Office 365 Services auf das eigene Netzwerk einschränken

Ich wurde in der letzten Woche gefragt, ob man die Office 365 Services aus Sicherheitsgründen neben einer Multi-Faktor-Authentifizierung nicht gleich komplett auf das eigene Netzwerk einschränken kann. Externe Clients sollen blockiert und komplett ausgeschaltet werden.

 

Nach einigen Minuten Suche habe ich in TechNet die Lösung gefunden:
https://technet.microsoft.com/en-us/library/hh526961%28v=ws.10%29.aspx

 

Dafür benötigt ihr den Active Directory Federation Services (AD FS) 2.0. Anschließen sind dann folgende Einstellungen/Szenarien möglich:

  • “Scenario 1: Block all external access to Office 365
  • Scenario 2: Block all external access to Office 365 except Exchange ActiveSync
  • Scenario 3: Block all external access to Office 365 except browser-based applications”

 

Eine genaue Beschreibung findet sich auch direkt: (zitiert am 08.05.2016)

 

Scenario Description
Block all external access to Office 365 Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.
Block all external access to Office 365, except Exchange ActiveSync Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.
Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.
Block all external access to Office 365 for members of designated Active Directory groups This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory group. It can also be used to provide external access only to members of a group.