium license)

- ADFS conditional access

 

But I still have some questions:

1) Can I achieve my goal with both options?

2) Is there any other solution to achieve my goal?

3) Currently, there is a hybrid Exchange with Azure AD Connect set up. Is it compatible with conditional access?

 

Thank you for your answer.

 

4 Replies

Hi!

Not really! ADFS CA is for internal resources, and Azure AD CA is for cloud resources.

You can use a connector for Exchange locally and use Azure CA though.

 

Hello,

 

Thank you for your answer.

 

As I said, there is a hybrid Exchange configuration and all mailboxes are hosted on Exchange Online.

So to manage access to these mailboxes, I have to use Azure AD CA?

You use Azure AD CA for this, yes.

Just to make sure you understand the process correctly, both Azure AD CA and AD FS claims rules only restrict the authentication. If the user authenticates in your "internal" network and takes his laptop home, he will still be able to happily access messages until the token expires, which can be a very long time in general.

 

If you only want to block access to email, Client Access Rules in Exchange Online might be a better match. They are enforced at the Exchange server layer, and evaluated every time the client "talks" to the server. However, in general they aren't as robust as CA policies are. Here's the documentation: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/...
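To make the contrast concrete, here is an added example (not from the thread or from Microsoft's documentation) of the Client Access Rule approach this reply describes: a deny rule for everyone connecting from outside the on-premises egress range, a higher-priority allow rule for the excepted users, and a test of the evaluation order. The IP ranges, user names and domain are constructed, and the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Added example (not from the thread): Exchange Online Client Access Rules that
# deny every protocol unless the client comes from the on-premises egress IPs,
# with an exception for the users who are allowed to work from the internet.
# Assumptions: ExchangeOnlineManagement module installed; 203.0.113.0/24 is the
# company's public egress range (constructed, RFC 5737 documentation space);
# the exempt users and test addresses below are constructed values.
Connect-ExchangeOnline

$onPremEgress  = @('203.0.113.0/24')                                # constructed
$remoteWorkers = @('alice@contoso.example', 'bob@contoso.example')  # constructed

# Rule 1 (evaluated first): explicitly allow the exempt users from anywhere.
# Their MFA requirement belongs in Azure AD Conditional Access, not here;
# Client Access Rules only decide whether Exchange accepts the connection.
New-ClientAccessRule -Name 'Allow remote workers from anywhere' `
    -Action AllowAccess `
    -UsernameMatchesAnyOfPatterns $remoteWorkers `
    -Priority 1

# Rule 2: deny everyone else unless the connection originates on-premises.
# A deny rule that could cut off your own RemotePowerShell session risks a
# lockout, so create and test it from an address inside $onPremEgress.
New-ClientAccessRule -Name 'Block Exchange Online access from the internet' `
    -Action DenyAccess `
    -ExceptAnyOfClientIPAddressesOrRanges $onPremEgress `
    -Priority 2

# Verify the evaluation order before trusting it: the cmdlet reports which rule
# matches for a given user, source address, port, protocol and auth type.
# Expected: carol (not exempt, internet address) hits the deny rule;
# alice (exempt) hits the allow rule from the same address.
Test-ClientAccessRule -User 'carol@contoso.example' -RemoteAddress '198.51.100.7' `
    -RemotePort 443 -Protocol OutlookWebApp -AuthenticationType OAuthAuthentication
Test-ClientAccessRule -User 'alice@contoso.example' -RemoteAddress '198.51.100.7' `
    -RemotePort 443 -Protocol OutlookWebApp -AuthenticationType OAuthAuthentication
```

These rules only gate connections to Exchange, so OneDrive and the other services from the original question still need an Azure AD Conditional Access policy. Microsoft has since announced the retirement of Client Access Rules in Exchange Online in favour of Conditional Access, so check the current documentation before building on them.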
