EMS

Controlling external access to O365

In some scenarios you want to control how users must authenticate to a service, and whether the service may be reached from outside the company network at all.

Over the last few weeks Microsoft has been rolling out some preview features for Azure AD. With this new functionality you can set authentication requirements per service, currently for:

  • Outlook Web access
  • SharePoint Online and OneDrive

Say you want to allow OWA from outside the company only with two-factor authentication, while SharePoint and OneDrive should be blocked outside the company entirely. You can now test that scenario in preview.

To test this out, follow the steps below:

  1. Log on to https://manage.windowsazure.com
  2. Select your Azure AD directory [screenshot: AAD_1]
  3. Go to the Applications tab
  4. Select the application you want to configure, for example Office 365 Exchange Online [screenshot: AAD_2]
  5. At the top select Configure, enable Access Rules and choose the desired behavior. When using the work-location based rules you need to define your work locations first. [screenshot: AAD_3]
  6. Define your work locations by clicking the link at the bottom of the Access Rules section.
  7. In the Trusted IPs section, define the IP addresses that count as work locations. These must be your public egress addresses, that is, the addresses Azure AD sees your requests coming from, not internal ranges. More on that here: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#trusted-ips [screenshot: AAD_4]
  8. To block SharePoint and OneDrive as well, repeat the steps for Office 365 SharePoint Online and create a block rule there. OneDrive for Business is served by SharePoint Online, so the same rule covers both.

[screenshot: AAD_5]

End users who try to access a blocked service get the following message:

[screenshot: blocked_access_aad_worklocation]
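The same scenario expressed as code, as an added example that is not part of the original post: the classic-portal access rules above have since been replaced by Azure AD Conditional Access, and the policies below recreate the intent (MFA for Exchange Online/OWA outside the office, SharePoint Online and OneDrive blocked outside the office) with the Microsoft Graph PowerShell SDK. Everything tenant-specific is an assumption: 203.0.113.0/24 stands in for your public egress range, $breakGlassGroupId is a placeholder for an emergency-access group you must create and exclude, and the two application IDs are the well-known first-party IDs for Exchange Online and SharePoint Online.

```powershell
# Added example (not the post's own code). Recreates the portal procedure above
# with Conditional Access via the Microsoft Graph PowerShell SDK.
# Assumptions: 203.0.113.0/24 is a placeholder egress range; $breakGlassGroupId
# is a placeholder and must point at a real emergency-access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Well-known first-party application IDs (the same in every tenant).
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"   # also serves OneDrive for Business

# 1. Define the work location as a trusted named location. Use the public
#    addresses Azure AD sees your traffic arriving from, not internal ranges.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Conditions shared by both policies: all users except the break-glass group,
# any client type, any location except the trusted ones.
function New-OutsideOfficeConditions([string[]] $AppIds) {
    return @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = $AppIds }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
}

# 2. OWA / Exchange Online from outside the office: allowed, but only with MFA.
$owaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Exchange Online: require MFA outside work locations"
    state         = "enabledForReportingButNotEnforced"   # report-only first, switch to "enabled" after review
    conditions    = New-OutsideOfficeConditions @($exchangeOnline)
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. SharePoint Online (and therefore OneDrive) from outside the office: blocked.
$spoPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "SharePoint Online: block outside work locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = New-OutsideOfficeConditions @($sharePointOnline)
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Sanity check: confirm both policies exist in report-only state before enforcing.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Id -in @($owaPolicy.Id, $spoPolicy.Id) } |
    Select-Object DisplayName, State
```

Two practitioner notes. First, both policies are created in report-only state on purpose: review the sign-in log for what would have been blocked before flipping them to enabled, and never deploy a block policy without an excluded emergency-access group. Second, a work location defined by trusted IPs is only as trustworthy as the network behind those addresses; anyone who can egress through them (a guest on the office Wi-Fi, a VPN user, a compromised on-premises host) looks "at work" to Azure AD, so treat this as a coarse control and pair it with MFA rather than relying on it alone.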


Blocking access to SharePoint and OneDrive via web

If you want to block web access to SharePoint or OneDrive in O365 from unmanaged devices, you can now do that with Conditional Access in Intune. From the testing I have been doing lately it has been working well for me. Since I enabled it I haven't been able to access the services from devices that are not being managed.

The only setting available right now is to block SharePoint. Blocking SharePoint automatically blocks OneDrive as well, because OneDrive for Business is hosted on SharePoint Online. So if you want to block only OneDrive but not SharePoint, there is no way of doing that right now.

[screenshot: block_sp_1drv]

Just like with OWA, the end user gets the following message when access is blocked:

[screenshot: blocked_access_ca]

Blocking O365 OWA from Unmanaged Devices

If you want to block access to Outlook Web Access in O365 from unmanaged devices, you can now do that with Conditional Access in Intune. From the testing I have been doing lately it has been working well for me. Since I enabled it I haven't been able to access OWA from devices that are not being managed.
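What the Intune "block from unmanaged devices" switch for OWA and for SharePoint/OneDrive amounts to, as an added example that is not part of the original post: in today's Azure AD Conditional Access the equivalent is a policy whose grant control requires a compliant (Intune-managed) or hybrid-joined device. The break-glass group ID is a placeholder you must replace; the application IDs are the well-known ones for Exchange Online and SharePoint Online.

```powershell
# Added example (not the post's own code). The modern equivalent of the Intune
# "block from unmanaged devices" setting: require a managed device to reach
# Exchange Online (OWA) and SharePoint Online (and with it OneDrive).
# Assumption: $breakGlassGroupId is a placeholder for a real emergency-access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$exchangeOnline    = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline  = "00000003-0000-0ff1-ce00-000000000000"   # OneDrive rides on this; it cannot be targeted alone

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require managed device for Exchange Online and SharePoint Online"
    state       = "enabledForReportingButNotEnforced"   # report-only until the sign-in log looks right
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        # "browser" covers OWA and the SharePoint/OneDrive web UI. The rich clients
        # (Outlook, OneDrive sync) are included too, otherwise a user on an
        # unmanaged machine simply switches from the web UI to a desktop client.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"   # either a compliant or a hybrid-joined device satisfies the policy
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# Verify the policy and its controls before switching state to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

One caveat worth checking in your own tenant: the two client app types above only cover browsers and modern-authentication clients. Protocols that use legacy authentication (for example Exchange ActiveSync with basic auth) fall under the separate "exchangeActiveSync" and "other" client app types and are not touched by this policy, so they need their own block policy, or legacy authentication needs to be disabled, to close that gap.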


[screenshot: block_owa]

If you try to access OWA from an unmanaged device, you get this response from the service:

[screenshot: blocked_access_ca]

Enterprise Mobility Suite Managing BYOD and Company-Owned Devices

Microsoft has released a book about the Enterprise Mobility Suite, for those who want to read more about the suite and how you can manage your mobile workforce with the help of EMS.

EMS is a bundle of Microsoft Intune, Azure AD Premium and Azure RMS. Together the products make up a strong suite for protecting and managing information and devices, and they also give you considerable benefits for managing your identities.

I was one of the reviewers of the book and I can guarantee you that it's a great read for all of you who want to learn more about EMS and what it can do for your organization.

[book cover: ems]


More information about it can be found here.

https://www.microsoftpressstore.com/store/enterprise-mobility-suite-managing-byod-and-company-9780735698406