Control access based on network location or app
To prevent users from accessing OneDrive and SharePoint content on devices outside of specific domains, and to prevent them from accessing files in apps that don't check for device status, use the Device access page of the OneDrive admin center.
Control access based on network location
You can choose a specific IP addresses or IP address ranges from which you want to allow users to access their OneDrive files. For example, you might want your users to only access OneDrive files using network addresses that your organization owns.
To allow access only from defined network locations
Under Control access based on network location, select the Allow access only from specific IP address locations check box.
Enter the IP address ranges that you want to allow using CIDR notation. For example: 172.16.0.0, 192.168.1.0/27, 2001:4898:80e8::0/48. Enter one IP address range per line, and make sure there are no overlapping IP addresses.
Click Save on the Device access page.
Control access from apps that don't use modern authentication
Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure.
To block access from apps that don't use modern authentication
Under Control access from apps that can't enforce device-based restrictions, clear the Allow access from apps that don't use modern authentication check box.