This rule blocks access from clients residing outside the corporate network that have an external client IP address, except for those individuals in a specified Active Directory Group.
Please follow the steps below.
Create an Active Directory security group.
Add the users whose external access to Office 365 you want to block.
Copy the SID value of the group and save it in Notepad.
In the AD FS console tree, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Access Control Policy…
Then click Add Rule to start the Claim Rule Wizard.
On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
On the Configure Rule page, under Claim rule name, type the display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "Group SID value of allowed AD group"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value =~ "customer-provided public ip address regex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
Ensure that the SID value of the allowed AD group and the external IP regular expression are entered correctly.
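As an added illustration that is not part of the original steps, the following Python models how AD FS evaluates the three conditions of the rule above against a few constructed claim sets, and shows why the IP regular expression in the last condition should be anchored. The group SID, IP addresses and proxy name are constructed placeholders, not values from any real deployment.

```python
import re

# Claim types referenced by the rule on this page
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
CLIENT_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Constructed placeholders: the SID pasted into the rule and the corporate egress
# address. Both are anchored so they cannot match a longer, unrelated value.
RULE_GROUP_SID = r"^S-1-5-21-1111111111-2222222222-3333333333-1234$"
CORP_IP_REGEX = r"^203\.0\.113\.7$"


def exists(claims, claim_type, value_regex=None):
    """Model exists([Type == ..., Value =~ ...]): true if any claim of that type
    has a value matching the regex (a search, like .NET Regex, so anchors matter)."""
    return any(t == claim_type and (value_regex is None or re.search(value_regex, v))
               for t, v in claims)


def evaluate_rule(claims, group_sid=RULE_GROUP_SID, corp_ip_regex=CORP_IP_REGEX):
    """Return the issued (Type, Value) deny claim, or None if the rule does not fire.
    Mirrors the page's rule: request came through the proxy AND the user carries the
    group SID AND the forwarded client IP does not match the corporate address."""
    if (exists(claims, PROXY)
            and exists(claims, GROUP_SID, group_sid)
            and not exists(claims, CLIENT_IP, corp_ip_regex)):
        return (DENY, "true")
    return None


def request(via_proxy, group_sids, client_ip):
    """Build a constructed claim set for one sign-in request."""
    claims = [(GROUP_SID, s) for s in group_sids]
    if via_proxy:                                # the Web Application Proxy adds both
        claims.append((PROXY, "wap01"))          # x-ms-proxy (its own name) and
        claims.append((CLIENT_IP, client_ip))    # x-ms-forwarded-client-ip
    return claims


MEMBER = ["S-1-5-21-1111111111-2222222222-3333333333-513",    # Domain Users
          "S-1-5-21-1111111111-2222222222-3333333333-1234"]   # the group in the rule
NON_MEMBER = MEMBER[:1]

# The four cases the rule distinguishes
CASES = {
    "member, corporate egress": evaluate_rule(request(True, MEMBER, "203.0.113.7")),
    "member, external address": evaluate_rule(request(True, MEMBER, "198.51.100.20")),
    "non-member, external": evaluate_rule(request(True, NON_MEMBER, "198.51.100.20")),
    "member, intranet (no proxy)": evaluate_rule(request(False, MEMBER, "10.1.2.3")),
}

# An unanchored "203.0.113.7" also matches 203.0.113.75, so that external client
# would be treated as internal and never denied; the anchored regex catches it.
LOOSE = evaluate_rule(request(True, MEMBER, "203.0.113.75"), corp_ip_regex=r"203.0.113.7")
STRICT = evaluate_rule(request(True, MEMBER, "203.0.113.75"))
```

Only the "member, external address" case and STRICT produce the deny claim; every other case lets the request continue.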
Watch this video to see the client behaviour after creating the above rule.