SharePoint Online Users Getting Network Conditional Access Protection

Microsoft will issue a preview of a new conditional access capability for organizations using SharePoint Online and OneDrive for Business, starting on Friday.

Specifically, Microsoft plans to release a "conditional access by network location" security capability, which will be available for "first release" testers on Jan. 20. It's a free addition to those services that's designed to thwart "data leakage" scenarios in which restricted information could get dispersed.

The first release of this conditional access by network location security feature will be available on Jan. 20 to all "commercial and GCC [Government Community Cloud] tenants, and will not require additional licensing," Microsoft explained, in a Microsoft Tech Community blog post late last week.

IT pros can use the SharePoint Admin console to define the network boundaries for this feature. Essentially, they provide "whitelisted address ranges" for end users in an organization. A user who tries to access SharePoint Online or OneDrive for Business outside those whitelisted addresses will get blocked and will see an "access restricted" message. Policy set via the console in this way will apply across an organization's Office 365 tenant for the SharePoint Online and OneDrive for Business services.

The new conditional access capability is just for SharePoint Online and OneDrive for Business users, though. It's not for SharePoint Server users.

"These policies do not affect SharePoint Server, and we have no information about plans to include on premises SharePoint Server in the scope of these access policies," Microsoft's announcement explained.

The new conditional access feature is turned off by default. IT pros wanting to use it have to enable it via the console. Microsoft noted some caveats about activating it, though. If an IT pro omits his or her machine's IP address from the range of whitelisted IP addresses, then it'll "lock out the admin session." In such cases, Microsoft support will need to be contacted.

Conditional access policy configurations using Microsoft's Azure Active Directory Premium service will get "interpreted first, followed by the SharePoint policy," Microsoft explained. For instance, if an IP address was blocked with the Azure Active Directory Premium service, it cannot be enabled using the SharePoint Online conditional access feature.
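
The two caveats above (an admin locking out the admin session, and Azure AD policy being interpreted before the SharePoint policy) can be checked before the policy is enabled. The sketch below is an added example, not Microsoft's code or tooling; the function names, the assumption that ranges are written as single IPs or CIDR blocks, and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_ranges(entries):
    """Parse single IPs or CIDR ranges; return (networks, invalid_entries)."""
    networks, invalid = [], []
    for raw in entries:
        try:
            networks.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            invalid.append(raw)
    return networks, invalid

def _contains(networks, addr):
    # Compare only within the same IP version (IPv4 vs. IPv6).
    return any(addr.version == n.version and addr in n for n in networks)

def decide(ip, aad_blocked, spo_allowed):
    """Simplified model of the stated order: Azure AD policy, then SharePoint."""
    addr = ipaddress.ip_address(ip)
    if _contains(aad_blocked, addr):
        return "blocked-by-azure-ad"  # SharePoint allowlist cannot re-enable it
    if not _contains(spo_allowed, addr):
        return "access-restricted"    # outside the SharePoint allowed ranges
    return "allowed"

def preflight(proposed, admin_ip, aad_block_entries=()):
    """Return a list of problems to fix before the policy is switched on."""
    allowed, bad = parse_ranges(proposed)
    blocked, bad_aad = parse_ranges(aad_block_entries)
    problems = [f"invalid range: {e!r}" for e in bad + bad_aad]
    if not allowed:
        problems.append("no valid ranges in the proposed list")
    verdict = decide(admin_ip, blocked, allowed)
    if verdict == "access-restricted":
        problems.append(f"admin IP {admin_ip} not covered: admin session would be locked out")
    elif verdict == "blocked-by-azure-ad":
        problems.append(f"admin IP {admin_ip} is blocked upstream by Azure AD policy")
    return problems

if __name__ == "__main__":
    # Constructed sample values taken from the RFC 5737 documentation ranges.
    proposed = ["203.0.113.0/24", "198.51.100.7", "10.0.0.300/8"]
    for ip in ("203.0.113.25", "192.0.2.44", "203.0.113.200"):
        print(ip, preflight(proposed, ip, ["203.0.113.128/25"]))
```

Running the check from the machine that will apply the policy, with that machine's public egress address as `admin_ip`, catches the lockout case before support has to be contacted.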

Microsoft also warned that users of its collaboration applications could see "unpredictable results" under certain conditions when using the new conditional access feature, especially users who aren't on the whitelist.

"For collaborative apps that use SharePoint team sites to provide file storage, such as Microsoft Teams or Planner, users will see unpredictable results when accessed outside the whitelist."

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

