Block all external access to Office 365 except for browser-based applications
https://support.okta.com/help/answers?id=906f0000000i0ooiak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
James Cherrybon


We have a need to block all external access to Office 365 except for the web-based products. This is a feature of ADFS that we are trying to replicate with Okta.

I know we can set a sign-on policy to require MFA when connecting from an external network but that includes both the full and web clients.  We need an option to block full clients externally while still allowing the web clients.

From Microsoft:

https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx
 

  • Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online - Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.
Best Answer chosen by Niki (Okta, Inc.) 
Marc Jordan (Okta, Inc.)

Hi James,

Thanks for posting on the Support Community.

A few weeks ago, we rolled out the Beta of our Office 365 Client Access Policies. More information is available from:

https://support.okta.com/help/blogdetail?id=a67F0000000L1QlIAK

and

https://support.okta.com/help/articles/Knowledge_Article/Getting-Started-with-Office-365-Client-Access-Policies

Our O365 Client Access Policies allow customers to block access externally for Thick Clients while allowing Browser based access. There is one important caveat that Microsoft make around this, as detailed in:
http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx 

  • “With modern authentication, all clients will use Passive Flows (WS-Federation), and will appear to be browser traffic”
  • “We recommend organizations that rely on this scenario to not onboard their tenants for modern authentication.”


So with that in mind, both Web Browsers and Outlook 2016 (and patched 2013 clients on PC) all look like Web Browsers while Modern Authentication is turned on. There are 2 possible approaches you can take here:

  • Disable Modern Authentication (done through PowerShell as described here: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/)
  • Determine whether it is feasible to, rather than blocking all access, allow access only if a user has performed MFA.

If you want to get your non-production Okta tenant involved in the Preview of Office 365 Client Access Policies and prepared to work with us to provide feedback about the feature, please feel free to email your non-production tenant and contact details to Beta@Okta.com and we can get it enabled.

Thanks!
Marc
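The first approach in the answer above hinges on the tenant-wide modern-authentication switch in Exchange Online, so it is worth auditing that setting before relying on a client access policy to tell thick clients apart from browsers. The script below is an added example, not code from the answer or from Okta; it assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline from the ExchangeOnlineManagement module) and uses the OAuth2ClientProfileEnabled property that the linked Microsoft post describes. By default it only reports the current state; the change is made only when the -Disable switch is passed, and the result is re-read afterwards so a silent failure is not mistaken for success.

```powershell
# Added example (not part of the original answer). Assumes an existing
# Exchange Online PowerShell session with permission to read and change
# the organization configuration.

function Test-ModernAuthState {
    <#
      Reports whether modern authentication (OAuth2ClientProfileEnabled) is on
      for the tenant. With -Disable, turns it off so that Outlook and other
      thick clients stop presenting as passive/browser traffic to the
      Office 365 client access policy, then verifies the change was applied.
    #>
    param(
        [switch]$Disable
    )

    # 1. Capture the current state before touching anything, so the audit
    #    record shows what was in place.
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "OAuth2ClientProfileEnabled before: $before"

    if (-not $Disable) {
        # Read-only audit run; nothing is changed.
        return [pscustomobject]@{ Before = $before; After = $before; Changed = $false }
    }

    if ($before -eq $false) {
        Write-Host "Modern authentication is already disabled; no change made."
        return [pscustomobject]@{ Before = $before; After = $before; Changed = $false }
    }

    # 2. Apply the change the answer refers to.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

    # 3. Re-read rather than trusting the cmdlet's silence; configuration
    #    writes in Exchange Online can take a moment to become visible.
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if ($after -ne $false) {
        throw "OAuth2ClientProfileEnabled still reads '$after' after the change; re-check before relying on the client access policy."
    }

    Write-Host "OAuth2ClientProfileEnabled after: $after"
    return [pscustomobject]@{ Before = $before; After = $after; Changed = $true }
}

# Audit only:
Test-ModernAuthState

# Apply the change described in the answer's first approach:
# Test-ModernAuthState -Disable
```

Run the audit form first and keep its output; if the value is already $true and the thick-client block is in place, that combination is exactly the case Microsoft's caveat warns about, because every client will then arrive as WS-Federation passive traffic and the policy cannot tell Outlook from a browser. Note also that turning modern authentication off means Outlook falls back to legacy authentication against Exchange Online, which Microsoft has since retired for most protocols, so the second approach in the answer (require MFA rather than block) is the one that remains workable on current tenants.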