Its possible to limit web-mail (OWA) access to an IP range and block all external access. Please refer following information for the same.
We can achieve this using Azure Conditional Access policy.
- Please logon to Azure portal then navigate to Azure Active Directory.
- Open the tab Conditional Access and then click on +New Policy
- You can directly access following link to reach to Conditional Access page – https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
- Give name to your policy, Say – Block OWA External Access
- On the Grant tab select Block access.
Then please click on Users and Groups where we can choose which users and/ or groups will come under this policy. It is recommended to test the policy with test user’s small group to test your implementation. If needed you can also select a user or group which will be excluded from the policy.
Now we need to open Cloud apps, mark Select apps, browse for Office 365 Exchange Online and select the Exchange Online app
Then Now under conditions lets select Device platforms tab. Here you are able to select on which platforms you want to block access to OWA
Now you want to block external access to OWA, but allow internal access we need to make use of the condition Locations. For this open locations tab and then select Any location under Include.
Under Exclude we can select MFA Trusted IPs.These MFA trusted IPs are managed from Azure AD, Conditional Access, Named Locations.
Then select Client apps and only select Browser only.
Now select done option and create policy by clicking on create
To verify the functionality from an external location, open up a browser and visit https://portal.office.com/myapps
In Office 365 My apps portal, when you click on Outlook you receive a message like below and Outlook (OWA) is blocked.
Everything about Office 365 and Azure Cloud 