Oct 16 2018 03:01 AM
Hello,
I'm looking for a solution to limit access to Office 365 (Exchange, OneDrive, ...) from the internet. I don't want users to be able to read or send mails from outside the company, but when they are on premise, it's okay. As usual there are some exceptions: certain users should access their mails from the internet. Internet access must be secured with MFA.
I've already done some research and it seems that there are 2 options for me:
- Azure AD Conditional access (require a premium license)
- ADFS conditional access
But I still have some questions :
1) Can I achieve my goal with both options?
2) Is there any other solution to achieve my goal?
3) Currently, there is a hybrid Exchange with Azure AD Connect set up; is it compatible with conditional access?
Thank you for your answer.
Oct 16 2018 03:42 AM
Hi!
Not really! ADFS CA is for internal resources, and Azure AD CA is for cloud resources.
You can use a connector for Exchange locally and use Azure CA though.
Oct 16 2018 04:52 AM
Hello,
Thank you for your answer.
As I said, there is a hybrid Exchange configuration and all mailboxes are hosted on Exchange Online.
So to manage access to these mailboxes, I have to use Azure AD CA?
Oct 16 2018 10:57 AM
Just to make sure you understand the process correctly, both Azure AD CA and AD FS claims rules only restrict the authentication. If the user authenticates in your "internal" network and gets his laptop home, he will still be able to happily access messages until the token expires, which can be a very long time in general.
If you only want to block access to email, Client Access Rules in Exchange Online might be a better match. They are enforced at the Exchange server layer, and evaluated every time the client "talks" to the server. However, in general they aren't as robust as CA policies are. Here's the documentation: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/...
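As an added illustration of the Client Access Rules approach from the last reply (this is example code, not from the thread or from Microsoft's documentation), the script below builds the rule set the original question asks for: a guard rule so an admin can never lock themselves out of remote PowerShell, an allow rule for the approved exception users, and a deny rule for everyone else unless the connection comes from the corporate egress addresses. The IP ranges, the `CustomAttribute1` value used to mark exception users, the rule names and the sample user are assumptions; replace them with your own.

```powershell
# Added example, not from the thread: restrict Exchange Online mailbox access
# to the corporate network with Client Access Rules, with a per-user exception.
# Requires the ExchangeOnlineManagement module; all values below are assumed.
Connect-ExchangeOnline

# Assumed corporate public egress ranges (constructed sample values).
$corpEgress = @('203.0.113.0/24', '198.51.100.10')

# 1. Guard rule first (lowest priority number = evaluated first): never deny
#    remote PowerShell, so a mistaken rule can always be removed.
New-ClientAccessRule -Name 'Always allow Remote PowerShell' `
    -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

# 2. Approved exception users may read mail from anywhere. Here they are marked
#    with CustomAttribute1 = 'RemoteMailOK' (assumed); the filter is OPATH syntax.
#    These users still need MFA, which is enforced by Azure AD, not by this rule.
New-ClientAccessRule -Name 'Allow remote mail for approved users' `
    -Action AllowAccess -Priority 2 `
    -UserRecipientFilter "CustomAttribute1 -eq 'RemoteMailOK'"

# 3. Everyone else: deny unless the client IP is inside the corporate ranges.
New-ClientAccessRule -Name 'Deny mailbox access from outside corp network' `
    -Action DenyAccess -Priority 3 `
    -ExceptAnyOfClientIPAddressesOrRanges $corpEgress

# Dry-run the rule set against a sample connection from outside the network
# (assumed user and address) before relying on it in production.
Test-ClientAccessRule -User 'alice@contoso.example' `
    -AuthenticationType OrganizationId -Protocol OutlookWebApp `
    -RemoteAddress 192.0.2.55 -RemotePort 443
```

Review the output of `Get-ClientAccessRule` and a few `Test-ClientAccessRule` runs (an internal address, an external address, an exception user) before leaving the deny rule enabled: rule evaluation stops at the first match, so ordering by `-Priority` is what makes the exception work. Microsoft has since announced the retirement of Client Access Rules in favour of Conditional Access, so treat this as an interim control rather than a long-term design.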