Introducing Conditional Access by Network Location for SharePoint and OneDrive for Business
Published Jan 13 2017 11:57 PM 52.5K Views
Microsoft

As showcased at Ignite in September 2016, we are bringing network location-based conditional access policy to SharePoint and OneDrive for Business to First Release starting 20 January 2017.

This policy can help prevent data leakage and can help meet regulatory requirements to prevent access from untrusted networks. IT administrators can limit access to specific network ranges from the SharePoint Admin console. Once configured, any user who attempts to access SharePoint and OneDrive for Business from outside the defined network boundary (using web browser, desktop app, or mobile app on any device) will be blocked.

These policies will be available to all First Release commercial & GCC tenants, and will not require additional licensing.

Administrative Experience
Administrators need to be careful that any network ranges include the IP address of their current machine. IP address ranges are strictly enforced, so entering a range that doesn’t include the administrator’s machine will lock out the admin session. If this happens, please contact support to reestablish connectivity.

By default, this policy is off. No restrictions at all will be enforced by SharePoint if this policy is left unconfigured. Configuration of this policy is completely optional.

If an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the AADP whitelist is interpreted first, followed by the SharePoint policy. As a result, a SharePoint administrator may choose to apply a policy which is more restrictive than that defined in AADP. However, a SharePoint administrator cannot enable access to an IP address range that is also prohibited by AADP.
Admin experience in the SharePoint Online admin console.
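The two points above, that the admin's own address must be inside the saved ranges and that the AADP list is evaluated before the SharePoint list, are easy to get wrong when a tenant runs both. The following is an added example, not Microsoft's code and not the service's actual implementation: it models the layered evaluation and the pre-save lock-out check. All addresses and ranges in it are constructed sample values.

```python
# Added example (not Microsoft's code): a small model of how the two layered
# allow-lists described above combine. The AADP list is evaluated first, then
# the SharePoint list, so SharePoint can only narrow access, never widen it.
# It also performs the lock-out check from "Administrative Experience": the
# admin's current address must fall inside the SharePoint ranges before saving.
# Every address and range here is a constructed sample value.
import ipaddress
from typing import Optional


def parse_ranges(text: str):
    """Parse the comma-separated CIDR list the admin console accepts."""
    return [ipaddress.ip_network(part.strip(), strict=True)
            for part in text.split(",") if part.strip()]


def allowed_by(ip: str, ranges) -> bool:
    """True when ip falls inside at least one range of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def effective_decision(ip: str, aadp_ranges: Optional[list], sp_ranges: Optional[list]) -> str:
    """Combine both layers. None means that layer is not configured, so it
    imposes no restriction (the post: the policy is off by default)."""
    if aadp_ranges is not None and not allowed_by(ip, aadp_ranges):
        return "blocked by AADP"
    if sp_ranges is not None and not allowed_by(ip, sp_ranges):
        return "blocked by SharePoint policy"
    return "allowed"


def safe_to_save(new_sp_text: str, admin_ip: str):
    """Pre-save check for the lock-out warning: refuse a list that would
    exclude the session the admin is saving it from."""
    ranges = parse_ranges(new_sp_text)
    if not allowed_by(admin_ip, ranges):
        return False, f"{admin_ip} is outside every range; saving would lock out this session"
    return True, "ok"


if __name__ == "__main__":
    aadp = parse_ranges("203.0.113.0/24, 198.51.100.0/24")  # constructed: AADP named locations
    sp = parse_ranges("203.0.113.0/24")                     # constructed: narrower SharePoint list
    for ip in ("203.0.113.7", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", effective_decision(ip, aadp, sp))
    print(safe_to_save("203.0.113.0/24", admin_ip="192.0.2.1"))
```

Note that an entry permitted only by the SharePoint list never restores access that AADP denies: the first layer has already returned its block before the second is consulted.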

Finally, the SharePoint policy applies to all SharePoint services in the Office 365 tenant, including OneDrive for Business.

User Experience
All user access from inside the whitelisted address ranges will proceed as normal. However, users attempting to access SharePoint and OneDrive workloads from outside the white list will be blocked.
User experience when accessing SharePoint from a prohibited location.

Location based conditional restrictions, when enforced, also prevent file offline sync via the OneDrive clients. In general, if your tenant contains content so sensitive it shouldn’t be viewed outside known networks, we would advise disabling sync entirely to prevent any content from leaving known network locations on remote devices. These policies prevent live access to SharePoint and OneDrive; however, they do not automatically detect if downloaded or offline synchronized content is on a client device which travels to a network outside the whitelisted range.

We’re excited about our new conditional access policies, and look forward to rolling out even more in the coming months. Thank you.

Frequently Asked Questions (FAQ)
Q. How will these policies affect access to other Office 365 services, such as Exchange?
A. There is no direct impact on any non-SharePoint services in Office 365. However, for collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when accessed outside the whitelist.

Q. Are conditional access policies by location available to government tenants?
A. Yes, these policies are available in the GCC cloud. We anticipate releasing these policies to other sovereign clouds later in 2017.

Q. Do these policies require additional licensing to enable the use of Azure Active Directory Premium or Office 365 E5?
A. No, these policies do not require those services or any additional licensing. If a customer is not using Azure Active Directory Premium, SharePoint policies will work as described to enable and/or prevent access based on network location.

Q. How do these policies affect access to on-premises installations of SharePoint Server?
A. These policies do not affect SharePoint Server, and we have no information about plans to include on-premises SharePoint Server in the scope of these access policies.

49 Comments
Deleted
Not applicable

Nice feature, seems January is a busy month with new updates arriving :)

Love the fact that you've made this available without requiring any additional licensing. I've been playing with it (well the PowerShell cmdlet) for a while now, works as advertised :)

Microsoft

We have done POC with many customers here in Pakistan and they are looking forward to deploy this feature very soon after the final release.

Brass Contributor

Our needs would be more granular.  It's hard to work with vendors/clients when you can't do this by site collection, for example.

Deleted
Not applicable

I have to imagine this just made a lot of my regulated customers happy.

Brass Contributor

Great feature! Hopefully this heralds a future iteration that allows for more granular control - at site collection level for example. Our ideal would be to provide a solution for our more sensitive data but not at the expense of preventing anytime/anywhere access to other content.

This is great news for regulated customers trying to implement a mobile strategy. 

Steel Contributor

Does anyone know where the setting is for this? "if your tenant contains content so sensitive it shouldn’t be viewed outside known networks, we would advise disabling sync entirely"

Is this a powershell command or how is this achieved?

Copper Contributor

Where do you configure the new feature "conditional access by network location"? 

Copper Contributor

We may need a way to opt out of / edit this option in case an incorrect IP range was set. Once you press <Save> with an incorrect IP range, you may never be able to make a correction against it because you yourself will be denied access to the admin console.

- Another warning dialog should be required when you press <Save> on the console, if you enable [Control access based on location] option.
- There should be admin-only URL so that the admin can edit IP range settings in case incorrect value was set.

Copper Contributor

You can configure the "conditional access by network location" option at [Device Access] page in https://admin.onedrive.com/ after signing in to Office 365 as a company administrator.

Microsoft

For those who are looking for more granular options, i.e. by Site Collection, why would that make a difference? I'm trying to figure this out with a few of my customers, and I'm stuck on the "Authentication" piece being managed by Conditional Access, and the "Authorization" piece being managed, still, via permissions on site collections.
I think you would want to use Conditional Access to enable network access based on location as determined by Who the User Is, and then, subsequently, use permissions to determine which Site Collections that person would have access to.  I struggle to see how  the same user identity would have different access to different site collection depending on where they are. I think having the one lever of conditional access to handle authentication and the second lever of permissions should be enough, shouldn't it?

I expect there will be more conversations around this, so I'd like to understand why conditional access at the site collection level would be a requirement. 
Thanks - 
Owen Allen,
Cloud Productivity TSP

Copper Contributor

Owen, I would want to restrict some of my staff from accessing content when not at work. i.e. If working from home then I don't want them to be able to sync content to their home PC , or an Internet cafe etc...

If they are at work, then fine they should be able to access whatever content they have permission to access, but away from work then they should be prevented. For managers or C-Level, a less restrictive policy would be applied.

Thanks

Copper Contributor

Looking forward to trying this, but wish there was a better mobile solution with non-Intune customers.

Copper Contributor

Owen,

On the conditional access per site collection, in a regulated environment, like Healthcare, there is certain types of information, like PHI, that we only want access to approved devices.  Therefore, for a site collection where they may want to collaborate on information containing PHI, you would want to restrict based on IP of certain companies, domain approved devices, or InTune managed devices.  This would include not being able to access the content from personal devices.  However, other site collections, one may want to allow personal device collaboration and broader external collaboration, like say one was collaborating on building plans or a community program.  Right now, the Azure AD Conditional access would cover the broader access to service offering, such as SharePoint or Power BI.  What is needed at SharePoint level is the control at the site collection level, like we have sharing control at site collection level (i.e., some site collections can be externally shared and others not).

Copper Contributor

Our case for conditional access per site collection would be when we set up a site collection for use as an extranet with a client of ours, and they want to lock access to that down to our location and theirs.

Microsoft

Jason, Chuck, and Thomas - good ideas for scenarios, thank you. As a field technology person, I also have to deal with these scenarios with my customers. I agree, it will be nice when Conditional Access can support the granularity that you are looking for. 

Microsoft

Appreciate all the dialog around this feature - we completely hear you on the potential to augment our scenarios with IP "blacklisting" and more granular site collection based controls.  We'll factor those in, and I encourage everyone to continue the suggestions over on http://sharepoint.uservoice.com Thanks!

Brass Contributor

Hello Chris.

Is this feature enabled? I could not see this on our O365 SharePoint - Admin center.

Will this feature also be added separately in OneDrive Admin Preview?

AK

Copper Contributor

I see the option on the OneDrive Admin client but NOT the SPO Admin center.  It would be nice to be able to know when features are being enabled for our tenant.

Copper Contributor

I don't see any option in SPO Admin Center either. We are on Gov Cloud.

Microsoft

It was released on 1/20 to First Release commercial and GCC tenants - adding @Sameer Yadav to the thread to comment on the GCC (GovCloud) question.  Thanks!

Microsoft

 Hi Brian and Robert - Could you try logging in once more into your SPO admin center and look for the device access tab, and you should see this network location based policy.   

Copper Contributor

@Sameer Yadav - just tried.  Nope.  It is there for OneDrive Admin but not SPO Admin.  

Copper Contributor

 @Sameer Yadav - I see it now in SPO Admin center. 

@Chris McNulty - I emailed you the other day. Any update on session timeout settings in SPO as we discussed at SPTech Con in Boston last year?

Microsoft

Brian I haven't seen the message - can you resend?  No timing I can share publicly but it is an active research and design area for us now.

Copper Contributor

What if users are using OneDrive outside the organization and they don't have fixed IP addresses to be allowed?

Copper Contributor

Do we have an option to exempt one site from this rule?

Copper Contributor

We don't see this option in our admin panel.  Is this feature still being rolled out?  If so, is there any way to know approximately when it will available to us?  

Thanks!

Copper Contributor

Hi,

Can we achieve the control access based on IP location using a private IP address range alone?

Microsoft

How's it going on Private IP?

Is there any requirement about IP addresses?

Copper Contributor

Does anyone have any updates / news about restricting access based on network location by site collection?  It's not usable by our company in its current implementation.  Ideally, we'd have a SharePoint Online site collection similar to an internal file server.  That would be restricted based on our network IP range at the office.

However, we also want to be able to use sharepoint to collaborate and share externally so we would have different site collections for this with different access restrictions.

Right now, it's an all or nothing approach.  

Brass Contributor

I agree, this is still a large need for us, and it prevents us from using SharePoint Online to collaborate with some of our clients who require it.

Copper Contributor

This seems to break a lot of functionality for me. And my assigned support rep has been able to recreate in his environment also. When IP restrictions are on, OneNote can't provision the default notebooks, and for users with a notebook there is a nag banner about that in the web client all the time. Also users are "timed out" of editing documents after 3-8 min in the web client whenever IP restrictions are on.

Copper Contributor

Is it possible to restrict one particular SharePoint online Team site with IP address range? Other sites can be opened anywhere.

Brass Contributor

Hi - can we have an update on the general thinking with this feature and whether or not it might be introduced at site collection level? I'm prompted by the post 5 hours ago about site collection specific IP restrictions. This was hinted/discussed a fairly long time ago and would be an excellent feature that would help address lots of security issues for us. Something similar already exists for external sharing restrictions which can be both at tenant and site collection level.

For example, we have a current project where we will be creating some planning, analysis and evidence capture artifacts in a particular site collection. This site collection will be accessed from a finite number of sites and on occasion by staff using VPN solutions such that an IP restriction would be of significant advantage and allow us to rely on both the physical security of the associated locations as well as device security of the associated networks. We don't have the same requirement for other content and IP range restrictions would be a burden rather than an advantage for all other site collections.

Copper Contributor

Any plans to make this restriction available at the site level?

Brass Contributor

Dear Friends, I need to activate internal network access only. Anyone from outside our network shouldn't be able to access SharePoint or OneDrive. My company IP range is 172.16.1.5 to 172.16.1.254. Can anyone help to solve how to enter the details? I tried but am getting an error as shown in the below image.

SharePoint admin center — Mozilla Firefox.jpg

Copper Contributor

Do you need only to enter the ip's of the internal LAN? So not the public ip addresses??

Plus @jabbarsh your /24 overlaps the single IP you've put in there.

Brass Contributor

Dear Nick_DS, Very much appreciated your response.
Do you need only to enter the IP's of the internal LAN? Yes, I would like to enter the IP range, so that our staff can only access this when they are at the office. How do I enter the IP range if possible, and in which format?

Copper Contributor

@jabbarsh Actually that was a question for me ? :)

Do I just need to enter the ip's of the internal LAN? Or the public ip addresses as well?? Or only the public ip addresses?

@jabbarsh for a whole LAN Range like 172.16.1-.254, you can use 172.16.1.0/24

For 16.5-.254, that does not exist I think.

Brass Contributor

@jabbarsh Actually that was a question for me ? :) Sorry :)

Do I just need to enter the ip's of the internal LAN? yes exactly.

"@jabbarsh for a whole LAN Range like 172.16.1-.254, you can use 172.16.1.0/24

For 16.5-.254, that does not exist I think."

I tried with this - "172.16.1.0/24" and it throws an error which says - "Make sure the IP addresses and ranges are separated by commas, use CIDR notation, and don't overlap. Also make sure you allow your current IP address."

Copper Contributor

@jabbarsh Actually that was a question for me ? :) Sorry :)

Do I just need to enter the ip's of the internal LAN? yes exactly.

So, if a hacker on the other side of the world has the same local ip range, he CAN just access it??  Then where the **bleep** is the security??

And what would happen if you just enter 172.16.1.0 

so without the /24 (although that is the correct CIDR I would guess)

Brass Contributor

ok, So tell me how can I set this up. Please guide in this.

Copper Contributor

I tried using 192.168.1.0 AND 192.168.1.0/24

but then the users were blocked anyhow...

I opened a ticket with Microsoft, but it looks as even they don't know how to do it.....

Copper Contributor

It will not work on internal IPs. It has to be public IP. 
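The error jabbarsh quoted earlier in this thread lists the console's conditions (comma-separated entries, CIDR notation, no overlap, current address included), and the reply just above explains why a LAN range never matched: the service sees the public source address of the request. The following is an added example, not Microsoft's code and not posted by anyone in this thread: a validator that applies those same conditions before anything is saved, warns on RFC 1918 entries on the assumption that office traffic reaches the service through NAT, and shows how an inclusive range such as 172.16.1.5 to 172.16.1.254 is expressed as CIDR blocks. All sample addresses are constructed.

```python
# Added example (not Microsoft's or any commenter's code). It checks an
# allow-list against the conditions in the console error quoted in the thread
# (entries separated by commas, CIDR notation, no overlap, current address
# included) and flags RFC 1918 entries, on the assumption that requests reach
# the service from a public NAT address. range_to_cidrs() shows how an
# inclusive range such as 172.16.1.5-172.16.1.254 is written as CIDR blocks.
# All sample addresses are constructed.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_allow_list(text):
    """Return (networks, errors) for a comma-separated list of CIDR entries."""
    nets, errors = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            errors.append(f"{entry}: not CIDR notation (use /32 for a single IPv4 address)")
            continue
        try:
            # strict=True rejects host bits set, e.g. 203.0.113.5/24
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return nets, errors


def find_overlaps(nets):
    """Every pair of entries that overlap, e.g. a /24 plus a /32 inside it."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def validate_allow_list(text, current_ip):
    """Mirror the console's checks and warn about private (RFC 1918) ranges."""
    nets, problems = parse_allow_list(text)
    problems += [f"{a} overlaps {b}" for a, b in find_overlaps(nets)]
    cur = ipaddress.ip_address(current_ip)
    if nets and not any(cur in n for n in nets):
        problems.append(f"current address {cur} is not in any range: saving would lock you out")
    warnings = [f"{n} is an RFC 1918 range; requests arrive from a public NAT address and will not match"
                for n in nets if n.version == 4 and any(n.subnet_of(p) for p in RFC1918)]
    return {"ok": not problems, "problems": problems, "warnings": warnings, "networks": nets}


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering an inclusive address range."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    # constructed: the /24 plus a /32 inside it reproduces the overlap error from the thread
    print(validate_allow_list("172.16.1.0/24, 172.16.1.5/32", "172.16.1.5"))
    # constructed: a public /24 plus a single public /32, saved from inside the /24
    print(validate_allow_list("203.0.113.0/24, 198.51.100.7/32", "203.0.113.9"))
    print(range_to_cidrs("172.16.1.5", "172.16.1.254"))
```

A range that does not start and end on a block boundary, such as 172.16.1.5 to 172.16.1.254, cannot be a single CIDR entry; summarize_address_range() returns the thirteen blocks that cover exactly those 250 addresses, which is why the thread's "that does not exist" answer was right about a single entry but not about the range as a whole.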

Copper Contributor

Ok so I added only the public IP addresses and then it seems to work better. I added like 7 different addresses in the form of 55.55.55.55/32

Now let's say

location A has public ip address 81.82.233.5

location B has public ip address 81.82.245.8

There is also an IPsec tunnel between those locations because of the presence of a local NAS at one location.

But at location A it lets them ALLOW to work/open the documents in Teams and also in Sharepoint, but it does not allow the users to create a new Team, nor can they move documents from ?!?

When they make an openvpn connection to location B, it DOES work ????

Copper Contributor

Sorry, was too fast to submit:

But at location A it lets them ALLOW to work/open the documents in Teams and also in Sharepoint, but it does not allow the users to create a new Team, nor can they move documents from one team to another and changing the names of the documents is not possible either?!?

When they make an openvpn connection to location B, it all DOES work ????

But, even stranger.

The person at location B cannot do those operation either.

However the person at location HAS automatically ip 81.82.245.8  and when the person from location A is connected to the openvpn the ip is also 81.82.245.8

WTF ??

Copper Contributor

update:  I have a server at location B with hyper-V and a vm with windows 10; if I log in with the same user, it DOES work fine....

Both are added to "endpoint manager", so no difference in that.

my head is going to explode :)

Version history
Last update: Jan 24 2017 12:10 PM