How to restrict access to Office 365
Like some organisations, you may be concerned about data leakage via Office 365 resources such as SharePoint Online, Exchange Online and OneDrive for Business. There are certainly good options for preventing data leakage natively in Office 365 using DLP policies and other protection mechanisms, but suppose you are faced with an urgent call to block access to these resources from all networks external to your organisation? Here are 3 options you could use.
If you synchronise your Active Directory users to Office 365 and federate for single sign on, you most likely use Active Directory Federation Services (AD FS). The first part of this blog series covers options for controlling access using AD FS.
Client access policies in Active Directory Federation Services (AD FS): authorization policies restrict or allow users access to resources based on attributes (claims) of the request and the resource. Client access policies first became available in AD FS 2.0 Update Rollup 2. They require the addition of 5 new claim rules to the Active Directory claims provider trust, and Issuance Authorization rules must be added to the Microsoft Office 365 relying party trust. Client access policies cater for 3 basic scenarios: block all external access to Office 365; block all external access to Office 365 except Exchange ActiveSync; block all external access to Office 365 except browser-based applications. Visit Microsoft Docs for more information on client access policies and how to configure them for each scenario.
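As an added example (not code from this post or from Microsoft's documentation), the following PowerShell applies a client access policy of the kind described above, combining the two exceptions (Exchange ActiveSync and browser-based applications) in a single deny rule. It assumes the claims provider trust is named "Active Directory", the Office 365 relying party trust is named "Microsoft Office 365 Identity Platform", and that 203.0.113.0/24 stands in for your organisation's public egress range; all three are assumptions, not values from the post.

```powershell
# Added example, not the blog's own code. Assumed names: claims provider trust
# "Active Directory", relying party "Microsoft Office 365 Identity Platform",
# and 203.0.113.0/24 as a constructed stand-in for the corporate public range.
# AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell first; 2012 R2+ uses the ADFS module.

$ctx = "http://schemas.microsoft.com/2012/01/requestcontext/claims"

# 1) The five pass-through rules on the claims provider trust. Without these the
#    request-context claims never reach the relying party authorization rules.
$passThrough = ""
foreach ($name in "x-ms-forwarded-client-ip", "x-ms-client-application",
                  "x-ms-client-user-agent", "x-ms-proxy", "x-ms-endpoint-absolute-path") {
    $passThrough += @"
@RuleName = "Pass through $name"
c:[Type == "$ctx/$name"] => issue(claim = c);

"@
}
# Append to the existing acceptance rules rather than replacing them.
$cp = Get-AdfsClaimsProviderTrust -Name "Active Directory"
Set-AdfsClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $passThrough)

# 2) Issuance authorization rules on the Office 365 relying party trust.
#    Deny when the request arrived via the proxy (i.e. external), the forwarded
#    client IP is outside the corporate range, the endpoint is not the passive
#    browser endpoint (/adfs/ls/), and the client is not Exchange ActiveSync.
$internalIp = '^203\.0\.113\.(\d{1,3})$'   # constructed sample range
$authz = @"
@RuleName = "Deny external access except browser and ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$internalIp"])
 && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules $authz

# Review what was stored; a deny claim always wins over a permit claim.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").IssuanceAuthorizationRules
```

The deny rule keys off the x-ms-proxy claim, so internal clients must resolve the federation service to the internal AD FS servers (split DNS) rather than the proxy, or every request will look external and be blocked.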
Access Control Policies in AD FS: AD FS in Windows Server 2012 R2 and Windows Server 2016 is sometimes referred to as AD FS 3.0 and AD FS 4.0 respectively. In AD FS 3.0 and 4.0, a greater variety of claim types is available for authorization claim rules, which enhances client access policies with more factors such as user identity or group membership, domain-joined device, network location and authentication state (for example, whether multi-factor authentication was performed). With more settings available, there are more ways in which you can manage risk with conditional access control. Take a look at Access Control Policies for Windows Server 2016 AD FS.
Access control in AD FS 3.0 and 4.0 offers some benefits over client access policies in AD FS 2.0, but neither is aware of the target resource the user is attempting to access. I'll explain what is meant by this later in the post.
Part 2 of this blog series will cover the third option and also some things you can do with the data to protect it when access is allowed…
Thanks Matthew, very insightful.
You are welcome Ian