Azure AD Conditional Access

Iron Contributor

I am a Office 365 customer who wants to restrict access to the Office 365 portal outside of the Intranet and for certains groups only (using known Trusted IPs).


Blocking entire access to the Office 365 portal is not possible via the classic azure portal.


The expected behaviour of using conditional access is at a per application level which works and requires a relevant licence.


In order to block the entire Office 365 portal, I ended up using the Azure AD Preview console.


Doing so appears to work without the need to apply either a EMS or Azure AD Premium licence.


Conditonal Access is normally part of either EMS or Azure AD Premium.



Can anyone provide some clarification on this feature and the licence stance?


When I opened a call with Office 365 support, they said that they had not come accross it at all and could not help me as it is Azure related.


Aplogies if I have incorrectly posted my question here.


3 Replies

Not sure I understand how you blocked access?

Hi Visil,


I ended up creating 2 rules, one to Deny and one to Allow.


Deny Rule


  • Include - All Users
  • Exclude - Allowed User group

Cloud Apps

  • All Cloud Apps


  • Location
    • Include All locations
    • Exclude Trusted IPs
  • Client Apps
    • Browser


  • Block Access


Allow Rule

Effectively the reverse of the above.


I suspect because this is in Preview, licence enforcement will take place at some point.



Oh, got it, I thought you meant Azure AD PowerShell module (that's what I call console :)). Yes, I wouldnt bet on this method being available for free.