Jul 12 2019 08:47 PM - last edited on Feb 01 2023 09:36 AM by TechCommunityAP
Dear Folks,
Here I am back with a question, a tricky one this time.
My scenario is based upon Conditional Access for location-based access control over cloud apps:
Suppose a customer is looking for a solution to block Outlook (Exchange Online only) location-wise, where the internal organisation will have access to Exchange Online but outside the organisation it must get blocked!!
NOTE: The customer is not looking for third-party tools or Azure AD Premium, as it is very expensive for them, and also the customer's only need is to block Exchange Online mail access from outside the organisation, not any other services of O365.
Is it possible with O365 itself? If yes, is there any relevant document for it?
Jul 13 2019 01:50 AM
Hi @Mitul Sinha,
You can do this with ADFS; please read more here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2...
Best Regards,
Nuno Árias Silva
My Office 365 Essentials Book - https://www.nuno-silva.net/book-office-365-essentials
Jul 13 2019 05:14 AM - edited Jul 13 2019 08:01 AM
Hi Mitul,
Whilst, as Nuno said, you can do this with ADFS and it’s a 100% legitimate answer, I wouldn’t recommend this as it’s likely to be more expensive due to the cost of the servers (if you want it highly available), the added technical complexity and the fact that Microsoft no longer recommend ADFS over AAD Connect - they see it as a legacy solution.
Conditional Access is the easiest and best way here. Typically, here in the UK, it’s positioned that not every person in the organisation needs to have it, so it’s very unusual for all to need an AAD Premium licence. Plus, it is also about the other features of AAD Premium such as application SSO. The organisation also has to consider the cost of data leakage and an internal attack, and then will realise that AAD Premium is in fact very cheap.
So I would compare both the cost of data leakage and the cost of ADFS as Nuno suggested, and AAD Premium should win out. Another potential option, if they had Business Premium, is to go to Microsoft 365 Business, as Conditional Access has been added recently - they would get the upside of Windows 10 Business and Intune alongside the benefit of Conditional Access.
In terms of paying nothing at all, then they would get location-based Conditional Access and there is no way, as far as I know, to work around it.
Hope that answers your question!
Best, Chris
Hi @Mitul Sinha,
It is always advised to have Conditional Access based on Office 365, because you do not need to maintain on-prem infrastructure.
You will need to compare costs (redundancy of servers, Internet connectivity, maintenance and support), and after all that you can decide which is the better solution based on the costs and benefits of each.
Jul 14 2019 10:47 PM
Solution
If it's only Exchange you want to restrict, and you don't want to do it via CA policies, you can take a look at using Client Access Rules: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/...
Or do it via Claims rules on the AD FS side.
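As an added illustration of the Client Access Rules approach from this answer (example code, not from the thread or from Microsoft's documentation), the Exchange Online PowerShell below denies the common Exchange client protocols unless the connection comes from the organisation's own public IP ranges, which is exactly the "Exchange Online only, nothing else in O365" scope the question asks for. The IP ranges and the user address are constructed placeholders; the ExchangeOnlineManagement module and an Exchange admin account are assumed.

```powershell
# Added example: scope the block to Exchange Online only, using Client Access Rules.
# Requires the ExchangeOnlineManagement module and an Exchange Online admin.
Connect-ExchangeOnline

# Constructed placeholder egress ranges of the organisation's offices.
# Replace with the real public IP ranges the internal network uses.
$InternalRanges = @('203.0.113.0/24', '198.51.100.0/24')

# Safety rule first, at the highest priority: keep Remote PowerShell reachable
# so a mistake in the deny rule below cannot lock administrators out of fixing it.
New-ClientAccessRule -Name 'Allow admin Remote PowerShell' `
    -Priority 1 -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell

# Main rule: deny the mail client protocols for every connection whose source
# address is NOT in the internal ranges. Other Office 365 workloads are untouched,
# because Client Access Rules only exist inside Exchange Online.
New-ClientAccessRule -Name 'Block Exchange Online access from outside the organisation' `
    -Priority 2 -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync, ExchangeWebServices, IMAP4, OutlookAnywhere, OutlookWebApp, POP3, REST, UniversalOutlook `
    -ExceptAnyOfClientIPAddressesOrRanges $InternalRanges

# Check how the rules treat a connection before relying on them.
# Both source addresses and the user are constructed for this example.
$testUser = 'user@contoso.example'   # placeholder mailbox

# Expected: allowed (203.0.113.25 is inside the internal ranges).
Test-ClientAccessRule -User $testUser -AuthenticationType OAuthAuthentication `
    -Protocol OutlookWebApp -RemoteAddress 203.0.113.25 -RemotePort 443

# Expected: denied (192.0.2.50 is outside the internal ranges).
Test-ClientAccessRule -User $testUser -AuthenticationType OAuthAuthentication `
    -Protocol OutlookWebApp -RemoteAddress 192.0.2.50 -RemotePort 443

# Review the resulting rule set, highest priority first.
Get-ClientAccessRule | Sort-Object Priority | Format-Table Name, Priority, Action, Enabled
```

Newly created rules can take a while to propagate across the service, so test before and after the wait rather than assuming immediate effect. Microsoft has since announced the retirement of Client Access Rules in Exchange Online, so check the current documentation before building on them today.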