access only on network


A quick question here for the community:

Requirement: No access to Office365 when outside the Corp network.

So we have ADFS and CA policies that I have played around with, but the underlying problem is as follows:


1. User signs in to a rich client (Outlook on Windows / mobile apps) while on the corp network.
2. User goes home, i.e. is basically off the corp network, and is still signed in; in other words, access is not really restricted to just the "corp network".

With browsers, it's fairly straightforward: a session expires and the next sign-in then follows the respective control, whether ADFS claim rules or CA policies.

The challenge here is with rich clients that use access and refresh tokens and stay signed in even outside the network.

Has anyone found an approach that truly restricts access to only the corp network/VPN?


Generally speaking, conditional access (when used with the location condition) should invalidate tokens. One thing you can try is reducing the token lifetime, as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...

This method will soon go away though, so maybe wait a bit for the replacement.
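To make the mechanism behind the question and the reply concrete, here is a small constructed model of an OAuth-style token service, added as an example for this thread (it is not Azure AD, ADFS or the poster's own code). It assumes a made-up corp range (10.0.0.0/8), made-up token lifetimes, and a rich client that keeps calling the resource and refreshes only when its access token has expired. The point it shows: if the location condition is re-evaluated when the client refreshes, the residual off-network window is just the remaining access-token lifetime, which is why shortening that lifetime helps; if location is only checked at sign-in, the refresh token keeps the client signed in until it expires.

```python
"""Constructed model of access/refresh tokens vs. a network-location condition.

Not Azure AD / ADFS code: the IP range, lifetimes and client behaviour are
assumptions chosen to illustrate the thread's point.
"""
import ipaddress
from dataclasses import dataclass

# Constructed corp address space; a real policy would use named locations.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed refresh-token lifetime (long-lived, as for a rich client).
REFRESH_TOKEN_LIFETIME = 90 * 24 * 3600  # seconds


def is_corp_ip(ip: str) -> bool:
    """True if the client address falls inside the corp network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


@dataclass
class Tokens:
    access_expires: int   # absolute time (seconds) the access token stops working
    refresh_expires: int  # absolute time (seconds) the refresh token stops working


class TokenService:
    """Issues tokens; optionally re-applies the location condition at refresh."""

    def __init__(self, access_lifetime: int, enforce_location_on_refresh: bool):
        self.access_lifetime = access_lifetime
        self.enforce_location_on_refresh = enforce_location_on_refresh

    def sign_in(self, now: int, client_ip: str) -> Tokens:
        # Interactive sign-in always evaluates the location condition.
        if not is_corp_ip(client_ip):
            raise PermissionError("sign-in blocked: not on corp network")
        return Tokens(now + self.access_lifetime, now + REFRESH_TOKEN_LIFETIME)

    def refresh(self, now: int, client_ip: str, tokens: Tokens) -> Tokens:
        if now >= tokens.refresh_expires:
            raise PermissionError("refresh token expired")
        # The gap in the question: without this check a rich client that left
        # the network keeps getting fresh access tokens.
        if self.enforce_location_on_refresh and not is_corp_ip(client_ip):
            raise PermissionError("refresh blocked: not on corp network")
        return Tokens(now + self.access_lifetime, tokens.refresh_expires)


def resource_allows(now: int, tokens: Tokens) -> bool:
    """A resource (e.g. mailbox API) only checks that the access token is unexpired."""
    return now < tokens.access_expires


def off_network_exposure(access_lifetime: int, enforce_location_on_refresh: bool,
                         leave_at: int, step: int = 60,
                         horizon: int = 7 * 24 * 3600) -> int:
    """Seconds of continued access after the user leaves the corp network.

    The user signs in at t=0 from a corp IP, leaves at `leave_at`, and the
    client keeps polling the resource every `step` seconds from an external IP
    (constructed: 203.0.113.7), refreshing only once its access token expires.
    """
    svc = TokenService(access_lifetime, enforce_location_on_refresh)
    tokens = svc.sign_in(0, "10.1.2.3")  # constructed corp client address
    t, last_ok = leave_at, None
    while t < horizon:
        if not resource_allows(t, tokens):
            try:
                tokens = svc.refresh(t, "203.0.113.7", tokens)
            except PermissionError:
                break  # client is now locked out
        last_ok = t
        t += step
    return 0 if last_ok is None else last_ok - leave_at + step


if __name__ == "__main__":
    print("1h token, location checked at refresh:",
          off_network_exposure(3600, True, leave_at=1800), "s")
    print("15m token, location checked at refresh:",
          off_network_exposure(900, True, leave_at=600), "s")
    print("1h token, location checked only at sign-in:",
          off_network_exposure(3600, False, leave_at=1800), "s")
```

Running it shows 1800 s of residual access with a one-hour token and the condition re-applied at refresh, 300 s with a 15-minute token, and access for the whole simulated week when the condition is only evaluated at interactive sign-in. The residual window is the part that shortening the access-token lifetime squeezes; the third case is the behaviour the question describes.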