How do we restrict Office 365 access to hourly employee's working hours RRS feed

  • Question

  • How do we restrict employee's access to a company provided Office 365 account to only their scheduled work hours?  If hourly employees work you have to pay them.  We don't want our hourly employees to be able to work on nights or weekends when they are not schedule to work.  If they did work it could either cause us to pay a lot of unplanned overtime or lead to a lawsuit that hourly employees were not being paid for actual work time.

    Some employees have rotating shifts so I am hoping their is a way to upload the schedules rather than maintaining them separately.

    Thank you!


    Tuesday, July 23, 2013 10:02 PM

All replies

  • Hi,

    The whole point of using Office 365 is to allow everyone to access from practically everywhere as long as you have internet connectivity but right now you are thinking of blocking access to the corporate emails?

    I believe this should be categorize to just user governance and user education. They should be made known and clearly that regardless of when they work on their stuffs. If it is not within the routine or schedule, they will not be counted towards the wages. 

    Wouldn't that be easier? Share with me more and we can discuss in depth. 


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. Milton Goh

    Wednesday, July 24, 2013 3:15 AM
  • Hi Jim, another thing you could do is schedule a PowerShell script that disables owa access (or any other type of access) and another one that enables it at a specific hour. The script is simple to create and the schedule too but you need to have some PowerShell notions :)


    Alberto Pascual MVP-MCSA-MCITP-MCTS-MCP-O365MS-MCC http://blogs.itpro.es/guruxp

    Wednesday, July 24, 2013 7:09 AM
  • You are missing the point that in US labor law if an hourly person works they have to be paid.  It is a requirement the law puts on the employer, so any agreement the employer makes with the employee is illegal.  Allowing hourly workers to work without being paid opens a company up to legal action from the Department of Labor.  All it takes is one employee reporting that they are not being paid to cause the Employer's practices to be audited and the Employer will then be forced to pay all back wages.

    This is the challenge that we are having with Office 365.  It is being created as a consumer product and we are having difficultly trying to take this consumer product and use it in a business setting without getting in trouble.


    Wednesday, July 24, 2013 1:18 PM
  • We will take a look at this.  Thank you for your help.


    Wednesday, July 24, 2013 1:19 PM
  • Apology that I have missed out the US labor law. 

    Cheers that you have gotten some help! 

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. Milton Goh

    Wednesday, July 24, 2013 2:43 PM
  • Hi,

    Has Microsoft got a fix for this?  I am running this issue with the City organization that has a need to turn off access to Office 365 on off hours.  We have a script that add and removes a Security group in and out daily but that is not a long term solution.


    Eric Pulliam

    Friday, January 17, 2014 6:25 PM
  • Hi,

    maybe an ADFS rule could do the work.


    Désiré GOVIN, Refresh IT Solutions.com

    Monday, January 20, 2014 9:56 AM
  • Hi,

    client Access Policies are supposed to address this need. Office 365 customers can create policies that limit access to Office 365 services based on where client resides. To help you create that kind of policies, you can use the Office Client Access Policy Builder script on Technet :


    Hope this helps,

    Fabrice DI GIULIO, http://blog.digiulio.fr

    Technical Solutions Professional, EMEA at AvePoint


    • Proposed as answer by Fabrice DG Monday, January 27, 2014 3:23 PM
    Monday, January 27, 2014 3:23 PM
  • If you are using ADFS you can use the on-premise AD hourly restrictions.  See the following link:


    Monday, December 8, 2014 2:41 PM
  • This doesn't address the issue, restricting based on location is not the same as restricting based on work hours. 
    Monday, October 10, 2016 7:42 PM
  • As far as I can tell, the AD policy is computer based...not user based.  So can anyone suggest a fool-proof way to only allow users to access Office 365 resources based on a fixed time schedule OR just say...it can't be done.
    Monday, October 10, 2016 7:43 PM
  • This is still a problem for us.  Is Microsoft not working on a user-friendly solution for this???  I cannot have employees checking email after hours because it throws a burden onto us as the employer to pay our employees for this time.

    Sunday, January 29, 2017 9:27 PM
  • Hello all!

    Follow this link:


    You can create powershell scripts (to enable/disable office 365 features) and use Windows Task Cheduler to run it as your needs.

    Hope this will help!




    Wednesday, February 15, 2017 6:56 PM
  • Logon Hours restriction is user base setting in active directory and ADFS should respect that and wouldn't allow user to connect to O365 resources out of allowed schedule.

    Wednesday, February 15, 2017 8:35 PM
  • I don't know that this would apply to mobile devices as once they have authenticated the connection is certification based.
    Friday, December 29, 2017 5:57 PM
  • that is against the law.  If an hourly employee works and you don't pay them there are VERY stiff penalties.  
    Tuesday, July 17, 2018 3:50 PM
  • I think that is the point.  He wants to restrict his user(s) from being able to use email after hours so that they can't work and claim pay.
    Wednesday, October 3, 2018 5:13 PM
  • There is no solution to this issue from the product.

    If it was more of a problem recognized by many more businesses then there would be a response. Or, least there would have been one before now.

    The more optimal solution is seems is to write a company policy that explains the use of this functionality (Office 365) and that it is to be used for business purposes only and during work hours only.

    Tuesday, September 3, 2019 3:38 PM
  • You have to implement ADFS to get the working hours restriction to work. The attribute that controls login time limits doesn't get synced to O365, so you need ADFS to authenticate directly against AD. If you have that in place and a user is outside their login hours, they won't be able to log in.

    Alternatively, you can look at implementing Pass-through authentication instead, as that would authenticate against AD as well.

    Tuesday, September 3, 2019 3:43 PM