Conditional Access in SharePoint Online and OneDrive for Business
Published Feb 16 2017 06:03 PM 32.2K Views
Microsoft

@williambaer

 

The days of the corporate boundary beginning at the firewall are over, today’s corporate boundary is the end user.  Connectivity is ubiquitous and with an endless number of devices available, people have an increasing number of options for staying connected at anytime, anywhere.

 

The freedom to work fluidly, independent of location has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications.  IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

 

SharePoint Online and OneDrive for Business are uniquely positioned to respond to today’s evolving security challenges.  As a first step to providing administrators security and control in a mobile and connected world are conditional access policies.  Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device.  Conditional access policies with SharePoint and OneDrive allow administrators define policies that provide contextual controls at the user, location, device, and app levels.

 

In January we made available to First Release Tenants location-based policies which allow administrators to limit access to content from defined networks.  These policies ensure content can only be access when someone is connected to the defined network, denying access outside of that boundary – whether the content is access via a browser, application, or mobile app.

 

Configuring Location-Based Policies

To configure location-based policies:

 

Navigate to the SharePoint Admin Center in Office 365 and select device access from the list of available options (see illustration).

 

SettingsConditionalAccess.png

On the Restrict access based on device or network location page navigate to Control access based on network location and specify a range of allowed IP addresses (see illustration).

 

DevicePolicy.png

 

In scenarios where an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, this policy is prioritized, followed by the SharePoint policy; however, the specified ranges should not be in conflict of one another.  To learn more about conditional access in Azure Active Directory see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access.

 

Conditional access policies are just one of a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time.  To learn more about how Office 365 safeguards your data while increasing employee productivity see https://www.microsoft.com/en-us/trustcenter/cloudservices/office365.

 

FaQ

Q: Is location-based policy limited to SharePoint Online and OneDrive for Business?
A: Location-based policy, as configured through the SharePoint Admin Center are limited to SharePoint Online, OneDrive for Business, and Groups.

Q:  Is location-based policy available to E3?
A:  Yes.  Location-based policy is available to E3 Tenants?

Q:  Does location-based policy require Azure Active Directory Premium?
A:  No, location-based policy does not require Azure Active Directory Premium.

9 Comments
Iron Contributor

I'm hesitant to test this feature and wanted to ask if you could clarify something.

 

The default text in the still empty textarea says at the end: "Please double check your current IP address before saving to ensure you are not locked out."
I'm not 100% sure what area I would be locked out of. My interpretation and worst case guess is that "locked out" is implying a non-reversible setting by also applying the access control to the Admin Center - otherwise there would be no "locked out" situation.

 

I see three indicators that the Admin Center is not affected by this setting.
1) Text in the subheader of the configuration page: "These settings apply to content in SharePoint, OneDrive and Office 365 gorups."
2) Text in your post above: "These policies ensure content can only be access when someone is connected to the defined network" - assuming by "content" you are referring to the same content referred to in the subheader of the configuration page.
3) 1st FAQ in your post above: "Location-based policy, as configured through the SharePoint Admin Center are limited to SharePoint Online, OneDrive for Business, and Groups."

 

Those three indicators lead me to believe that the Admin Center is not affected by this.
Then again: If this is the case then there it is impossible to lock myself out of anything.

 

I would appreciate if you could clarify this little detail before I'll go ahead and test this ;)

 

Thanks & Cheers

Microsoft

@Johannes Weiser As a Tenant Administrator you will want to use caution when configuration location-based policy so that the IP range of your machine is not included in the policy.  IP address ranges configured in policy are strictly enforced, so entering a range that doesn’t include your machine will lock out the admin session.  In the event this happens, please contact support to reestablish connectivity.

Iron Contributor

@Bill Baer Thanks for clarifying that not only content but the admin center itself is also affected by this! I'll definitely make sure to use caution when configuring this policy.

Copper Contributor

Hi I'm assuming Azure Application Gateway (reverse proxy as well as third-party reverse proxies (e.g. F5)) is also an option to perform IP white-listing?

Copper Contributor
Hi there, thanks for this article. I am confusing about the IP, can I use an internal IP to set the rules(like 192.168.1.155)? Or do I need to fill with a public IP address(like 202.113.11.154)?
Copper Contributor

Hi there,

 

Can location-based policy be set at the user level?  

Is this policy also enforced when users attempt access through Sharepoint Mobile?  

 

Many thanks for your help.

 

Iron Contributor

We have turned this feature on, and unfortunately it blocks several backend connections to other services and products such as Flow and SharePoint 2013 Workflows. There is no telling what other services this is affecting. An article here (https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...), seems like it would be useful in providing the proper IP Addresses to make sure all O365 services are still working, but we have tried adding from the full XML list here and the SharePoint 2013 Workflows continue to be broken.

Copper Contributor

@Bill Baer  Can location-based policy be set at the user level?  

Is this policy also enforced when users attempt access through Sharepoint Mobile?  

 

Many thanks for your help.

Copper Contributor

 

 

Version history
Last update:
‎Apr 28 2018 11:56 AM
Updated by: