We have Seamless SSO with Pass through authentication and Azure AD Free. This is all in place to allow access to PowerBI to work "seamlessly". We also have Office 365 but it isn't being used.
What I would like to do is block access to PowerBI from outside the network. Is there any way I can achieve this without upgrading to Azure AD Prem?
When you use Seamless SSO with Pass-through authentication. The password validation requests were sent to on-premises Active Directory domain controller (DC) to evaluate. For more details, you can refer to How does Azure Active Directory Pass-through Authentication work
If you'd like to block access to PowerBI from outside the network, you may block access to PowerBI based on the location in your on-premise environment since the password authentication happens in the on-premise environment using Pass-through authentication. Unfortunately, for now, there is not a good way to achieve this in the local environment.
It is recommended to use conditional access with an Azure AD Premium license.
Yes it is possible to do this with Conditional Access in Azure Active Directory. This is a premium feature and requires that the users who needs the Conditional Access gets assigned an Azure AD Premium license or any SKU containing this license.
In Azure AD you would make a conditional access policy, in this policy you can define:
If it is for all PowerBI Users you could make a Policy that only reacts on the PowerBI service, then say that it should deny access.
Then as an exception to the policy you say that if you come from the allowed IP's the Policy does not apply.
That way you lock it so it is never possible to log in if the requirements are not met. As a note, if you wanted to setup access from external but wants extra security you could say that it requires MFA when the policy is met.
That way if you access externally you are promted for MFA, but internally you will not since the policy does not apply if you come from the internal IP's.