The question of restricting access to one or another Office 365 resource is one that often pops up. By default, being a public cloud SaaS offering, Office 365 is available from any location, at any time. Still, many organizations have the need to restrict access to content they have put in the service, say in a SharePoint Online team site.
Up until recently, restricting access based on the network location was only possible if you had AD FS in place, effectively redirecting the authentication process to your on-prem organization where you can impose the needed restrictions. Few months back, another option become available, namely using conditional access (MFA and Device based rules) for ExO, SPO and some other O365 apps. I blogged about this feature here.
Now, few weeks after first showcasing this functionality at Ignite, the ability to restrict access to SPO to a range of predefined IPs/subnets has become available. For example, to restrict access to only requests coming from the company network, one can use:
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList 220.127.116.11/20
Once the restrictions are in place, the any users hitting SPO resources outside of the designated range(s) will get an error message (not very descriptive one). Currently, setting the restrictions is only possible via the SharePoint Online PowerShell module, but we should be getting the relevant controls in the SPO Admin center soon. For more details about the feature, watch the video above, you will also learn about the other controls coming soon 🙂