Using AD Logon Restrictions along with ADFS/Directory Sync works fine to block OWA access during a non-business hour schedule because a user is unable to log in through the web form. Users are still able to conduct e-mail business on their smartphones through ActiveSync during those non-business hours though. We need to prevent ActiveSync from syncing to Office365 based on a timed schedule of when it would and would not work. This should also be based on security groups and not just an all or nothing approach.
Reply from a user in an old discussion:
ActiveSync requests hit a different endpoint on AD FS, so make sure you have included it. I'm not sure that you can avoid the token caching, however (i.e. a user that logs in 10 mins before the restrictions are in effect will be happily using the mobile device for the next few hours).
Has anyone already managed to configure ActiveSync so that it complies with the same authentication rules as OWA?