Some organizations may want to create policies that limit access to Microsoft® Office 365 services, depending on where the client resides. For example, you might want to:

  • Block all extranet client access to Office 365
  • Block all extranet client access to Office 365, except for devices accessing Exchange Online for Exchange ActiveSync on a Windows mobile device

Active Directory Federation Services (AD FS) 2.0 provides a way for organizations to configure these types of policies. Office 365 customers using Single Sign-On (SSO) who require these policies can now use client access policy rules to restrict access based on the location of the computer or device that is making the request. Customers using Microsoft Online Services cloud IDs cannot implement these restrictions at this time.

You can use an AD FS 2.0 federation server proxy or a third-party proxy to forward requests from clients residing outside the corporate network to the internal Federation Service.
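
A small Python model of the two policies listed above, added here as an illustration and not taken from the original page or from AD FS itself. It assumes AD FS exposes the request context as the claims `x-ms-proxy`, `x-ms-forwarded-client-ip` and `x-ms-client-application`; the corporate address range, the policy names and the sample requests are constructed, and the Windows mobile device condition is not modelled.

```python
import ipaddress

# Constructed value: corporate egress range taken from a documentation prefix.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
ACTIVESYNC = "Microsoft.Exchange.ActiveSync"


def is_extranet(ctx):
    """True when the request reached AD FS through the proxy and the client
    address it carries is not a corporate egress address."""
    if not ctx.get("x-ms-proxy"):
        return False  # arrived directly at the internal Federation Service
    forwarded = ctx.get("x-ms-forwarded-client-ip")
    if forwarded is None:
        return True  # proxied, no client address supplied: treat as outside
    try:
        addr = ipaddress.ip_address(forwarded)
    except ValueError:
        return True  # unparseable address: fail closed
    return not any(addr in net for net in CORPORATE_EGRESS)


def decide(policy, ctx):
    """Return 'permit' or 'deny' for one sign-in request under the named policy."""
    if not is_extranet(ctx):
        return "permit"
    if policy == "block_extranet":
        return "deny"
    if policy == "block_extranet_except_activesync":
        is_eas = ctx.get("x-ms-client-application") == ACTIVESYNC
        return "permit" if is_eas else "deny"
    raise ValueError(f"unknown policy: {policy}")


# Constructed sample requests (hypothetical proxy name and addresses).
SAMPLES = {
    "intranet browser": {},
    "office client relayed via proxy": {
        "x-ms-proxy": "proxy01", "x-ms-forwarded-client-ip": "203.0.113.25"},
    "external ActiveSync phone": {
        "x-ms-proxy": "proxy01", "x-ms-forwarded-client-ip": "198.51.100.7",
        "x-ms-client-application": ACTIVESYNC},
    "external browser": {"x-ms-proxy": "proxy01"},
}

if __name__ == "__main__":
    for policy in ("block_extranet", "block_extranet_except_activesync"):
        for name, ctx in SAMPLES.items():
            print(f"{policy:34} {name:32} {decide(policy, ctx)}")
```

The second sample shows why the proxy marker alone is not enough to identify an outside client: a request relayed on behalf of an office client also arrives through the proxy, so the forwarded address has to be compared with the corporate range.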