What is Conditional Access?
Conditional Access is a set of policy configurations that controls which users and devices can reach which applications. In the Microsoft environment specifically, Conditional Access policies apply to Office 365 and to other Software-as-a-Service (SaaS) applications registered in Azure Active Directory.
In the simplest terms, Conditional Access policies are if-then statements: if a condition is met, then the configured action is taken. Example: if a user wants to access any Office 365 application, then they must complete multi-factor authentication (MFA) first.
In this blog, I will demonstrate how to restrict access to different applications from different IP addresses based upon the location of the offices.
Consider that there are three physical offices of an organization, one in the USA, one in Canada, and one in India. Each office has two different Internet Service Providers where each ISP provides five static public IPs to the office location. This means that a single office is provided with a total of 10 public IPs. Based on this setup, we will implement the following scenarios:
- SharePoint Online should be accessible through US office locations and restricted for Canada and India.
- Exchange Online should be accessible through Canada office location and restricted for US and India.
- PowerBI should be accessible through India office locations and restricted for Canada and the US.
- Users should not be prompted for Multi-Factor Authentication if they are coming from known office locations.
Note: This is an arbitrary scenario chosen to showcase the capabilities. Learn the implementation and adapt the plan to your own requirements.
Prerequisites
- An Azure AD tenant in which you hold the Global Administrator role (the Conditional Access Administrator role is sufficient for the policy work itself).
- At least an Azure AD Premium P1 license; if you need the enhanced security features, compare the licenses here.
- Three non-administrator test users whose passwords you know.
Before setting up our conditional access policy, we need to define named locations. This can be done by logging into the Azure portal under Azure Active Directory > Security > Conditional Access > Named Locations.
We will configure three named locations by adding public IP addresses of the respective offices:
Note: We are using arbitrary IPs here, picked from the public address ranges allocated to each of the three countries. If you are implementing your own scenario, change the IP addresses to the ones your ISPs actually assigned to each office.
To restrict access by IP address range, click ‘IP ranges location’ and add the ranges from which you want to block or allow access to the application.
To define a named location by IPv4/IPv6 address, one needs to provide:
A Name for the location
One or more IP (IPv4 or IPv6) ranges (in CIDR notation)
Log in to the Azure portal, then navigate to Azure Active Directory > Security > Conditional Access > Named Locations.
1. Click ‘IP ranges location’ and enter the name of the location as shown below:
2. Add the office’s public IP ranges in CIDR notation, one entry per range. If a later policy should treat the office as trusted (for example, to skip MFA), tick ‘Mark as trusted location’.
3. Finally, click Create, and your location with its IP ranges is defined.
We have configured and shown the named location only for Canada. Adding IP range would be the same procedure for the USA as well as India, as shown above.
MFA Trusted IPs
To grant access from the offices’ public IP addresses without prompting for multi-factor authentication, we add those ranges to the list of MFA trusted IPs.
To configure MFA trusted IPs, log in to the Azure portal > Azure Active Directory > Security > Conditional Access > Named Locations > Configure MFA Trusted IPs.
1. Once you click ‘Configure MFA trusted IPs’, you are taken to a new page (the MFA service settings) where the configuration is done. Enter the IP ranges in the text field.
2. Click Save.
As a result, users reaching the application from the IPs in the trusted range skip MFA and are granted access after entering only their username and password. Note that this list belongs to the legacy per-user MFA settings; with Conditional Access, the equivalent is to mark the office named location as trusted and to exclude ‘All trusted locations’ from the policy that requires MFA. Either way, the bypass only helps an attacker who can already send traffic from an office address, so keep the ranges tight and review them whenever an ISP contract changes.
We can restrict access by country as well, but it is not required in our situation: the named locations already pin down the office IP addresses, and once the policies below are in place every IP outside them is blocked, whatever country it belongs to. So there is no need to set up a country named location.
Whether you need a country named location varies from case to case, but here is how to configure one if required. To restrict or allow access by country, go to Named Locations and click ‘Countries location’.
To define a named location by country, log in to the Azure portal > Azure Active Directory > Security > Conditional Access > Named Locations > Countries location, then enter:
1. A name for the location.
2. The country or countries you wish to block or allow, then click Create. Country matching relies on IP geolocation, so decide explicitly whether ‘Include unknown countries/regions’ should be ticked; addresses that cannot be mapped to a country are otherwise outside the location.
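The named locations from the IP-range and country sections above, expressed as the Microsoft Graph request bodies behind the portal blades, with the checks a practitioner would want before creating them. This is an added example, not code from the original post or from Microsoft: the office ranges are constructed samples from the RFC 5737 documentation blocks, and the endpoint and field names are those of the Graph `namedLocations` resource.

```python
"""Request bodies for the named locations above (Azure AD / Microsoft Graph).

Added example, not code from the original post. Each dict is what you would
POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations
with a token holding Policy.ReadWrite.ConditionalAccess. The office ranges
are constructed samples from the RFC 5737 documentation blocks, not the
offices' real addresses.
"""
import ipaddress

# Constructed sample ranges: two ISPs per office, one /29 each, which is the
# block an ISP typically hands out for "five static public IPs".
OFFICE_RANGES = {
    "USA": ["203.0.113.0/29", "203.0.113.64/29"],
    "Canada": ["198.51.100.0/29", "198.51.100.64/29"],
    "India": ["192.0.2.0/29", "192.0.2.64/29"],
}

# Source ranges Azure AD never sees from the internet; a named location built
# from one of these matches nothing and silently breaks the allow rule.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def validate_cidrs(cidrs):
    """Normalise each CIDR to its network address and reject non-routable ones.

    Graph accepts "203.0.113.5/29", but the location then matches the whole
    /29, so an admin who meant one host has admitted seven more addresses.
    Normalising first makes the stored range say what it actually matches.
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.version == bad.version and net.subnet_of(bad) for bad in NON_ROUTABLE):
            raise ValueError(f"{cidr} is not a public range")
        nets.append(net)
    return nets


def ip_named_location(name, cidrs, trusted=False):
    """Body for an IP-range named location. trusted=True is the portal's
    'Mark as trusted location' box; policies can then refer to the office
    through 'All trusted locations' instead of naming it."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,
        "ipRanges": [
            {
                "@odata.type": "#microsoft.graph.iPv4CidrRange" if net.version == 4
                else "#microsoft.graph.iPv6CidrRange",
                "cidrAddress": str(net),
            }
            for net in validate_cidrs(cidrs)
        ],
    }


def country_named_location(name, iso_codes, include_unknown=False):
    """Body for a country named location (ISO 3166-1 alpha-2 codes). Country
    is derived from IP geolocation, so decide explicitly whether addresses
    that cannot be mapped count as inside the location."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": [c.upper() for c in iso_codes],
        "includeUnknownCountriesAndRegions": include_unknown,
    }


def check_disjoint(locations):
    """Raise if two IP named locations overlap. An address inside both offices
    would be excluded from both block policies and reach both applications."""
    seen = []
    for loc in locations:
        for rng in loc["ipRanges"]:
            net = ipaddress.ip_network(rng["cidrAddress"])
            for other_name, other in seen:
                if net.version == other.version and net.overlaps(other):
                    raise ValueError(f"{loc['displayName']} {net} overlaps {other_name} {other}")
            seen.append((loc["displayName"], net))


def locate(ip, locations):
    """Names of the IP named locations that contain a source address."""
    addr = ipaddress.ip_address(ip)
    return [loc["displayName"] for loc in locations
            if any(addr in ipaddress.ip_network(r["cidrAddress"]) for r in loc["ipRanges"])]


# The three office locations, marked trusted so an MFA policy can exempt them.
OFFICES = [ip_named_location(n, r, trusted=True) for n, r in OFFICE_RANGES.items()]
check_disjoint(OFFICES)
```

`locate()` is the offline check to run against a sign-in log entry when a user reports being blocked from an office: if the source address is not in exactly one office location, the problem is the range definition, not the policy. The overlap check matters because the policies below rely on each office being excluded from exactly one block rule.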
Conditional Access Policy:
Now that we have set up the named locations for IP addresses, we will be configuring the conditional access policy. To create a new conditional access policy, log in and go to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies.
To configure a conditional access policy, we need to define:
- A name for the policy
- The users and groups the policy is assigned to
- The cloud application(s) the policy applies to
- The conditions under which it applies (here, location)
- Access controls: grant or block access
- Session controls, such as sign-in frequency and app-enforced restrictions
Note: Do not assign the policy to all users and administrators at once. Assign it first to a few users with no directory roles, enable it in Report-only mode, and confirm in the sign-in logs that it behaves as expected before switching it on. Exclude at least one emergency-access (break-glass) account from every blocking policy; otherwise you have the potential to lock yourself out.
To know more about all other components, you can check out Microsoft’s official conditional access documentation.
SharePoint Online should be accessible through US office locations and restricted for Canada and India.
1. Log in to Azure, go to Azure Active Directory > Security > Conditional Access > Policies, and click ‘New Policy’ to create a new conditional access policy.
2. Enter a name for the policy.
3. Select the user(s) to whom this policy should apply: Users and groups > Select users and groups > search for the user or group, then click Select.
4. Select the cloud app: Office 365 SharePoint Online.
5. Click Conditions > Locations and select Yes to configure (i.e., include/exclude locations in this policy).
6. Include: Any location.
7. Exclude: Selected locations > USA (the named location created earlier).
8. Under Access controls > Grant, select the ‘Block access’ radio button.
9. All configuration is done; now enable and create the policy. Enable policy: Report-only (to test first) or On.
Simply put, this whole configuration means that if specified users are trying to access SharePoint Online from any other location than the USA, they will not be granted access.
Exchange Online should be accessible through Canada office location and restricted for US and India.
Similarly, in this case we apply the same configuration as before, with two differences: the application is Office 365 Exchange Online, and the excluded named location is ‘Canada’. The include side stays ‘Any location’. Do not include only ‘India’ and ‘USA’ instead: that would block the other two offices but leave every address outside the three offices, such as a home network, able to reach Exchange Online. With ‘Any location’ included and ‘Canada’ excluded, users in the Canada office can access Exchange Online, whereas users in India, in the USA, and anywhere else are blocked.
PowerBI should be accessible through India office location and restricted for Canada and the US.
Equivalently, the same configuration with the application set to Power BI Service and ‘India’ as the excluded named location, while ‘Any location’ remains included. As a result, users in the India office have access to the Power BI service, and employees in the USA and Canada offices, like anyone outside the three offices, do not.
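The three block policies above and the MFA exemption from scenario 4, written as the Graph request bodies behind the portal wizard, together with a small offline evaluator that applies them the way Conditional Access combines policies. This is an added example, not the post's or Microsoft's code: the `loc-*` and `user-*` values are placeholder object IDs (Azure AD assigns the real ones when the named locations and users are created), the office ranges are RFC 5737 samples, and the application IDs are Microsoft's well-known first-party app IDs, which you should confirm under Enterprise applications in your own tenant. It shows why the pattern is "include Any location, exclude the office" rather than naming the other two offices, that a report-only policy is reported but not enforced, and that users outside the assignment are untouched.

```python
"""Graph bodies for the location policies above, plus an offline evaluator.

Added example, not code from the original post. Each body is what you would
POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
The "loc-*" and "user-*" values are constructed placeholders for the object
IDs Azure AD assigns; the application IDs are Microsoft's well-known
first-party app IDs (confirm them under Enterprise applications in your own
tenant). Office IP ranges are RFC 5737 sample blocks.
"""
import ipaddress

SHAREPOINT = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online
POWERBI = "00000009-0000-0000-c000-000000000000"     # Power BI Service

# Placeholder named locations: id -> (displayName, CIDRs, marked trusted)
LOCATIONS = {
    "loc-usa": ("USA", ["203.0.113.0/29", "203.0.113.64/29"], True),
    "loc-can": ("Canada", ["198.51.100.0/29", "198.51.100.64/29"], True),
    "loc-ind": ("India", ["192.0.2.0/29", "192.0.2.64/29"], True),
}
PILOT = ["user-alice", "user-bob"]  # placeholder IDs of the non-admin test users
BREAK_GLASS = "user-breakglass"     # placeholder ID of the emergency-access account
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _policy(name, users, apps, locations, control, state):
    return {
        "displayName": name,
        "state": state,  # REPORT_ONLY first; "enabled" once the sign-in logs look right
        "conditions": {
            "users": {"includeUsers": users, "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": apps},
            "locations": locations,
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


def block_outside(name, app_id, office_id, users, state=REPORT_ONLY):
    """Block an app from every location except one office: include All,
    exclude the office, control 'block'. Including only the other two offices
    instead would leave home networks and the open internet unblocked."""
    return _policy(name, users, [app_id],
                   {"includeLocations": ["All"], "excludeLocations": [office_id]},
                   "block", state)


def mfa_outside_offices(name, users, state=REPORT_ONLY):
    """Scenario 4 done with Conditional Access instead of the legacy MFA
    trusted-IP list: MFA for all apps unless the named location is trusted."""
    return _policy(name, users, ["All"],
                   {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
                   "mfa", state)


POLICIES = [
    block_outside("SharePoint Online: USA office only", SHAREPOINT, "loc-usa", PILOT, "enabled"),
    block_outside("Exchange Online: Canada office only", EXCHANGE, "loc-can", PILOT, "enabled"),
    block_outside("Power BI: India office only", POWERBI, "loc-ind", PILOT, "enabled"),
    mfa_outside_offices("MFA outside office networks", PILOT, "enabled"),
]


def _in_location(ip, loc_id):
    """Is ip inside a location reference? 'All' always, 'AllTrusted' means any
    location marked trusted, otherwise the named location's own CIDRs."""
    if loc_id == "All":
        return True
    ids = [k for k, v in LOCATIONS.items() if v[2]] if loc_id == "AllTrusted" else [loc_id]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for i in ids for c in LOCATIONS[i][1])


def _in_scope(policy, user, app_id, ip):
    """Does the policy's assignment (users, app, location) cover this sign-in?"""
    c = policy["conditions"]
    users, apps, loc = c["users"], c["applications"]["includeApplications"], c["locations"]
    if user in users["excludeUsers"]:
        return False
    if "All" not in users["includeUsers"] and user not in users["includeUsers"]:
        return False
    if "All" not in apps and app_id not in apps:
        return False
    included = any(_in_location(ip, x) for x in loc["includeLocations"])
    excluded = any(_in_location(ip, x) for x in loc["excludeLocations"])
    return included and not excluded


def evaluate(user, app_id, ip, policies=POLICIES):
    """Decide a sign-in the way Conditional Access combines policies: every
    enforced in-scope policy applies, 'block' beats any grant, and report-only
    policies are listed but not enforced. Returns (decision, report_only_hits)."""
    decision, reported = "allow", []
    for p in policies:
        if not _in_scope(p, user, app_id, ip):
            continue
        control = p["grantControls"]["builtInControls"][0]
        if p["state"] != "enabled":
            reported.append((p["displayName"], control))
        elif control == "block":
            decision = "block"
        elif decision == "allow":
            decision = control
    return decision, reported
```

Run `evaluate("user-alice", SHAREPOINT, "198.51.100.2")` to see the Canada office blocked from SharePoint Online while `evaluate("user-alice", EXCHANGE, "198.51.100.2")` is allowed, and pass a policy built with the default report-only state to see it come back in the second element of the result instead of changing the decision. The evaluator covers only the user, application and location assignments this post configures; the real service also weighs device, platform, client app and risk conditions, so treat it as a way to reason about the location logic, not as a substitute for the What If tool and the sign-in logs.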
Let us try to access SharePoint Online from the USA, Canada, and India offices. As per the policy we created, the user should be granted access from the USA office network, while access should be blocked from the Canada and India offices.
- Accessing SharePoint Online from USA office network:
SharePoint Online is accessible
- Accessing SharePoint Online from India and Canada office:
SharePoint Online access is restricted.
- Accessing Exchange Online from Canada office:
- Accessing Exchange Online from India and USA office:
- Accessing PowerBI Service from India Office:
- Accessing PowerBI Service from USA and Canada Office:
Consequently, users trying to access Exchange Online (from Canada office) and PowerBI service (from the India office) will be allowed to sign into the applications. Contrarily, suppose they are trying to sign in to Exchange Online (from the USA or India office) and PowerBI service (from the USA or Canada office). In that case, they will be shown a common error message.
Therefore, the policy is successfully implemented, and we secured access to the applications from defined locations only. Access from all other locations and IPs not defined is blocked.
What if someone tries to access the applications from a non-Windows device? The error message remains the same; only the user interface differs.
Written By- Raghav Jain
(Cloud Security Engineer)
Peer Reviewed By- Jasjit Chopra
Graphics Designed By- Sanika Sanaye
(Creative Design Director)