ADFS 3.0 rule to block MS Outlook from accessing Office 365 from an external network

  • Question

  • Hi,

I have to block MS Outlook 2010, 2013 and 2016 from accessing Office 365 from an external network (outside of the internal network); ActiveSync must continue to access Office 365 from the Internet.

    Outlook 2016 is configured to use ADAL (modern authentication).

    We have ADFS+WAP for SSO with Office 365.

    What custom rules can be configured on ADFS to accomplish this need?

    Thanks


    Lourh

    Friday, August 26, 2016 12:55 PM

Answers

  • Thank you Mylo,

    I have Device Writeback enabled on Azure AD Connect. Device Registration is also enabled in ADFS, and initialized in the on-premises AD.

    At the moment, we are using Intune and SCCM for Mobile Device Management, and Azure AD is automatically used by Intune (Workplace) for registration, but it's not configured as DRS for any device.

    If AAD DRS can enforce the security and allow us to meet this need, it will be a solution for us.

    Thanks



    Lourh

    Monday, August 29, 2016 9:30 PM

All replies

  • Hi,

    Here is how to limit access to o365 services based on the location of the client:

    https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx

    FrenchITGuy.com

    Friday, August 26, 2016 1:03 PM
  • Thank you for your Answer.

    I have already seen this article. Unfortunately, we cannot use the claim based on network location: we have more than 500 subnets, and most of them can have the same subnet address as an external private location.

    I tried other claims, but we were not able to block MS Outlook 2016.

    We were able to block web clients only.

    Thanks


    Lourh

    Friday, August 26, 2016 1:42 PM
  • Is your Exchange Online tenant Modern Authentication (ADAL) enabled?

    http://blog.auth360.net

    Friday, August 26, 2016 1:57 PM
    Yes, it's already enabled (Set-OrganizationConfig -OAuth2ClientProfileEnabled $true); it's working correctly with MS Outlook 2016.

    Thanks


    Lourh



    Friday, August 26, 2016 4:22 PM
  • Hi Lourh,

    Sorry for the delayed response. I haven't seen any update on this issue that you describe as you fall into Scenario 3. Have you considered using Azure DRS, using device writeback to your AD, to screen out access via Modern Authentication?


    http://blog.auth360.net

    Monday, August 29, 2016 7:56 PM
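    The two approaches discussed in this thread, as an added example that is not code from the thread or from the linked TechNet article: a PowerShell script, run on an ADFS 3.0 (Windows Server 2012 R2) server, that builds the issuance authorization rules for the Office 365 relying party trust and applies them. The first deny rule has the shape of the article's "block external access except Exchange ActiveSync" scenario, keyed on the request-context claims the WAP adds (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application); the second is the device-based variant Mylo suggests, keyed on the isregistereduser device claim that ADFS issues for a workplace-joined device. The relying party name, the public egress IP regex and the backup file path are assumptions. One caveat before relying on either rule: x-ms-client-application identifies the Exchange protocol only when Exchange Online authenticates to the ADFS active (WS-Trust) endpoint on the client's behalf; an Outlook client using modern authentication (ADAL) signs in through the passive endpoint, so to ADFS it looks like a browser sign-in, which is consistent with what the thread reports (only web clients were blocked). Check the ADFS audit log on the server to see which request-context and device claims the ADAL clients actually present before enforcing the rule in production.

```powershell
# Added example (not from the thread): build and apply ADFS 3.0 issuance
# authorization rules on the Office 365 relying party trust.
# Run in an elevated PowerShell session on an ADFS server.
Import-Module ADFS

# Assumption: the relying party trust still has the default display name
# created when the domain was federated.
$rpName = 'Microsoft Office 365 Identity Platform'

# Constructed placeholder (RFC 5737 documentation ranges): the public egress
# addresses the corporate network presents to the WAP. Match on these rather
# than on internal subnets, because the internal RFC 1918 ranges overlap with
# private ranges used outside the company. \b instead of ^...$ because
# x-ms-forwarded-client-ip can carry more than one address when Exchange Online
# forwards the client's address to ADFS.
$corpEgressRegex = '\b(203\.0\.113\.(1|2|3)|198\.51\.100\.\d{1,3})\b'

$ctx   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$dev   = 'http://schemas.microsoft.com/2012/01/devicecontext/claims'
$authz = 'http://schemas.microsoft.com/authorization/claims'

# ADFS denies the request if any rule issues a deny claim, regardless of
# order, so the permit rule stays and a deny rule is added beside it.
$permitRule = @"
@RuleName = "Permit all users"
 => issue(Type = "$authz/permit", Value = "true");

"@

# Network-based: request came through the WAP, not from a known corporate
# egress address, and is not Exchange ActiveSync.
$networkDeny = @"
@RuleName = "Deny external access except ActiveSync (network based)"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpEgressRegex"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$authz/deny", Value = "true");

"@

# Device-based: request came through the WAP from a device that did not present
# a registered-device claim, and is not Exchange ActiveSync.
$deviceDeny = @"
@RuleName = "Deny external access from unregistered devices except ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$dev/isregistereduser", Value == "true"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$authz/deny", Value = "true");

"@

# Pick one deny rule. With both applied, an external request must satisfy both
# conditions (known egress address AND registered device) to be allowed.
$rules = $permitRule + $deviceDeny

# Keep a copy of the current rules so the change can be rolled back with
# Set-AdfsRelyingPartyTrust -IssuanceAuthorizationRulesFile.
$backupPath = Join-Path $env:TEMP 'o365-authz-rules.bak'   # assumed path
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules |
    Out-File -FilePath $backupPath -Encoding UTF8

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read back what ADFS stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

    Whichever deny rule is used, test from the outside with ActiveSync, a browser and an ADAL-enabled Outlook before and after the change; a rule that only produces deny claims for browser sign-ins has not solved the problem this thread describes.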
  • Hi Lourh

    I had a similar issue, please check this post at my blog: http://cdanvergara.com/QeKTS

    I hope it helps!

    Regards


    Cristian V.


    Wednesday, November 9, 2016 2:31 PM