access only on corp network

A quick question here for the community:

Requirement: No access to Office365 when outside the Corp network.

So we have ADFS and CA policies that I have played around with, but the underlying problem is as follows:


1. User signs in to a rich client (Outlook on Windows / mobile apps) while on the corp network.
2. User goes home (basically off the corp network) and is still signed in, or in other words is not really restricted to just the "corp network".

With browsers, it's fairly straightforward: a session expires and the next sign-in then follows the respective control, whether ADFS claim rules or CA policies.

The challenge here is with rich clients that use access and refresh tokens and stay signed in even outside the network.

Has anyone found an approach that truly restricts access to only the corp network/VPN?

The user should be blocked after about 60 minutes when the access token expires, even if they change networks.  Token lifetimes are configurable, so you can reduce that if you need to.  See this article: https://www.risual.com/2018/01/17/modern-authentication-tokens/
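
The behaviour discussed in this thread, as a simplified model added here (not code from either poster and not the real ADFS/Azure AD token service): a cached access token keeps working from any network until it expires, and the location rule is only evaluated when the client returns to the token endpoint. The corp range, the IP addresses and the timeline are constructed assumptions; the 60-minute lifetime is the figure from the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: corp egress range (constructed, documentation address space).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ACCESS_TOKEN_LIFETIME_MIN = 60  # "about 60 minutes" per the reply above


def on_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


@dataclass
class Client:
    access_expires_at: Optional[int] = None  # minute the access token expires


def token_endpoint(client: Client, now: int, ip: str) -> bool:
    """Sign-in or refresh-token redemption: the location rule is checked here."""
    if not on_corp_network(ip):
        client.access_expires_at = None  # nothing issued from outside
        return False
    client.access_expires_at = now + ACCESS_TOKEN_LIFETIME_MIN
    return True


def call_resource(client: Client, now: int, ip: str) -> str:
    """A still-valid access token is accepted regardless of the client network;
    an expired or missing one forces a trip to the token endpoint."""
    if client.access_expires_at is not None and now < client.access_expires_at:
        return "allowed (cached access token)"
    return "allowed (token renewed)" if token_endpoint(client, now, ip) else "blocked"


def simulate(timeline):
    client = Client()
    return [(t, ip, call_resource(client, t, ip)) for t, ip in timeline]


# Constructed timeline: (minute, client IP)
TIMELINE = [
    (0, "203.0.113.10"),    # sign-in at the office
    (65, "203.0.113.10"),   # token expired, renewed while still at the office
    (100, "198.51.100.7"),  # user is home; token from minute 65 is still valid
    (126, "198.51.100.7"),  # token expired; renewal attempted from home
]

if __name__ == "__main__":
    for row in simulate(TIMELINE):
        print(row)
```

In this model the off-network window is bounded by the access token lifetime, which is why shortening that lifetime shortens the window.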