Limiting access to Microsoft Office 365, depending on where the client resides

Many customers who have implemented our federated SSO feature have asked us to enable more control over external access based on the location of the client e.g. limit access to Microsoft Office 365 services, depending on where the client (trying to access the Office 365 services) resides.

While this feature is officially on the roadmap for the first half of calendar year 2012, it is available now to customers as a QFE (hotfix) via KB2607496 and is fully documented on TechNet.  The feature will move to officially released with the next service pack for AD FS but has already been pilot tested with 12 customers.  In short the new capability allows customers to:

  • Block all extranet client access to Office 365
  • Block all extranet client access to Office 365 except for devices that use Exchange Active Sync
  • Block all extranet client access to Office 365 except for browser based applications
  • Block all extranet client access to Office 365 for members of designated Active Directory groups
  • Enforce two factor authentication requirements by blocking external access and forcing users to VPN into the customer’s network where 2FA can be enforced

See also

  • "Office 365 URLs and IP Address Ranges" - link
  • "Understanding the AD FS 2.0 Proxy" - link
  • "Limiting Access to Office 365 Services Based on the Location of the Client" - link