
Introducing Conditional Access by Network Location for SharePoint and OneDrive for Business

As showcased at Ignite in September 2016, we are bringing network location-based conditional access policy to SharePoint and OneDrive for Business to First Release starting 20 January 2017.


This policy can help prevent data leakage and can help meet regulatory requirements to prevent access from untrusted networks. IT administrators can limit access to specific network ranges from the SharePoint Admin console. Once configured, any user who attempts to access SharePoint and OneDrive for Business from outside the defined network boundary (using a web browser, desktop app, or mobile app on any device) will be blocked.


These policies will be available to all First Release commercial & GCC tenants, and will not require additional licensing.


Administrative Experience
Administrators need to be careful that the configured network ranges include the IP address from which their current admin session reaches the service. IP address ranges are strictly enforced, so entering a range that doesn’t include the administrator’s own address will lock out the admin session. If this happens, please contact support to reestablish connectivity.


By default, this policy is off. No restrictions at all will be enforced by SharePoint if this policy is left unconfigured. Configuration of this policy is completely optional.

 

If an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the AADP whitelist is interpreted first, followed by the SharePoint policy. As a result, a SharePoint administrator may choose to apply a policy which is more restrictive than that defined in AADP. However, a SharePoint administrator cannot enable access to an IP address range that is also prohibited by AADP.

Figure: Admin experience in the SharePoint Online admin console.
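The layered evaluation described above (AADP whitelist first, then the SharePoint policy, so SharePoint can only narrow what AADP permits) and the pre-save lock-out check from the start of this section, written out as an added Python example. This is not Microsoft's code and calls no SharePoint API; it models the behaviour the post describes. It assumes ranges are written in CIDR notation, that an unconfigured layer imposes no restriction, and that the administrator address to protect is the one the service sees for the current session; the sample ranges are constructed documentation addresses.

```python
"""Model of the layered IP allow-list evaluation described in the post.

Added example, not Microsoft's code. Assumptions (not stated on the page):
  - ranges are written in CIDR notation;
  - an unconfigured layer (None) imposes no restriction;
  - the administrator address to protect is the one the service sees
    for the current admin session.
"""
import ipaddress
from typing import List, Optional, Tuple


def parse_ranges(entries: List[str]):
    """Parse CIDR strings; strict=False tolerates host bits set (e.g. 203.0.113.10/24)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_ranges(ip: str, networks) -> bool:
    """True if ip falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate_access(client_ip: str,
                    aadp_allowlist: Optional[List[str]],
                    spo_allowlist: Optional[List[str]]) -> Tuple[bool, str]:
    """Apply the AADP whitelist first, then the SharePoint policy.

    A request must pass both layers, so the SharePoint list can only be more
    restrictive than AADP; it cannot re-open an address AADP already blocks.
    """
    if aadp_allowlist is not None and not in_ranges(client_ip, parse_ranges(aadp_allowlist)):
        return False, "blocked by AADP"
    if spo_allowlist is not None and not in_ranges(client_ip, parse_ranges(spo_allowlist)):
        return False, "blocked by SharePoint policy"
    return True, "allowed"


def validate_allowlist(admin_ip: str, entries: List[str]) -> List[str]:
    """Pre-save check: report malformed ranges and a list that would lock out the admin."""
    problems: List[str] = []
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            problems.append(f"invalid range: {entry}")
    if not in_ranges(admin_ip, networks):
        problems.append(f"admin address {admin_ip} is not inside any listed range; "
                        "saving would lock out this session")
    return problems


# Constructed sample ranges (RFC 5737 documentation addresses).
AADP_ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/24"]
SPO_ALLOWLIST = ["203.0.113.0/25"]                   # narrower than AADP: takes effect
SPO_TOO_BROAD = ["203.0.113.0/25", "192.0.2.0/24"]   # 192.0.2.0/24 is outside AADP: no effect


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.200", "198.51.100.5", "192.0.2.1"):
        print(ip, evaluate_access(ip, AADP_ALLOWLIST, SPO_ALLOWLIST))
    print("192.0.2.1 with broader SPO list:", evaluate_access("192.0.2.1", AADP_ALLOWLIST, SPO_TOO_BROAD))
    print(validate_allowlist("203.0.113.200", ["203.0.113.0/25", "not-a-range"]))
```

Running `validate_allowlist` against the address of the session that is about to press Save is the check the lock-out warning asks for; the second sample shows that adding 192.0.2.0/24 to the SharePoint list changes nothing for a client AADP already rejects.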

 

Finally, the SharePoint policy applies to all SharePoint services in the Office 365 tenant, including OneDrive for Business.


User Experience
All user access from inside the whitelisted address ranges will proceed as normal. However, users attempting to access SharePoint and OneDrive workloads from outside the whitelist will be blocked.

Figure: User experience when accessing SharePoint from a prohibited location.

 

Location-based conditional restrictions, when enforced, also prevent offline file sync via the OneDrive clients. In general, if your tenant contains content so sensitive it shouldn’t be viewed outside known networks, we would advise disabling sync entirely to prevent any content from leaving known network locations on remote devices. These policies prevent live access to SharePoint and OneDrive; however, they do not automatically detect if downloaded or offline synchronized content is on a client device which travels to a network outside the whitelisted range.

 

We’re excited about our new conditional access policies, and look forward to rolling out even more in the coming months. Thank you.

 

Frequently Asked Questions (FAQ)
Q. How will these policies affect access to other Office 365 services, such as Exchange?
A. There is no direct impact on any non-SharePoint services in Office 365. However, for collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when accessed outside the whitelist.

 

Q. Are conditional access policies by location available to government tenants?
A. Yes, these policies are available in the GCC cloud. We anticipate releasing these policies to other sovereign clouds later in 2017.

 

Q. Do these policies require additional licensing to enable the use of Azure Active Directory Premium or Office 365 E5?
A. No, these policies do not require those services or any additional licensing. If a customer is not using Azure Active Directory Premium, SharePoint policies will work as described to enable and/or prevent access based on network location.

 

Q. How do these policies affect access to on-premises installations of SharePoint Server?
A. These policies do not affect SharePoint Server, and we have no information about plans to include on-premises SharePoint Server in the scope of these access policies.

30 Comments

 Nice feature seems January is a busy month with new updates arriving :-)

Love the fact that you've made this available without requiring any additional licensing. I've been playing with it (well the PowerShell cmdlet) for a while now, works as advertised :)

 

 

Microsoft

We have done POC with many customers here in Pakistan and they are looking forward to deploying this feature very soon after the final release.

Occasional Contributor

Our needs would be more granular.  It's hard to work with vendors/clients when you can't do this by site collection, for example.

Contributor

I have to imagine this just made a lot of my regulated customers happy.

Contributor

Great feature! Hopefully this heralds a future iteration that allows for more granular control - at site collection level for example. Our ideal would be to provide a solution for our more sensitive data but not at the expense of preventing anytime/anywhere access to other content.

This is great news for regulated customers trying to implement a mobile strategy. 

Contributor

Does anyone know where the setting is for this? "if your tenant contains content so sensitive it shouldn’t be viewed outside known networks, we would advise disabling sync entirely"

Is this a powershell command or how is this achieved?

Visitor

Where do you configure the new feature "conditional access by network location"? 

Visitor

We may need the way to opt-out / edit this option in case incorrect IP range was set. Once you press <Save> with incorrect IP range, you may never be able to make a correction against it because you yourself will be rejected to access the admin console.

 

- Another warning dialog should be required when you press <Save> on the console, if you enable [Control access based on location] option.
- There should be admin-only URL so that the admin can edit IP range settings in case incorrect value was set.

Visitor

You can configure the "conditional access by network location" option at [Device Access] page in https://admin.onedrive.com/ after signing in to Office 365 as a company administrator.

Microsoft

For those who are looking for more granular options, i.e. by Site Collection, why would that make a difference? I'm trying to figure this out with a few of my customers, and I'm stuck on the "Authentication" piece being managed by Conditional Access, and the "Authorization" piece being managed, still, via permissions on site collections.
I think you would want to use Conditional Access to enable network access based on location as determined by Who the User Is, and then, subsequently, use permissions to determine which Site Collections that person would have access to.  I struggle to see how  the same user identity would have different access to different site collection depending on where they are. I think having the one lever of conditional access to handle authentication and the second lever of permissions should be enough, shouldn't it?

I expect there will be more conversations around this, so I'd like to understand why conditional access at the site collection level would be a requirement. 
Thanks - 
Owen Allen,
Cloud Productivity TSP

Occasional Visitor

Owen, I would want to restrict some of my staff from accessing content when not at work. i.e. If working from home then I don't want them to be able to sync content to their home PC , or an Internet cafe etc...

 

If they are at work, then fine they should be able to access whatever content they have permission to access, but away from work then they should be prevented. For managers or C-Level, a less restrictive policy would be applied.

 

Thanks

 

New Contributor

Looking forward to trying this, but wish there was a better mobile solution with non-Intune customers.

Occasional Visitor

Owen,

On the conditional access per site collection, in a regulated environment, like Healthcare, there is certain types of information, like PHI, that we only want access to approved devices.  Therefore, for a site collection where they may want to collaborate on information containing PHI, you would want to restrict based on IP of certain companies, domain approved devices, or InTune managed devices.  This would include not being able to access the content from personal devices.  However, other site collections, one may want to allow personal device collaboration and broader external collaboration, like say one was collaborating on building plans or a community program.  Right now, the Azure AD Conditional access would cover the broader access to service offering, such as SharePoint or Power BI.  What is needed at SharePoint level is the control at the site collection level, like we have sharing control at site collection level (i.e., some site collections can be externally shared and others not).

Occasional Visitor

Our case for conditional access per site collection would be when we set up a site collection for use as an extranet with a client of ours, and they want to lock access to that down to our location and theirs.

Microsoft

Jason, Chuck, and Thomas - good ideas for scenarios, thank you. As a field technology person, I also have to deal with these scenarios with my customers. I agree, it will be nice when Conditional Access can support the granularity that you are looking for. 

Microsoft

Appreciate all the dialog around this feature - we completely hear you on the potential to augment our scenarios with IP "blacklisting" and more granular site collection based controls. We'll factor those in, and I encourage everyone to continue the suggestions over on http://sharepoint.uservoice.com Thanks!

Contributor

Hello Chris.

 

Is this feature enabled? I could not see this on our O365 SharePoint - Admin center.

 

Will this feature also be added separately in OneDrive Admin Preview?

 

AK

New Contributor

I see the option on the OneDrive Admin client but NOT the SPO Admin center.  It would be nice to be able to know when features are being enabled for our tenant.

Occasional Visitor

I don't see any option in SPO Admin Center either. We are on Gov Cloud.

Microsoft

It was released on 1/20 to First Release commercial and GCC tenants - adding @Sameer Yadav to the thread to comment on the GCC (GovCloud) question.  Thanks!

Microsoft

 Hi Brian and Robert - Could you try logging in once more into your SPO admin center and look for the device access tab, and you should see this network location based policy.   

New Contributor

@Sameer Yadav - just tried.  Nope.  It is there for OneDrive Admin but not SPO Admin.  

Occasional Visitor

 @Sameer Yadav - I see it now in SPO Admin center. 

 

@Chris McNulty - I emailed you the other day. Any update on session timeout settings in SPO as we discussed at SPTech Con in Boston last year?

Microsoft

Brian I haven't seen the message - can you resend? No timing I can share publicly but it is an active research and design area for us now.

Occasional Visitor

What if users are using OneDrive outside the organization and they don't have fixed IP addresses to be allowed?

Occasional Visitor

Do we have an option to except one site from this rule?

Occasional Visitor

We don't see this option in our admin panel.  Is this feature still being rolled out?  If so, is there any way to know approximately when it will available to us?  

 

Thanks!

Occasional Visitor

Hi,

 

Can we achieve the control access based on IP location using a private IP address range alone?