ADFS 3.0 Claims Rule - Block Outlook Anywhere access for non domain joined systems

  • Question

  • Can anyone tell me if it's possible to block access to Outlook Anywhere for Exchange Online and limit this to only systems that are not joined to a domain? If so, can you point me in the direction of an article that would help with the configuration?

    Thank you!

    Monday, December 14, 2015 5:51 PM

Answers

  • At the time of my original posting ADFS did not offer the solution needed. It looks like the way to achieve this is to use conditional access with Intune. Require device enrollment with Intune and set up conditional access for O365. I ended up not moving forward with this solution so I don't have the details needed to pass along. I've heard of others using conditional access for similar cases and having great success. Sorry I don't have more to offer here.
    Friday, July 1, 2016 6:31 PM

All replies

  • Any definitive answer on this yet?
    Thursday, June 30, 2016 11:51 PM
  • Thank you for sharing this.

    When it comes to conditional access, ADFS offers a limited panel of options.

    What can be done with ADFS in that regard?

    You could use the Device Registration Service of ADFS and create a group policy that will automatically workplace join your domain joined devices. But that would only work for iOS 6 and higher and Windows 8.1 (and Windows 7 if you install a special module). Not for Windows 8, nor Windows 10 (nor Android, but iOS and Android are never really domain joined anyway). Then you could create a rule to say you can use EXO only if you are workplace joined.

    With Azure AD (and Intune; conditional access policies are actually stored in Azure AD), you have a much more flexible panel of possibilities. Trigger MFA if the device is not compliant according to the criteria that you pick, for example. You will find plenty of info on the EMS blog: https://blogs.technet.microsoft.com/enterprisemobility/?product=microsoft-intune


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, July 5, 2016 1:16 PM
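The reply above describes an ADFS issuance authorization rule that allows Exchange Online only from workplace-joined devices. The following is an added example of what such a rule set looks like in ADFS 3.0 claims rule language, applied with the ADFS PowerShell module; it is not code from the thread or from Microsoft. It assumes the Office 365 relying party trust still carries its default display name, that Outlook Anywhere clients present the `x-ms-client-application` claim with the value `Microsoft.Exchange.RPC`, and that the Device Registration Service issues the `isregistereduser` claim with the value `true` for registered devices; confirm those values against a test sign-in in your own ADFS environment before relying on them.

```powershell
# Added example (not from the thread): ADFS 3.0 issuance authorization rules that deny
# Outlook Anywhere (RPC over HTTP) logons to Exchange Online unless the device was
# registered through the ADFS Device Registration Service (workplace joined).
# ASSUMPTION: default display name of the Office 365 relying party trust.
$rpName = "Microsoft Office 365 Identity Platform"

# Deny rules win over permit rules in ADFS, so the deny comes first and a
# plain permit follows for everything else.
$rules = @'
@RuleName = "Deny Outlook Anywhere unless the device is workplace joined"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.RPC"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Keep the current rule set so the change can be rolled back.
$backup = Join-Path $env:TEMP "o365-issuance-authz-rules.backup.txt"
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules | Out-File -FilePath $backup

# Replace the issuance authorization rules on the Office 365 relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read the rules back to verify what ADFS now enforces.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Run this on an ADFS server (or with the ADFS module installed) as an ADFS administrator. The rule only affects new authentications that pass through ADFS: tokens that were already issued remain valid until they expire, browser (passive) sign-ins do not carry the `x-ms-client-application` claim and are therefore unaffected by the deny rule, and the platform limitations the reply mentions apply, since a device that cannot workplace join will never present the `isregistereduser` claim.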