How to block OWA externally for specific AD Group

Question

I want to share my experience configuring a special scenario to restrict OWA externally for specific AD group. (This is not to request help, it is to help others.)

Prerequisites:

• Configured Exchange Server to use ADFS authentication
• Deployed ADFS and WAP
• Use this Microsoft procedure as a reference: https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019
• Within the AD, two different security groups have been created to control external access:
  • One to allow OWA access from the Internet
  • 
  • And another to Deny OWA access from the internet
  • 

Once the rules have been created within the ADFS and WAP, an Access Control Policy rule is created.

• 
• Which in turn consists of three different rules:
• 
• 
• 
• 

Then you add the users you want to allow or deny access from the Internet by adding them to the different groups. For internal access, OWA works without adding the users to any AD group.

It worked perfectly for me, thanks to the support of the Microsoft ADFS technician and a good friend!

Thank you so much, O.A.!

Answer 1

Hello

Thank you for posting on the Microsoft Community.

Thank you for sharing and for the expertise and literacy shown in this case.

Regards

Runjie Zhai

Answer 2

Hello Runjie,

Your welcome!