Difference between revisions of "Office365 Exchange Online Restrict Access"
Michael.mast (talk | contribs) (Created page with "==Purpose== To restrict access to email to specific applications, locations, and users. ==Notes== *Want to use email containerization for devices outside the LAN. Internal us...")
Michael.mast (talk | contribs) (→Notes)
Revision as of 15:01, 22 February 2018
Purpose
To restrict access to email to specific applications, locations, and users.
Notes
- Want to use email containerization for devices outside the LAN. Internal users can access email from terminal servers or virtual desktops.
- Client Access Rules can be used to restrict access to just the datacenter using IP whitelisting.[1][2]
- Conditional Access could be used, but appears not to support all email clients.[3][4]
- ActiveSync device access might be ideal if you can restrict based on device family. For example, Sophos Secure Email containers show up with a name starting with "SecurePIM". If you allow only devices that fall within this family, and no other mail client uses this family, then you have restricted access.[5][6]
There are two methods to follow:
- A restrictive technical control model
- A less restrictive policy-based model
In the first model we would restrict access to Exchange Online to the datacenter, then run a proxy there. In the less restrictive model we would tell users they are not allowed to use any client except the approved app, then monitor for violations using auditing.[7][8] If a violation occurs, the business can handle disciplinary measures.
It may be possible to restrict access for MAPI clients using Client Access Rules, then restrict ActiveSync connections using ActiveSync Device Access rules that specify the device family.
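The following Exchange Online PowerShell script is an added example, not part of the original wiki page; it shows the two models above side by side: Client Access Rules that allow the mail protocols only from a datacenter range and deny them elsewhere, an ActiveSync device access rule that allows only the approved container's device family, and a mailbox audit search that surfaces owner logons from outside the allowed range. It assumes an already connected Exchange Online PowerShell session; the IP ranges (documentation ranges), the mailbox `user@example.com`, and the `SecurePIM` DeviceType value are placeholders to be replaced with values observed in your own tenant.

```powershell
# Added example (not from the wiki page). Assumes Connect-ExchangeOnline has already been run.
# All ranges, names and the DeviceType value below are placeholders (assumptions).

$adminRange      = '203.0.113.0/24'   # assumed: admin / jump-host egress range (placeholder)
$datacenterRange = '198.51.100.0/24'  # assumed: datacenter proxy egress range (placeholder)
$testUser        = 'user@example.com' # assumed: a mailbox to test against (placeholder)

# --- Model 1: restrictive technical control (Client Access Rules) ---
# Rule 1 (highest priority): keep Remote PowerShell reachable from the admin range so a
# mistaken deny rule cannot lock administrators out of the tenant.
New-ClientAccessRule -Name 'Allow admin PowerShell' -Priority 1 -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell -AnyOfClientIPAddressesOrRanges $adminRange

# Rule 2: allow the mail-client protocols only from the datacenter proxy range.
New-ClientAccessRule -Name 'Allow mail clients from datacenter' -Priority 2 -Action AllowAccess `
    -AnyOfProtocols OutlookWebApp,OutlookAnywhere,ExchangeWebServices,ExchangeActiveSync `
    -AnyOfClientIPAddressesOrRanges $datacenterRange

# Rule 3 (lowest priority): deny the same protocols from any other address.
New-ClientAccessRule -Name 'Deny mail clients elsewhere' -Priority 3 -Action DenyAccess `
    -AnyOfProtocols OutlookWebApp,OutlookAnywhere,ExchangeWebServices,ExchangeActiveSync

# Evaluate the rule set before relying on it: an OWA logon from outside the datacenter
# should hit the deny rule, one from inside the range should be allowed.
Test-ClientAccessRule -User $testUser -Protocol OutlookWebApp -RemotePort 443 `
    -AuthenticationType BasicAuthentication -RemoteAddress '192.0.2.10'     # outside: expect the deny rule
Test-ClientAccessRule -User $testUser -Protocol OutlookWebApp -RemotePort 443 `
    -AuthenticationType BasicAuthentication -RemoteAddress '198.51.100.10'  # inside: expect the allow rule

# --- ActiveSync: allow only the approved container's device family ---
# Device access rules match the characteristic value the client reports, so first look at
# what DeviceType the approved app actually presents instead of guessing the string.
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceType | Select-Object Name, Count | Sort-Object Count -Descending

$approvedFamily = 'SecurePIM'   # assumed: replace with the DeviceType value observed above
New-ActiveSyncDeviceAccessRule -Name 'Allow approved container' `
    -Characteristic DeviceType -QueryString $approvedFamily -AccessLevel Allow
# Devices matching no Allow rule are blocked outright rather than quarantined.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# --- Model 2: policy-based control, violations detected through mailbox auditing ---
# Owner logons are not audited unless MailboxLogin is in the AuditOwner set.
Set-Mailbox -Identity $testUser -AuditEnabled $true -AuditOwner @{Add = 'MailboxLogin'}

$since = (Get-Date).AddDays(-7)
# Any owner logon whose client IP lies outside the datacenter range came from a client
# other than the approved path and is a candidate policy violation.
Search-MailboxAuditLog -Identity $testUser -LogonTypes Owner -ShowDetails `
    -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.ClientIPAddress -and $_.ClientIPAddress -notlike '198.51.100.*' } |
    Select-Object LastAccessed, ClientIPAddress, ClientInfoString, Operation
```

Run the `Test-ClientAccessRule` checks and review the `Get-MobileDevice` output before creating the deny rule and before switching the ActiveSync default to Block; Client Access Rules can take some time to propagate, so leave the admin allow rule in place throughout.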
1. https://technet.microsoft.com/en-us/library/mt842508
2. https://technet.microsoft.com/en-us/library/mt842507(v=exchg.150).aspx
3. https://core.co.uk/blog/restricting-access-office-365/
4. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-mam
5. https://blogs.technet.microsoft.com/exchange/2010/11/15/controlling-exchange-activesync-device-access-using-the-allowblockquarantine-list/
6. https://social.technet.microsoft.com/Forums/msonline/en-US/6559babe-7d09-4f91-a2d7-fc0b58d3cb4f/office-365-device-access-rules?forum=onlineservicesexchange
7. https://blogs.technet.microsoft.com/exovoice/2017/03/14/how-to-see-the-ip-addresses-from-where-your-office-365-users-are-accessing-owa/
8. https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918