Restrict access to SharePoint Online based on IP

The question of restricting access to one or another Office 365 resource is one that often pops up. By default, being a public cloud SaaS offering, Office 365 is available from any location, at any time. Still, many organizations have the need to restrict access to content they have put in the service, say in a SharePoint Online team site.

Up until recently, restricting access based on network location was only possible if you had AD FS in place, effectively redirecting the authentication process to your on-premises organization, where you can impose the needed restrictions. A few months back, another option became available, namely using conditional access (MFA and device-based rules) for ExO, SPO and some other O365 apps. I blogged about this feature here.

Now, a few weeks after this functionality was first showcased at Ignite, the ability to restrict access to SPO to a range of predefined IPs/subnets has become available. For example, to restrict access to only requests coming from the company network, one can use:

Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList 111.1.1.0/20

Once the restrictions are in place, any users hitting SPO resources from outside the designated range(s) will get an error message (not a very descriptive one). Currently, setting the restrictions is only possible via the SharePoint Online PowerShell module, but we should be getting the relevant controls in the SPO Admin center soon. For more details about the feature, watch the video above; you will also learn about the other controls coming soon 🙂
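Because enforcement blocks every request from outside the list, the administrator's own session is blocked too if its address is not covered. The following pre-flight check is an added example, not code from the original post: it refuses to enable enforcement unless the admin's public IPv4 address falls inside the allow list. The helper function names and the admin IP are hypothetical, and it assumes `Connect-SPOService` has already been run.

```powershell
# Added example (not from the original post). Assumes Connect-SPOService has already run.
# ConvertTo-IPv4Number and Test-IPv4InCidr are hypothetical helpers defined here.
function ConvertTo-IPv4Number([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address.Trim())
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "'$Address' is not an IPv4 address" }
    $b = $ip.GetAddressBytes()
    # Pack the four octets into one Int64 so the shifts never touch a sign bit.
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

# Returns $true when $Address falls inside $Cidr (a bare address is treated as /32).
function Test-IPv4InCidr([string]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr.Trim() -split '/', 2
    if ($null -eq $prefix) { $prefix = 32 }
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $hostBits = 32 - $prefix
    $net  = ConvertTo-IPv4Number $network
    $addr = ConvertTo-IPv4Number $Address
    # Bitwise operators bind more loosely than comparisons in PowerShell, hence the parentheses.
    if ((($net -shr $hostBits) -shl $hostBits) -ne $net) {
        Write-Warning "'$Cidr' has host bits set; it is not written as a network address."
    }
    ($addr -shr $hostBits) -eq ($net -shr $hostBits)
}

$allowList = '111.1.1.0/20'   # range used in the post; separate several ranges with commas
$adminIp   = '111.1.5.10'     # constructed sample: public IP this admin session egresses from

# Keep only the ranges that contain the admin address.
$covering = @($allowList -split ',' | Where-Object { Test-IPv4InCidr $adminIp $_ })
if ($covering.Count -eq 0) {
    throw "Admin IP $adminIp is outside '$allowList'; not enabling enforcement."
}

Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList $allowList
# Read the settings back to confirm what the tenant stored.
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
```

The check handles IPv4 entries only and throws on anything else, so an IPv6 range in the list has to be verified separately.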


One Response to Restrict access to SharePoint Online based on IP

  1. Bradley says:

    How would this affect externally shared content from a SharePoint site? Would this stop external/vendor users that have access to my sites from being able to view the sites, or would this just affect internal users that are part of my tenant?
