Limit access to Office 365 from internet


Hello,

I'm looking for a solution to limit access to Office 365 (Exchange, OneDrive, ...) from the internet. I don't want users to be able to read or send mail from outside the company, but when they are on premises it's okay. As usual there are some exceptions: certain users should access their mail from the internet. Internet access must be secured with MFA.

I've already done some research and it seems that there are 2 options for me:

- Azure AD Conditional Access (requires a premium license)

- ADFS Conditional Access

But I still have some questions:

1) Can I achieve my goal with both options?

2) Is there any other solution to achieve my goal?

3) Currently, there is a hybrid Exchange with Azure AD Connect set up; is it compatible with Conditional Access?

Thank you for your answer.
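
One way to express the requirement in the question (block Office 365 from outside the company network, except for a group of users who must use MFA) as Azure AD Conditional Access policies, as an added example that is not from this thread or from Microsoft's documentation. It uses the Microsoft Graph PowerShell module; the IP range, group object id and emergency-access account id are placeholders you would substitute with your own. Both policies are created in report-only mode so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell module
# and an account holding the Policy.ReadWrite.ConditionalAccess permission.
# All IP ranges and object ids below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Trusted named location: the company's internet egress addresses (placeholder range).
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }  # placeholder
    )
}

$remoteOkGroupId = "<object id of the group allowed to work from the internet>"  # placeholder
$breakGlassId    = "<object id of the emergency access account>"                 # placeholder

# 2. Block every Office 365 sign-in that does not come from the trusted location,
#    except the remote-approved group and the emergency access account.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block Office 365 outside corporate network"
    state       = "enabledForReportingButNotEnforced"   # review sign-in logs before switching to "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($remoteOkGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($corpLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. The remote-approved group may sign in from outside, but only with MFA, and must
#    re-authenticate daily so a token obtained on premises is not valid indefinitely.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for remote-approved users outside corporate network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($remoteOkGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($corpLocation.Id) }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{ value = 1; type = "days"; isEnabled = $true } }
}
```

The emergency-access account is excluded from both policies so that a misconfigured location or an outage of the MFA provider cannot lock administrators out of the tenant. Conditional Access is evaluated when a token is issued, not on every mailbox request, which is why the MFA policy also sets a sign-in frequency: it bounds how long a session started inside the network keeps working after the device leaves it.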

4 Replies

Hi!

Not really! ADFS CA is for internal resources, and Azure AD CA is for cloud resources.

You can use a connector for Exchange locally and use Azure CA, though.

Hello,

Thank you for your answer.

As I said, there is a hybrid Exchange configuration and all mailboxes are hosted on Exchange Online.

So to manage access to these mailboxes, I have to use Azure AD CA?

You use Azure AD CA for this, yes.

Just to make sure you understand the process correctly, both Azure AD CA and AD FS claims rules only restrict the authentication. If the user authenticates in your "internal" network and takes his laptop home, he will still be able to happily access messages until the token expires, which can be a very long time in general.

If you only want to block access to email, Client Access Rules in Exchange Online might be a better match. They are enforced at the Exchange server layer, and evaluated every time the client "talks" to the server. However, in general they aren't as robust as CA policies are. Here's the documentation: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules
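
What the Client Access Rules approach from the reply above looks like in practice, as an added example that is not part of the thread and not code from Microsoft's documentation. It uses the ExchangeOnlineManagement module; the IP ranges and user names are placeholders. The first rule exists because a deny rule evaluated before an allow rule for remote PowerShell can lock administrators out of managing the tenant, so it is created with the highest priority before the deny rule. Note that Microsoft has since announced the retirement of Client Access Rules in Exchange Online, so check their current support status before building on them.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module and an
# Exchange administrator account. IP ranges and user patterns are placeholders.
Connect-ExchangeOnline

$corpRanges = @("203.0.113.0/24", "198.51.100.0/24")   # placeholder corporate egress ranges
$adminHost  = "203.0.113.10"                           # placeholder admin workstation

# Rule 1 (highest priority): always allow remote PowerShell from the admin host so the
# deny rule below can never lock administrators out of the tenant.
New-ClientAccessRule -Name "Allow admin remote PowerShell" -Priority 1 -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges $adminHost

# Rule 2: deny the mailbox protocols from every address except the corporate ranges,
# and exempt the users who are allowed to read mail from the internet.
New-ClientAccessRule -Name "Deny mail access outside corporate network" -Priority 2 -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync, ExchangeWebServices, IMAP4, OutlookAnywhere, OutlookWebApp, POP3, REST, UniversalOutlook `
    -ExceptAnyOfClientIPAddressesOrRanges $corpRanges `
    -ExceptUsernameMatchesAnyOfPatterns "alice@contoso.com", "bob@contoso.com"   # placeholder exemptions

# Verify the result before relying on it: simulate an Outlook on the web connection for a
# non-exempt user from an outside address. The expected outcome is that rule 2 matches.
Test-ClientAccessRule -AuthenticationType OAuthAuthentication -Protocol OutlookWebApp `
    -RemoteAddress 192.0.2.50 -RemotePort 443 -User carol@contoso.com

# And confirm that the admin host can still reach remote PowerShell (rule 1 should match).
Test-ClientAccessRule -AuthenticationType OAuthAuthentication -Protocol RemotePowerShell `
    -RemoteAddress $adminHost -RemotePort 443 -User admin@contoso.com

Get-ClientAccessRule | Format-Table Name, Priority, Action, Enabled
```

Because these rules are evaluated on every client request rather than at token issuance, they close the gap the reply describes (a token obtained on premises continuing to work from home). They only govern Exchange Online protocols, so the OneDrive part of the original question still needs a Conditional Access policy; the two mechanisms complement rather than replace each other.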