Getting Granular with Office 365 Sign-On Policies Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.

Getting Granular with Office 365 Sign-On Policies

Apr 29, 2016 | by Marc Jordan in Office 365

Update: Office 365 Client Access Policies are now available and fully supported in General Availability - for Office 365 customers, this is available from your Application Sign-On Policies!

Office 365 is the most widely used application in our network today. Last week we announced Early Access to our Office 365 Provisioning Enhancements and the feedback has been tremendous so far. Today, I wanted to share with you a first look at some of the  new functionality we have coming to Office 365 over the next few weeks.

Our Protocol-aware Sign-On Policies will help you to enhance the overall security of your Office 365 implementation. It also lets you leverage Okta’s policy framework to build rules and controls around how specific clients access the service without complex claim rule language, regular expressions or PowerShell.

Let’s take a look.

If you’re familiar with Okta, you know that our granular policy framework allows you to configure how a user can access their digital environment.  With Office 365, we have enhanced this further to allow you control sign-in behavior based on the client type as well:
User-added image

Now what I can do is build granular policies to control the level of access my users have depending on the service they are using.

As an example, I could configure a set of policies that:

  • Allow my users inside my network to sign-in without the need for MFA on any client
  • Allows users on desktops, accessing from outside the network, to sign-in provided they have performed MFA (Provided Modern Authentication is configured on the tenant and the user is leveraging a client enabled for it)
  • Allow users on mobile clients, with Exchange ActiveSync, to sign in from anywhere (without MFA), provided they have been added to a Security Group
User-added image

This is just a sneak peek of what we have in the works, and we’ll be sure to provide an update over the coming weeks when this feature becomes available to test and deploy in your own organization. In the meantime, we’d love to hear your comments and feedback in this group.