Conditional access is a set of policy configurations that controls which devices and users can access which applications. In a Microsoft environment specifically, conditional access policies work with Office 365 and the other Software-as-a-Service (SaaS) applications configured in Azure Active Directory.
In the simplest terms, conditional access policies are if-then statements: if a condition is met, then the required action is taken for that condition. Example: a user wants to access an Office 365 application and is required to perform multi-factor authentication (MFA) to access it.
In this blog, I will demonstrate how to restrict access to different applications from different IP addresses based on the location of the offices.
Consider an organization with three physical offices, one in the USA, one in Canada and one in India. Each office has two different Internet Service Providers, and each ISP provides 5 static public IPs to the office location. This means that a single office has a total of 10 public IPs. Based on this setup we will implement the following scenarios:
Note: This is an arbitrary scenario chosen for demo purposes to showcase the capabilities. You can learn the implementation from it and adapt the scenarios to your own requirements.
Before setting up our conditional access policy, we need to define named locations. This is done by logging into the Azure portal and navigating to Azure Active Directory > Security > Conditional Access > Named Locations.
We will configure three named locations by adding public IP addresses of the respective offices:
Note: We are using arbitrary IPs in this case, picked from the public IP address ranges defined for each of the three countries. If you are implementing this for your own scenario, make sure to change the IP addresses according to your requirements.
To restrict access from a specific IP address range, click on ‘IP ranges location’ and add the IP address range from which you want to block or restrict access to your application.
To define a named location by IPv4/IPv6 address, one needs to provide the following.
Log in to the Azure Portal, then navigate to Azure Active Directory > Security > Conditional Access > Named Locations.
1. Click on ‘IP ranges location’ to add IPs and enter the name of the location as shown below:
2. Click on the ‘+’ button to add an IP address in CIDR format and click Add. To add more than one IP, click on the plus button again.
4. Finally, click on Create and you will have your IP ranges and your location defined.
We have configured and shown the named location only for Canada. Adding the IP ranges for the USA and India follows the same procedure shown above.
To grant access from the given set of public IP addresses without requiring multi-factor authentication, we will add those IP ranges to the MFA trusted IPs list.
To configure MFA trusted IPs, log in to the Azure Portal > Azure Active Directory > Security > Conditional Access > Named Locations > Configure MFA Trusted IPs.
As a result, users trying to access an application from the IPs defined in the trusted range will skip MFA and will be granted access by entering only their username and password.
We can restrict access with respect to country as well. In our situation it is not required, as we have already set up the named locations by IP address: access from all other IPs or countries will be blocked automatically. Therefore, there is no need to set up a named location for country.
Whether a named location for country is needed varies from case to case, but I will still show how to configure it if required. To restrict or allow access from a country, we first go to Named Locations and then click on ‘Countries location’ to add countries.
To define a named location by country, log in to the Azure portal > Azure Active Directory > Security > Conditional Access > Named Locations > Countries location, and enter the following:
2. Select the country/countries you wish to block/allow access and click Create.
Now that we have set up the named locations by IP address, we will configure the conditional access policy. To create a new conditional access policy, log in and go to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies.
To configure a conditional access policy, we need to define:
Note: Make sure that you do not assign the policy to all users and administrators at once. Always assign the policy to a few users with no assigned roles first, and enable the policy in Report-only mode to test it and make sure it works as expected. Otherwise, you could lock yourself out.
To learn more about all the other components, check out Microsoft’s official conditional access documentation.
1. Log in to Azure, go to Azure Active Directory > Security > Conditional Access > Policies. Click ‘New Policy’ to create a new conditional access policy.
3. Name the policy.
4. Select the user(s) to whom this policy should be applied.
Users and Groups > Select users and groups > search for the name of the user/group. Click Select.
5. Select the condition for location.
i. Click on Condition.
ii. Click Location.
iii. Select Yes to configure (i.e., include/exclude locations from this policy).
6. Include location.
Select any location.
7. Exclude the named locations.
Selected Locations Name: USA
8. Under Access Controls, Block Access.
Select ‘Block Access’ radio button.
9. All configurations are done; now we need to enable and create the policy.
Enable Policy: Report-Only or On
Click Create
Simply put, this whole configuration means that if the specified users try to access SharePoint Online from any location other than the USA, they will not be granted access.
Similarly, we repeat the same configuration with the difference that here the application is Exchange Online, and we exclude ‘Canada’ while including both ‘India and USA’. This policy allows users in the Canada office to access Exchange Online, whereas users in India and the USA are restricted from accessing it.
Equivalently, the same configuration with the application this time being the PowerBI service: we exclude ‘India’ while including ‘USA & Canada’ under locations. As a result, this policy allows users in the India office to access the PowerBI service, while employees in the USA and Canada cannot.
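To make the if-then logic of the named locations, the MFA trusted IPs and the three block policies above concrete, here is an added example (not part of the original blog) that simulates how such a policy set evaluates a sign-in. The office ranges, the trusted range and the policy names are constructed placeholders, and the evaluation order is a simplified model of what the portal does, not Microsoft's code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample named locations (RFC 5737 documentation ranges, not the blog's IPs).
# Each office has two ISP ranges, matching the blog's two-ISPs-per-office scenario.
NAMED_LOCATIONS = {
    "USA":    ["203.0.113.0/29", "203.0.113.32/29"],
    "Canada": ["198.51.100.0/29", "198.51.100.32/29"],
    "India":  ["192.0.2.0/29", "192.0.2.32/29"],
}
# MFA trusted IPs: sign-ins from these ranges skip MFA (assumed: only USA's first ISP).
MFA_TRUSTED_IPS = ["203.0.113.0/29"]

@dataclass
class Policy:
    name: str
    app: str                  # application the policy targets
    include_locations: set    # {"All"} or a set of named-location names
    exclude_locations: set    # named locations carved out of the block
    state: str = "On"         # "On" or "Report-only"

# The three block policies from the blog: block <app> everywhere except one office.
POLICIES = [
    Policy("Block SharePoint outside USA", "SharePoint Online", {"All"}, {"USA"}),
    Policy("Block Exchange outside Canada", "Exchange Online", {"All"}, {"Canada"}),
    Policy("Block PowerBI outside India", "PowerBI service", {"All"}, {"India"}),
]

def in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def resolve_location(ip):
    """Return the named location containing ip, or None if no named location matches."""
    for name, cidrs in NAMED_LOCATIONS.items():
        if in_ranges(ip, cidrs):
            return name
    return None

def evaluate(app, ip, policies=POLICIES):
    """Return (decision, mfa_required, report_only_hits) for a sign-in to app from ip.
    Report-only policies never block; they are listed so the admin can check them."""
    location = resolve_location(ip)
    report_only_hits = []
    for p in policies:
        if p.app != app:
            continue
        included = "All" in p.include_locations or location in p.include_locations
        if included and location not in p.exclude_locations:
            if p.state == "On":
                return "Blocked", False, report_only_hits
            report_only_hits.append(p.name)
    # Granted: MFA is skipped only when the sign-in comes from a trusted IP range.
    return "Granted", not in_ranges(ip, MFA_TRUSTED_IPS), report_only_hits
```

An IP that matches no named location (for example a home connection) is blocked by all three policies, which is the lockout the Report-only note above warns about.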
Let us try to access SharePoint Online from the USA, Canada and India. As per the policy we created, access should be granted when the application is opened from the USA office network, whereas it should be restricted for users trying to access it from the Canada and India offices.
SharePoint Online is accessible
SharePoint Online access is restricted.
Users trying to access Exchange Online (from the Canada office) and the PowerBI service (from the India office) will be allowed to sign in to the applications. Conversely, if they try to sign in to Exchange Online (from the USA or India office) or the PowerBI service (from the USA or Canada office), they will be shown a common error message.
Therefore, the policy is successfully implemented, and we have secured access to the applications from the defined locations only. Access from all other locations and IPs not defined is blocked.
What if someone tries to access the applications from a non-Windows device? The error message remains the same, apart from differences in the user interface.