Block access for Extranet access to Outlook (2013 & 2016) with Modern Auth enabled.

  • Question

  • We need to block access for Extranet access to Outlook (2013 & 2016) with Modern Auth enabled. We also need to enable Extranet access for Webmail and the Outlook app on mobile, and block ActiveSync. We have Azure MFA to provide MFA for external traffic and an Azure Premium license with Intune.

    I am not able to figure out how to achieve the above requirement using all the solution components (ADFS 2016, Azure MFA, Intune) for Office 365 Access.

    Note: We are not in a position to make use of the Device Registration Service, as we are performing a cross-forest migration in parallel and computers will be joined to the new forest, and we see that registering devices to Azure from the new forest will need some more planning and can't be clubbed in at this time. Need to know if this is the only possible way to achieve our goal.

    Monday, May 22, 2017 10:46 AM

Answers

  • Hi Rakash,

    You can block ActiveSync from either Office 365 (Set-CASMailbox) or ADFS (using a claim rule).

    To implement your requirement for Outlook Modern Auth you will leverage Azure Conditional Access.

    Identify your public IP addresses and create Trusted Networks for them.

    Create a rule that blocks external access on devices other than iOS/Android/Windows Phone.

    Create a rule that requires a compliant device on iOS/Android/Windows Phone.

    You did not specify the circumstances for requiring MFA but you can create additional rules to require MFA in certain circumstances.

    Good Luck!

    Shane

    Friday, May 26, 2017 1:32 PM
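The two ActiveSync-blocking options Shane names (Set-CASMailbox in Exchange Online, or an ADFS issuance authorization rule), as an added PowerShell example that is not part of the original thread. It assumes an Exchange Online remote session for the first part and an ADFS 2012 R2-or-later server session for the second; the relying-party trust name is the default one and is marked as an assumption in the comments.

```powershell
# Added example, not from the thread. Two ways to block ActiveSync:
#   1. per mailbox in Exchange Online (Set-CASMailbox)
#   2. at ADFS, by denying the ActiveSync client application a token

# --- Option 1: Exchange Online, per mailbox -------------------------------
# Report which mailboxes still have ActiveSync enabled, then preview the
# change with -WhatIf before applying it.
$enabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -eq $true }
$enabled | Select-Object Identity, ActiveSyncEnabled
$enabled | Set-CASMailbox -ActiveSyncEnabled $false -WhatIf
# Re-run without -WhatIf once the list looks right. Mailboxes created later
# are not covered, so this needs to be scheduled or enforced elsewhere.

# --- Option 2: ADFS, deny ActiveSync before a token is issued -------------
# Assumption: the Office 365 relying-party trust still has its default name.
$rpName = "Microsoft Office 365 Identity Platform"
$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# ADFS (2012 R2 and later) populates the x-ms-client-application request
# context claim for Exchange Online traffic; ActiveSync identifies itself as
# "Microsoft.Exchange.ActiveSync". Deny the token for that client.
$denyActiveSync = @'
@RuleName = "Deny ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
        Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

# Append to the existing issuance authorization rules instead of replacing
# them, so the existing permit rule(s) are preserved.
$newRules = $rp.IssuanceAuthorizationRules + "`r`n" + $denyActiveSync
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $newRules

# Verify: the deny rule should now be listed on the relying-party trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Option 2 blocks ActiveSync for every user federated through ADFS, internal and external alike; option 1 is per mailbox and only affects Exchange Online, so the two are complementary rather than interchangeable.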

All replies

  • Wondering if this forum is active or not, or do I need to post this in any other forum.
    Thursday, May 25, 2017 2:04 PM
  • The question is too challenging to be answered in the forum. Best would be to open a case with MS Premier Support and share the solution for the benefit of future admins and architects.

    Regards, Navdeep

    Friday, May 26, 2017 2:25 AM