Block all external access to Office 365 for specific users

This claim rule denies access to Office 365 for members of a specified Active Directory group when their request arrives from outside the corporate network, that is, through the Web Application Proxy with an external client IP address. Members of the group can still sign in from the corporate network, and users who are not in the group are unaffected.

Follow the steps below.

Create an Active Directory security group.


Add the users whose external access to Office 365 you want to block.


Copy the group's SID value and save it in Notepad; you will paste it into the claim rule later.


In the AD FS console tree, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Access Control Policy…


Then click Add Rule to start the Claim Rule Wizard.


On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.


On the Configure Rule page, under Claim rule name, type the display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:


exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "Group SID value of the AD group to block"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "customer-provided public ip address regex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

Make sure the group SID value and the corporate public IP regular expression are entered correctly (use straight double quotes, not the curly quotes a word processor may insert). Read together, the three conditions issue the deny claim only when the request came through the Web Application Proxy (the x-ms-proxy claim is present), the user is a member of the group, and the forwarded client IP does not match the corporate public IP range; every other request is left to the trust's existing authorization rules.

Click Finish.
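The same procedure can be scripted so the SID and IP range are never retyped by hand. The following PowerShell is an added example, not code from the original post: it looks up the group's SID (step 3), builds the deny rule with the two placeholders filled in, and appends it to the trust's issuance authorization rules. The group name O365-BlockExternal and the 192.0.2.0/24 egress range are constructed values for this example; the trust name Microsoft Office 365 Identity Platform is the one used in the post.

```powershell
# Added example (not from the original post). Applies the post's deny rule to the
# Office 365 relying party trust with PowerShell instead of the console wizard.
# Run on the primary AD FS server; needs the ActiveDirectory (RSAT) and ADFS modules.
Import-Module ActiveDirectory
Import-Module ADFS

$GroupName   = 'O365-BlockExternal'                      # assumption: group created in step 1
$CorpIpRegex = '^192\.0\.2\.\d{1,3}$'                     # assumption: corporate public egress IPs (RFC 5737 range)
$RpName      = 'Microsoft Office 365 Identity Platform'   # trust name from the post

# Step 3 of the post: read the group SID from AD rather than copying it from the GUI.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value
if ($GroupSid -notmatch '^S-1-5-21-') {
    throw "Unexpected SID for ${GroupName}: $GroupSid"
}

# The post's rule with both placeholders substituted. The SID is compared with ==
# (exact match) so a regex match cannot hit another SID that merely shares a prefix.
$DenyRule = @"
@RuleName = "Deny external access for members of $GroupName"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$CorpIpRegex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# -IssuanceAuthorizationRules REPLACES the whole rule set, so append to the existing
# rules; the Office 365 trust normally carries a "Permit Access to All Users" rule
# that must remain in place.
$Rp = Get-AdfsRelyingPartyTrust -Name $RpName
if ($null -eq $Rp) { throw "Relying party trust '$RpName' not found" }
if ($Rp.IssuanceAuthorizationRules -match [regex]::Escape($GroupSid)) {
    Write-Warning "A rule referencing $GroupSid already exists; nothing changed."
    return
}
$NewRules = $Rp.IssuanceAuthorizationRules.TrimEnd() + "`r`n" + $DenyRule
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $NewRules

# Show the stored rules so the substituted SID and regex can be checked before testing a sign-in.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
```

On AD FS 2016 and later a trust that has an access control policy assigned does not accept custom issuance authorization rules until that policy is removed from the trust, so check Get-AdfsRelyingPartyTrust output for an AccessControlPolicyName before running this. A deny claim always wins over a permit claim in the authorization stage, so the order of the appended rule relative to the existing permit rule does not matter.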


Watch this video to see the client behaviour after creating the above rule.

https://youtu.be/xJkJLL1pz18
