As showcased at Ignite in September 2016, we are bringing network location-based conditional access policy to SharePoint and OneDrive for Business to First Release starting 20 January 2017.
This policy can help prevent data leakage and can help meet regulatory requirements to prevent access from untrusted networks. IT administrators can limit access to specific network ranges from the SharePoint Admin console. Once configured, any user who attempts to access SharePoint and OneDrive for Business from outside the defined network boundary (using web browser, desktop app, or mobile app on any device) will be blocked.
These policies will be available to all First Release commercial & GCC tenants, and will not require additional licensing.
Administrative Experience
Administrators need to be careful that any network ranges include the IP address of their current machine. IP address ranges are strictly enforced, so entering a range that doesn’t include the administrator’s machine will lock out the admin session. If this happens, please contact support to reestablish connectivity.
By default, this policy is off. No restrictions at all will be enforced by SharePoint if this policy is left unconfigured. Configuration of this policy is completely optional.
If an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the AADP whitelist is interpreted first, followed by the SharePoint policy. As result, a SharePoint administrator may choose to apply a policy which is more restrictive than that defined in AADP. However, a SharePoint administrator cannot enable access to an IP address range that is also prohibited by AADP.
Admin experience in the SharePoint Online admin console.
Finally, the SharePoint policy applies to all SharePoint services in the Office 365 tenant, including OneDrive for Business.
User Experience
All user access from inside the whitelisted address ranges will proceed as normal. However, users attempting to access SharePoint and OneDrive workloads from outside the white list will be blocked.
User experience when accessing SharePoint from a prohibited location.
Location based conditional restrictions, when enforced, also prevent file offline sync via the OneDrive clients. In general, if your tenant contains content so sensitive it shouldn’t be viewed outside known networks, we would advise disabling sync entirely to prevent any content from leaving known network locations on remote devices. These policies prevent live access to SharePoint and OneDrive; however, they do not automatically detect if downloaded or offline synchronized content is on a client device which travels to a network outside the whitelisted range.
We’re excited about our new conditional access policies, and look forward to rolling out even more in the coming months, Thank you.
Frequently Asked Questions (FAQ)
Q. How will these policies affect access to other Office 365 services, such as Exchange?
A. There is not direct impact on any non-SharePoint services in Office 365. However, for collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when accessed outside the whitelist.
Q. Are conditional access policies by location available to government tenants?
A. Yes, these policies are available in the GCC cloud. We anticipate releasing these policies to other sovereign clouds later in 2017.
Q. Do these policies require additional licensing to enable the use of Azure Active Directory Premium or Office 365 E5?
A. No, these policies do not require those services or any additional licensing. If a customer is not using Azure Active Directory Premium, SharePoint policies will work as described to enable and/or prevent access based on network location.
Q. How do these policies affect access to on premises installation of SharePoint Server?
A. These policies do not affect SharePoint Server, and we have no information about plans to include on premises SharePoint Sever in the scope of these access policies.