Limiting Access to Office 365 Services Based on Location
Office 365 and Exchange Online continue to use Outlook Web App, Outlook MAPI, Outlook Anywhere, and ActiveSync for client connections. Customers have expressed concerns about data loss while outside of the network and would want policies in place that limit access to Office 365 services, depending on where the client resides.
If using ADFS 2.0 for single sign on to Office 365 services, we can also enable built in client access policy features.
Client Access Policy Scenarios
|Block all external access to Office 365
||Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.
|Block all external access to Office 365, except Exchange ActiveSync
||Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.
|Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
||Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.
|Block all external access to Office 365 for members of designated Active Directory groups.
||This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory group. It can also be used to provide external access only to members of a group.
Using ADFS Client Access policies in conjunction with disabling Outlook cached mode will give clients full control of where their data can be accessed in any given scenario.
This posting is provided "AS IS" with no warranties, and confers no rights.