Device Access

Managing device access for Microsoft 365 is key to ensuring that only known devices can access the service or store company data. There are two main strategies that can be used to control device access for Microsoft 365:

  • Network restriction: Microsoft 365 services can only be accessed from authorized network locations, such as inside the organization perimeter, where managed devices reside. This scenario is enforced in the service during the authentication and authorization phase, where users identify themselves and their locations, before being granted access to services.
  • Conditional access: Services can only be accessed when conditions, such as group membership, device compliance, network region, or multi-factor authentication, are satisfied. 

A network restriction can be implemented with one or more of the following four features:

  • Conditional Access: As we mentioned previously, conditional access can be used to interrogate devices accessing the service for their IP address information and then grant or deny access based on that (among other conditions). Microsoft recommends configuring conditional access as the best way to manage device and application access.
  • Active Directory Federation Services (AD FS) claims rules: In an identity federation scenario, claims are information about users that are exchanged between different identity providers, such as between a local Active Directory and Azure Active Directory. In this case, claims rules allow administrators to configure conditions that must be satisfied to enable the authorization. Organizations frequently use AD FS claims rules to limit access to services based on IP addresses.
    Active Directory Federation Services (AD FS) claims rules for Office 365 services do not work effectively for geofencing purposes. In most Office 365 application scenarios, users attempt to access the Office 365 service from their device and are redirected to the on-premises environment. The result is that the "client IP address" being presented to AD FS is from Office 365, not the originating client device.
  • Exchange Online Client Access Rules: Administrators can configure conditions to authorize access to Exchange Online services. Among the services that administrators can configure Exchange Online Client Access rules for are Exchange Admin Center (EAC), PowerShell, Exchange ActiveSync, and Exchange Web Services (EWS).
  • OneDrive for Business and SharePoint Online Device Access: Administrators can configure the networks from which users are authorized to access OneDrive and SharePoint content. This setting also applies to external users and to administrator access, so it should be planned carefully before it is rolled out to users. It affects all services that use SharePoint (such as OneDrive, SharePoint Online, and Microsoft Teams). Misconfiguring the allowed networks will prevent users (and administrators) from accessing the service, and resolving it will require a call to Microsoft support.
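The following PowerShell is an added example and is not code from the book: it configures two of the network restriction features above, an Exchange Online Client Access Rule and the SharePoint Online/OneDrive IP allow list, and adds the pre-check the last bullet calls for, refusing to enable SharePoint enforcement when the administrator's own address is not in the allow list. The tenant name contoso, the corporate range 203.0.113.0/24, the administrator address 203.0.113.10, and the user alice@contoso.com are constructed placeholders; the cmdlets are the real ones from the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules.

```powershell
# Added example (not from the book): network restriction for Exchange Online and SharePoint Online.
# Constructed values: tenant "contoso", corporate egress range 203.0.113.0/24, admin connecting from 203.0.113.10.

$CorpRanges = @('203.0.113.0/24')   # constructed: corporate egress range(s) in CIDR form
$AdminIp    = '203.0.113.10'        # constructed: public address the administrator is connecting from

# Convert a dotted IPv4 address to an unsigned 32-bit number (network byte order).
function ConvertTo-IPv4Number {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # big-endian
    if ([System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

# Return $true when $Ip falls inside at least one of the CIDR ranges.
function Test-IPv4InRanges {
    param([string]$Ip, [string[]]$Ranges)
    $target = ConvertTo-IPv4Number $Ip
    foreach ($range in $Ranges) {
        $network, $prefix = $range -split '/'
        $hostBits = 32 - [int]$prefix
        $mask = [uint32]([uint32]::MaxValue - ([math]::Pow(2, $hostBits) - 1))
        if (($target -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)) { return $true }
    }
    return $false
}

# --- Exchange Online: deny Exchange Web Services and ActiveSync unless the client is on the corporate range ---
Connect-ExchangeOnline

New-ClientAccessRule -Name 'Block EWS and EAS outside corporate network' `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeWebServices, ExchangeActiveSync `
    -ExceptAnyOfClientIPAddressesOrRanges $CorpRanges `
    -Priority 1

# Evaluate a hypothetical connection (OAuth, EWS, from a non-corporate address) against the rule set
# before trusting it in production; the output names the rule that would apply.
Test-ClientAccessRule -AuthenticationType OAuthAuthentication -Protocol ExchangeWebServices `
    -RemoteAddress 198.51.100.7 -RemotePort 443 -User 'alice@contoso.com'

# --- SharePoint Online / OneDrive: allow-list corporate networks, guarded against locking out the admin ---
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

if (-not (Test-IPv4InRanges -Ip $AdminIp -Ranges $CorpRanges)) {
    throw "Admin address $AdminIp is not inside the allow list; enabling enforcement would lock you out."
}
Set-SPOTenant -IPAddressAllowList ($CorpRanges -join ',') -IPAddressEnforcement $true

# Read the setting back to confirm what is now enforced tenant-wide (SharePoint, OneDrive, Teams files).
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
```

The guard only checks the one address you pass in, so run it from the same network path you will administer from afterwards; SharePoint enforcement applies to the admin center and to the PowerShell session itself. Also bear in mind that Microsoft has announced the retirement of Exchange Online Client Access Rules in favour of Conditional Access, which is the approach this chapter recommends anyway.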

The following screenshot shows the device access configuration options in the OneDrive admin center:

The most flexible (and preferred) approach for controlling authorized locations is to create Conditional Access policies, which, like the previous options, define conditions and actions.

The following diagram shows the main components of a Conditional Access Policy:

The core conditions for building a Conditional Access Policy are as follows:

  • Users and groups
  • Sign-in risk
  • Device platform
  • Location
  • Client apps
  • Device state

Once the conditions have been evaluated, administrators can configure actions such as the following:

  • Blocking access
  • Granting access, but requiring multi-factor authentication
  • Granting access, but requiring a device to be compliant with Intune requirements
  • Enforcing limited session usage, such as preventing users from opening SharePoint documents locally

As part of testing a Conditional Access policy, administrators can simulate a set of conditions, such as user and location, to understand which policies would apply and what the outcome of applying them would be.
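The following Microsoft Graph PowerShell is an added example, not code from the book, showing how the conditions and actions listed above map onto a Conditional Access policy object: users and groups, location, device platform, client apps, and a grant requiring both multi-factor authentication and an Intune-compliant device, plus the session control that lets SharePoint limit what a browser session can do. It is created in report-only mode, which is the service-side complement to the simulation described in the paragraph above: the policy is evaluated and logged at every sign-in but enforces nothing. The corporate range 203.0.113.0/24, the group and break-glass account IDs, and the policy names are constructed placeholders; the cmdlets and property names are the real Graph ones.

```powershell
# Added example (not from the book): Conditional Access policy via Microsoft Graph PowerShell.
# Constructed values: pilot group id, break-glass account id, corporate range 203.0.113.0/24.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$PilotGroupId      = '00000000-0000-0000-0000-000000000001'   # placeholder: object id of the pilot security group
$BreakGlassUserId  = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access account, always excluded

# Location condition: a trusted named location for the corporate network.
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }   # constructed range
    )
}

# Policy: pilot users, every cloud app, every platform, browser and modern-auth clients,
# from any location other than the corporate network -> require MFA AND a compliant device,
# and hand SharePoint/OneDrive an "app-enforced restrictions" signal so they can limit the browser session.
$policy = @{
    displayName = 'Pilot: MFA and compliant device required outside corporate network'
    state       = 'enabledForReportingButNotEnforced'   # report-only: logged, not enforced
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('all') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($corpLocation.Id) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review what the report-only policy would have done at recent sign-ins before switching it to 'enabled'.
# Results such as reportOnlySuccess / reportOnlyFailure show the grant outcome without any user impact.
Get-MgAuditLogSignIn -Top 50 |
    ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id } |
            ForEach-Object {
                [pscustomobject]@{
                    User     = $signIn.UserPrincipalName
                    When     = $signIn.CreatedDateTime
                    Location = $signIn.IPAddress
                    Result   = $_.Result
                }
            }
    } | Format-Table -AutoSize
```

Leave the policy in report-only mode until the sign-in log shows the expected outcomes for users both inside and outside the corporate range, then change state to enabled. The break-glass exclusion is what keeps a mistake in the location or compliance condition from locking every administrator out, the same failure mode the SharePoint network restriction warns about.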

We'll talk about Device Management in the next section.
