
Prevent users signing into O365 via browser outside of the office

Hi all,
I'm investigating securing O365 use & access, and hoping to save costs of licencing.

Is there a way, outside of buying extra licences (e.g. EMS E3) or conditional access, to prevent users signing into O365 via browser outside of the office but still allow them to work normally in the office with normal installed Office apps and services (Outlook, OneDrive, SharePoint etc.)?
The aim is to only buy extra licences for users who are approved to sign in to O365 when outside of the office.

I hope that makes sense, any advice appreciated :)
Thanks, Jezb
6 Replies

If you don't want to pay for EMS, your only option is to use AD FS (or other type of federation) and configure restrictions via claims rules.


I'm not sure if these new controls in SharePoint need you to have the licensing for AzureAD Premium?

https://support.office.com/en-us/article/control-access-from-unmanaged-devices-5ae550c4-bd20-4257-84...

Strictly speaking, 'SharePoint Limited Access' requires an Azure Active Directory Premium P2 license - see https://azure.microsoft.com/en-gb/pricing/details/active-directory/

Thanks Vasil, I'll look into that.
Jez

Thanks Steve, I'll have a look at those as well. :)

You have not mentioned your company size. ADFS ideally requires multiple servers, possibly in more than one site, for HA and then DR. Also with application proxies (WAP server) to protect the ADFS requests from the internet. Each of these needs load balancers and Windows Server licences. One reason for needing ADFS in the past was to block legacy auth, but that has just turned up in AAD Premium 1 licences.

So that said, maybe AADP1 licences are not as expensive as ADFS, and you get a load more with AAD than just your authentication platform.