O365

Controlling external access to O365

In some scenarios you may want to control how you need to authenticate and also if the service is allowed to be accessed outside of the Company.

Over the last weeks Microsoft has been rolling out some features in preview for Azure AD. With this new functionality you can control granular authentication levels per service.

  • Outlook Web access
  • SharePoint Online and OneDrive

So say you only want to allow OWA outside of the Company with two-factor authentication while SharePoint and OneDrive should be blocked you can now test that scenario in preview.

So to test this out you can follow the steps below

  1. Logon to https://manage.windowsazure.com
  2. Select your AAD AAD_1
  3. Go to your Applications Tab
  4. Select the Application you want Office 365 Exchange Online for an example AAD_2
  5. On the top select Configure, and Enable the Access Rules and then choose your desired behavior, when using the work based rules, you need to define your work locations. AAD_3
  6. Defining your work locations is done by clicking on the link at the bottom.
  7. On the Trusted IPs section, you need to define your IP Addressed that shall be seen as your work locations, here you need to define your public IP Addresses. More on that you can read here: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#trusted-ips AAD_4
  8. And then when we want to block SharePoint and OneDrive you create a block rule for SharePoint Online.

AAD_5

End users that are trying to access a service that is blocked will get this message when they try to access it.

blocked_access_aad_worklocation

 

Blocking access to SharePoint and OneDrive via web

If you want to block web access to SharePoint or OneDrive in O365 from unmanaged devices you can now do that with Conditional Access in Intune. From the testing I have been doing latley it has been working well for me. Since I enabled it I havent been able to access the services from devices that are not beeing managed.

The only setting we have right now is to block SharePoint. And by blocking SharePoint, OneDrive will automaticlly be blocked. So if you want to block only OneDrive but not SharePoint there is no way of doing that right now.

block_sp_1drv

And just like OWA the message the end user will get is the following when access is being blocked.

blocked_access_ca

Blocking O365 OWA from Unmanaged Devices

If you want to block access to Outlook Web Access in O365 from unmanaged devices you can now do that with Conditional Access in Intune. From the testing I have been doing latley it has been working well for me. Since I enabled it I havent been able to access OWA from devices that are not beeing managed.

 

block_owa

If you try to access OWA from an unmanaged device you will get this response from the service.

blocked_access_ca