Controlling external access to O365

In some scenarios you may want to control how you need to authenticate and also if the service is allowed to be accessed outside of the Company.

Over the last weeks Microsoft has been rolling out some features in preview for Azure AD. With this new functionality you can control granular authentication levels per service.

  • Outlook Web access
  • SharePoint Online and OneDrive

So say you only want to allow OWA outside of the Company with two-factor authentication while SharePoint and OneDrive should be blocked you can now test that scenario in preview.

So to test this out you can follow the steps below

  1. Logon to https://manage.windowsazure.com
  2. Select your AAD AAD_1
  3. Go to your Applications Tab
  4. Select the Application you want Office 365 Exchange Online for an example AAD_2
  5. On the top select Configure, and Enable the Access Rules and then choose your desired behavior, when using the work based rules, you need to define your work locations. AAD_3
  6. Defining your work locations is done by clicking on the link at the bottom.
  7. On the Trusted IPs section, you need to define your IP Addressed that shall be seen as your work locations, here you need to define your public IP Addresses. More on that you can read here: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#trusted-ips AAD_4
  8. And then when we want to block SharePoint and OneDrive you create a block rule for SharePoint Online.

AAD_5

End users that are trying to access a service that is blocked will get this message when they try to access it.

blocked_access_aad_worklocation

 

Leave a Comment

Your email address will not be published. Required fields are marked *