Caleb Sizemore

Locking down SharePoint

We are trying to set up SharePoint Online so it is only accessible internally by our users, so they are unable to access it from outside our network. We have not set up the WS-Federation with Office 365 and have set up the built-in SWA application for SharePoint (with the IP restrictions), but when we manually access SharePoint (without logging into Okta) we are still able to log in when off network.

Is there a way to set this up so whenever users go to our SharePoint site off network, they are denied access?  Do we need to proceed with the WS-Federation to make this possible?

All Answers

Wils Dawson (Okta, Inc.)
Hi Caleb,

In SWA apps, if you go directly to the app and the user knows the password, because Okta is (and can't be) in that flow, we cannot do anything to protect access. The best solution would be to use WS-Federation to guarantee that Okta is in the flow and remove passwords as a way to access that application. 

Hope that helps,
Wils
Caleb Sizemore
Thank you for the quick reply Wils!

So with the WS-Federation, is it safe to say that when a user in the organization tries to access SharePoint from outside our network (as long as we have the policies set up correctly), they would be denied access?
Wils Dawson (Okta, Inc.)
When using WS-Federation (or SAML), Okta will always be in the authentication flow. If the user needs to acquire a new session for the app, the app will redirect to Okta and Okta will either grant access, deny access, or ask for step-up authentication (MFA). You can set up an app sign-on policy for your SharePoint app in Okta to deny access if they are off network and, because Okta will be involved in each authentication request, they will not be able to get new SharePoint sessions. I would also make sure that your SharePoint session settings are configured to your liking, such that a user cannot log in from your network, go home, and continue to have access through that session (assuming that matters to you).
This was selected as the best answer
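To make the distinction in the answers above concrete, here is an added Python model (not Okta's code or configuration, and not part of the original thread) of why the network restriction only bites when the identity provider is in the flow. It assumes a constructed corporate zone of two CIDRs and an eight-hour SharePoint session lifetime; both are placeholders for your own values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed corporate network zone (assumption: replace with your egress ranges).
CORPORATE_ZONE = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

def in_corporate_zone(client_ip: str) -> bool:
    """True if the client address falls inside one of the zone CIDRs."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CORPORATE_ZONE)

def signon_decision(client_ip: str) -> str:
    """Model of the app sign-on rule: ALLOW on network, DENY everywhere else."""
    return "ALLOW" if in_corporate_zone(client_ip) else "DENY"

@dataclass
class Session:
    issued_at: datetime
    lifetime: timedelta

    def valid_at(self, now: datetime) -> bool:
        return now < self.issued_at + self.lifetime

def swa_direct_access(client_ip: str, password_ok: bool) -> str:
    """SWA: the user goes straight to SharePoint with the password.
    Okta never sees the request, so the network rule is never evaluated."""
    return "ALLOW" if password_ok else "DENY"

def federated_access(client_ip: str, session, now: datetime,
                     lifetime: timedelta = timedelta(hours=8)):
    """WS-Federation: SharePoint redirects to Okta whenever a NEW session is
    needed, so the sign-on rule runs on every session acquisition. An existing
    session is honoured until it expires, which is the caveat in the answer:
    a session acquired on network keeps working off network until then."""
    if session is not None and session.valid_at(now):
        return "ALLOW (existing session)", session
    if signon_decision(client_ip) == "DENY":
        return "DENY", None
    return "ALLOW (new session)", Session(now, lifetime)
```

Shortening the session lifetime (or requiring re-authentication) is what closes the remaining gap once the federated flow is in place.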