Today I want to have a look at using Azure Conditional Access to restrict external access to Exchange Online OWA. In Azure CA the condition “Client apps” is in preview, with which we can block Exchange Online access using a browser. Combined with the condition “Locations” we are able to only block external access and allow access to Exchange Online using a browser when the user is located on the internal network.
Setting up the Azure Conditional Access policy
Logon to the Azure Portal and browse to Azure Active Directory or Intune. Open the tab Conditional Access and click on +New Policy. The new policy is opened, give your policy a name and click on Users and Groups. Here you need to choose to which users and/ or groups this policy will be applied. It is recommended for testing to pick a group with a small number of users first to test your implementation. If needed you can also select a user or group which will be excluded from the policy.
Under Exclude I will select MFA Trusted IPs. I have added all my (external) IP addresses from our offices to MFA Trusted IPs, so this will allow OWA access from our internal office networks.
These MFA trusted IPs are managed from Azure AD, Conditional Access, Named Locations.
From an external location, open up a browser and visit https://portal.office.com/myapps
With the option Client apps in Azure Active Directory Conditional Access it is now possible to block OWA access based on IP-addresses without using AD FS.