
IP based Conditional Access in M 365

Microsoft 365 adds security benefits over traditional on-premises infrastructure, removes the extra cost and advanced IT knowledge that such infrastructure required, and still provides the facilities and advantages of a secured cloud environment with cross-platform support and anytime, anywhere access.


Microsoft 365 offers some extra security benefits over traditional on-premises infrastructure. It removes the costly infrastructure that was required earlier and the advanced IT knowledge that used to be essential, and it bundles services such as a 100 GB mailbox (depending on the package), online meetings, document collaboration, 99.9 % uptime, and the flexibility of a cloud platform, allowing businesses to provide users with only the services they need, on demand, to access email, documents, contacts, and calendars anytime, anywhere, on any platform.

For many companies, Microsoft 365 removes the need to invest in costly infrastructure, complicated Exchange deployments, and HA/DR, because the data now lives in the cloud, freeing the IT department from those burdens.

From a flexibility point of view, the anytime, anywhere access of M 365 offers the following:

  • Microsoft 365 can be accessed from anywhere – not just in the office, but from any part of the world through internet access.
  • Microsoft 365 can be accessed from any device – not just corporate-owned devices, but from any device (Personal Windows/Mac laptop, tablet, phone, any device with a browser or Outlook client installed).
  • Microsoft 365 can be accessed by just a username and password.

From an organizational data loss prevention perspective, this causes the following issues:

  • Emails can be cached offline and copied elsewhere on a home PC using Outlook or any other compatible desktop client.
  • Mail can be downloaded to mobile devices and copied to other locations.
  • OneDrive for Business can be synced offline to any compatible device at home or elsewhere, and all of that data can be copied or shared.
  • SharePoint Online can be synced offline to any compatible device, such as a home PC or laptop, and all of that data can be copied or shared.
  • By default, multi-factor authentication is not turned on, which means only a username and password are required to log in.

For on-premises environments, the earlier solution to these problems was the VPN: VPNs controlled who could and could not connect to on-premises data. Once data and resources move to the cloud, different controls are needed to restrict access to that data.

To strengthen access control, Microsoft introduced Conditional Access. Conditional Access allows administrators to control which Microsoft 365 apps users can access, based on the validation of certain conditions.

These conditions are applied by constructing a policy (or multiple policies) that grants users access to Microsoft 365 resources.

To start, log in to the Microsoft Admin Console (www.admin.microsoft.com) with your Global Admin credentials and open the Azure portal.

Now, in the Azure AD portal, select All Services > All > Azure AD Conditional Access.

The first thing you need to create is a trusted network location and then set up the policy, based on which the conditional access will work.

The following is an overview of the conditions that a policy can control:

  • Users/Groups – Which users do you want to control? Users can be included in or excluded from the policy as required.

  • Cloud Apps – Which apps do you want to control and provide selective access to? Conditional Access does not need to be applied to the whole Microsoft 365 package; you can be more granular and control access to specific apps only, e.g. Exchange Online.

  • Client App – Control which app or software the user connects from, e.g. allow browsers while disabling the mobile and desktop Outlook apps.

  • Device Platform – Control which device platforms users can connect from, e.g. allow Windows and iOS but block Android phones.

  • Location – Control which IPs or IP ranges can connect to Microsoft 365, e.g. limit access to the office's public IP, which is static.

  • Sign-in Risk – Control sign-ins that Office 365/Azure considers unlikely to come from the legitimate user, e.g. a sign-in from London followed by one from New York 30 minutes later.

Based on the conditions above, access to Microsoft 365 services can be granted subject to the following controls:

  • Require multi-factor authentication – The user is allowed to log in, but it is mandatory to complete an additional security check first, e.g.
      • Phone call
      • Text message
      • Mobile app
  • Require devices to be marked as compliant – The device used to log in must be Intune compliant, i.e. it must match the Intune compliance policies to be able to connect.
  • Require domain joined (Hybrid Azure AD) – The device must be Hybrid Azure AD joined, e.g. mobile devices that are Azure AD registered, and domain-joined machines that are set to register automatically in Azure AD.
  • Require approved app – Allow access only if the connection attempt was made by an approved client application. These applications support Mobile Application Management (MAM) policies, so administrators can wrap security around them (e.g. stop information being copied and pasted out of these applications).

Now that we have the complete overview of the conditional access control policy module, let us now proceed towards IP Based Conditional Access.

1. Create a trusted Named Location based on the IPs. Note that this is recommended only if your IPs are static.

2. Enter the IP details as follows. (Format: IPv4 Address/27 [1.2.3.4/27]).

3. After saving the IP, set up the policy. First, assign a policy name.

4. Select the users whom we need to block from logging in from different IP addresses.

5. Now choose the application or Cloud App that you want to block for that user or the group of users.

6. Now set the condition for access. For IP restriction, select the location created in step 1 under Named Locations. As the screenshot below shows, any Named Locations you defined appear in the list, and you can select one or more of them for each policy, either as an included or an excluded location. You can still create a policy that does not depend on the network location.

7. Now grant access based on the IP. You can either block access completely for the user or group of users, or require additional verification controls.

8. Now set the Execution Policy switch to On and save the policy.
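The same steps 1 to 8, carried out with the Microsoft Graph PowerShell SDK rather than the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed and a Global Admin signs in; 203.0.113.0/27 and the two group names are placeholders for your own static office range and groups.

```powershell
# Added example, not the article's own procedure. Placeholders: the
# 203.0.113.0/27 range and the group names "Office-Only Staff" / "CA Exclusions".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Steps 1-2: trusted Named Location, in the "IPv4 Address/27" form the article uses.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/27" }
    )
}

# Step 4: users in scope. The admin/break-glass group is excluded so that a
# mistake in the policy can never lock administrators out (see the note at the end).
$targetGroup = Get-MgGroup -Filter "displayName eq 'Office-Only Staff'"
$breakGlass  = Get-MgGroup -Filter "displayName eq 'CA Exclusions'"

# Steps 3 and 5-8: block the chosen app from every location except the trusted one.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block Exchange Online outside HQ IPs"
    # Report-only lets you review the sign-in log first; switch to "enabled" for step 8.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($targetGroup.Id); excludeGroups = @($breakGlass.Id) }
        clientAppTypes = @("all")
        # Well-known application id of Office 365 Exchange Online.
        applications   = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        # "All" locations are included, then the trusted office range is excluded.
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

Leave the policy in report-only mode until the sign-in log shows only the expected users being affected, then change `state` to `enabled`.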

After the policy is saved, when the user tries to log in from any IP address other than the one named in the policy, access is blocked. Please refer to the screenshot below.

Conditional Access will not work in the following situations:

  • Client Apps – Not all clients support Conditional Access; the client app must support Modern Authentication, e.g. Outlook 2016 or Outlook 2013 (with a registry key change).
  • Any custom-developed application without Microsoft's Modern Authentication features embedded in it will not support Conditional Access.
  • Outlook 2010 will not work with Conditional Access and the user will be allowed to connect; locking down Outlook 2010 by IP range requires ADFS claims rules.
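Because the clients listed above are let in without the policy being evaluated, it is worth checking the sign-in log for them. The following is an added example, not from the original article: it pulls recent sign-ins through Microsoft Graph PowerShell and lists the ones that came from outside the trusted range using a non-modern client. It assumes the Microsoft.Graph.Reports module and AuditLog.Read.All permission; the 203.0.113.0/27 range is a placeholder and the `Test-IPv4InCidr` helper is written here for the example.

```powershell
# Added example, not the article's own code. Placeholder trusted range below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$trustedRanges = @("203.0.113.0/27")          # your static office IPs, as in step 2
$modernClients = "Browser", "Mobile Apps and Desktop clients"

# Helper written for this example: IPv4 address -> 32-bit integer (as [long]).
function ConvertTo-IPv4Int([string]$address) {
    $b = [System.Net.IPAddress]::Parse($address).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

# Helper written for this example: is $ip inside the "a.b.c.d/n" range?
function Test-IPv4InCidr([string]$ip, [string]$cidr) {
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # skip IPv6 / empty
    $net, $bits = $cidr -split '/'
    $full = [long]4294967295
    $mask = ($full -shl (32 - [int]$bits)) -band $full
    return ((ConvertTo-IPv4Int $ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

# Sign-ins from the last 7 days.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$findings = foreach ($s in $signIns) {
    $trusted = $false
    foreach ($range in $trustedRanges) {
        if (Test-IPv4InCidr $s.IpAddress $range) { $trusted = $true }
    }
    # Non-modern client from outside the office: the IP policy did not protect this sign-in.
    if (-not $trusted -and $modernClients -notcontains $s.ClientAppUsed) {
        [pscustomobject]@{
            When     = $s.CreatedDateTime
            User     = $s.UserPrincipalName
            IP       = $s.IpAddress
            Client   = $s.ClientAppUsed
            CAStatus = $s.ConditionalAccessStatus   # typically "notApplied" for these
        }
    }
}
$findings | Sort-Object When | Format-Table -AutoSize
```

Any rows in the output are candidates for blocking legacy authentication or, for Outlook 2010, for the ADFS claims rules mentioned above.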

Please note: Before applying Conditional Access, make sure that users with administrative rights are excluded from the policy assignment. Otherwise, if anything goes wrong, you may lose access to all services.

Conditional Access not only strengthens your company's grip on confidential data but also reduces the chance of a security breach, from internal as well as external threats, in several ways.



