• Status: Solved

Create a GPO that allows only email access via Office 365

How do I create a GPO in Windows Server 2008 that would allow users to only access email from hosted Exchange via Office 365? I don't want them to be able to surf websites.
Michal Ziemba (IT System Architect) commented:
First of all, get familiar with this document: Office 365 URLs and IP address ranges
Based on this you can build some firewall rules to allow users to access Office 365 services.
And in this article you can find some details on how to build firewall rules using Group Policy: Windows Firewall and IPsec Policy Deployment Step-by-Step Guide
Rob Knight (Consultant) commented:

Are your users using laptops and mobile or desktops and Office based on a LAN?

You'll need to determine where this will happen - if it's on the LAN network, then your router/firewall/proxy should be configured to do this, rather than the devices themselves.

For when they are mobile, you'll need to create some GPOs which apply to the public/private firewall profiles - Domain will be enabled if the devices can authenticate to a Domain controller. However, be aware that changes to these will impact the endpoint's ability to authenticate, so your firewall rules will need to be configured carefully.

You will need to change the default allow Outbound All policy on the private/public firewall policy to Block, Except.

Your outbound rules will need to include:

DHCP - ability to get an IP address
DNS resolution - to resolve hosts etc.
LSASS to your DCs for Kerberos and LDAP
NCSI - to detect internet connections for NLASrv
HTTPS to Office 365 IP ranges

Hope this helps.

Create a firewall policy that only allows HTTPS to go to the relevant Office 365 ranges.
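
The outbound rule set listed in the comment above, written as `netsh advfirewall` commands. This is an added example, not part of the original thread; the rule names and every address in it are placeholder assumptions to be replaced with your own DNS servers, domain controllers and the ranges Microsoft publishes for Office 365.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated command prompt.
rem All addresses are placeholders (assumptions), not real Office 365 ranges.
set DNS_SERVERS=10.0.0.10,10.0.0.11
set DOMAIN_CONTROLLERS=10.0.0.10,10.0.0.11
set O365_RANGES=192.0.2.0/24,198.51.100.0/24
set PROFILES=private,public

rem Add the allow rules first, so the machine is never left in a block-all
rem state where it cannot get an address or reach a domain controller.

rem DHCP: client port 68 to server port 67.
netsh advfirewall firewall add rule name="Out-DHCP" dir=out action=allow ^
    profile=%PROFILES% protocol=UDP localport=68 remoteport=67

rem DNS resolution, limited to the named resolvers.
netsh advfirewall firewall add rule name="Out-DNS-UDP" dir=out action=allow ^
    profile=%PROFILES% protocol=UDP remoteport=53 remoteip=%DNS_SERVERS%
netsh advfirewall firewall add rule name="Out-DNS-TCP" dir=out action=allow ^
    profile=%PROFILES% protocol=TCP remoteport=53 remoteip=%DNS_SERVERS%

rem LSASS to the domain controllers: Kerberos (88) and LDAP (389).
netsh advfirewall firewall add rule name="Out-LSASS-DC-TCP" dir=out ^
    action=allow profile=%PROFILES% protocol=TCP remoteport=88,389 ^
    program="%SystemRoot%\System32\lsass.exe" remoteip=%DOMAIN_CONTROLLERS%
netsh advfirewall firewall add rule name="Out-LSASS-DC-UDP" dir=out ^
    action=allow profile=%PROFILES% protocol=UDP remoteport=88,389 ^
    program="%SystemRoot%\System32\lsass.exe" remoteip=%DOMAIN_CONTROLLERS%

rem NCSI: HTTP probe, scoped to the Network Location Awareness service only.
netsh advfirewall firewall add rule name="Out-NCSI" dir=out action=allow ^
    profile=%PROFILES% protocol=TCP remoteport=80 service=NlaSvc ^
    program="%SystemRoot%\System32\svchost.exe"

rem HTTPS to the Office 365 ranges and nowhere else.
netsh advfirewall firewall add rule name="Out-O365-HTTPS" dir=out ^
    action=allow profile=%PROFILES% protocol=TCP remoteport=443 ^
    remoteip=%O365_RANGES%

rem Only now switch the default outbound action from allow to block.
netsh advfirewall set privateprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

rem Review the resulting outbound rules and the profile defaults.
netsh advfirewall firewall show rule name=all dir=out
netsh advfirewall show privateprofile
```

To deploy through Group Policy, the same rule parameters are entered in the GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security. The published Office 365 ranges change over time, so the HTTPS rule needs to be refreshed when the list is updated.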
danmoro (Author) commented:
This is just for a handful of desktops inside a LAN.
Michal Ziemba (IT System Architect) commented:
If you would like to limit access to the Internet and allow Office 365 on desktops inside the LAN, then there are several solutions:
  1. If the desktop PCs are on a separate LAN and if you have an advanced firewall on-site, you can build firewall rules based on the article I mentioned above.
  2. If you want to limit access to Office 365 for the whole LAN and if you have an advanced firewall on-site, the same as point 1.
  3. If you want to limit the access to Office 365 on selected PCs (i.e. based on AD Group membership), the Group Policy and firewall rules are the solution.
Question has a verified solution.