Restrict Access to Site

%3CLINGO-SUB%20id%3D%22lingo-sub-2790155%22%20slang%3D%22en-US%22%3ERestrict%20Access%20to%20Site%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2790155%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20using%20Sharepoint%20Online%20(SPO)%20with%20M365%20E5%20licenses.%20Our%20company%20is%20very%20risk%20adverse.%26nbsp%3BCurrently%20we%20restrict%20access%20to%20SPO%20using%20AzureAD%20conditional%20access%20and%20restrict%20to%20our%20corporate%20IP%20address%20range.%20We%20now%20have%20a%20use%20case%20to%20allow%20usage%20of%20one%20site%20from%20outside%20this%20range%20by%20organizational%20accounts%20(non-guest%20users).%20This%20site%20is%20not%20using%20Power%20Platform%20integrations%20like%20Power%20Automate%20etc.%20I'm%20wondering%20how%20I%20can%20accomplish%20this%3F%20The%20site%20that%20we%20require%20to%20be%20used%20from%20Outside%20the%20corporate%20network%20is%20accessed%20by%20users%20who%20%3CSTRONG%3Ealso%3C%2FSTRONG%3E%20use%20other%20sites%20that%20we%20want%20restricted%20to%20the%20corporate%20network.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3ESince%20AzureAD%20conditional%20access%20works%20at%20the%20Office365%20level%20I%20can't%20see%20how%20that%20can%20be%20used.%3C%2FLI%3E%3CLI%3ESPO%20seems%20to%20have%20it's%20own%20Network%20Access%20policy%20but%20this%20applies%20at%20the%20SPO%20level%20and%20not%20site%20level.%20Is%20it%20possible%20to%20override%20this%20at%20a%20site%20level%3F%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2790155%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2790649%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20Access%20to%20Site%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2790649%22%20slang%3D%22en-US%22%3ETake%20a%20look%20at%20Sensitivity%20Labels%20applied%20to%20container%20%2B%20authentication%20context%20with%20Conditional%20Access%3C%2FLINGO-BODY%3E
Contributor

I'm using Sharepoint Online (SPO) with M365 E5 licenses. Our company is very risk adverse. Currently we restrict access to SPO using AzureAD conditional access and restrict to our corporate IP address range. We now have a use case to allow usage of one site from outside this range by organizational accounts (non-guest users). This site is not using Power Platform integrations like Power Automate etc. I'm wondering how I can accomplish this? The site that we require to be used from Outside the corporate network is accessed by users who also use other sites that we want restricted to the corporate network.

 

  1. Since AzureAD conditional access works at the Office365 level I can't see how that can be used.
  2. SPO seems to have it's own Network Access policy but this applies at the SPO level and not site level. Is it possible to override this at a site level?

 

 

 

3 Replies
Take a look at Sensitivity Labels applied to container + authentication context with Conditional Access
Do sensitivity labels not only apply to MS document types though?
No, you can use them on containers now as well (groups, sites) and with the Authentication context (in preview) you can be granular in a way you previously couldn't. So connect the context with conditional access policy and add it to your sensitivity label/s, or even use them with MCAS if you want to go that way.

https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view...

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...