Restrict Azure web app access to Security Group/Distribution group - azure

I have a web app that I am hosting on Azure and would like to know how I can make that site accessable by only a security group/distribution list within Azure.
Now, the url is accessable by anyone even outside of my tenant which I am trying to avoid - What route would I go down to restrict it down to groups? I can't do it by users because there are 1,000+ users.

It appears like you can only restrict an Azure Web App access via IP addresses or virtual networks. Below is a quick summary. However, I have attached a link to the MS Docs that explains in more detail how to implement adding these restrictions.
Go to your service in the Azure Portal > Networking > IP Restrictions
Add Rule
Input IP/subnet mask
Note: After you add a rule, it will create an implicit deny by default for anything requests not matching the rules.
This link also may be helpful if you want to edit the web.config instead of using the Azure Portal.

Related

Restrict Frontdoor url only for office network or setup basic auth on storage blob service

This is our setup so far.
1)On production, we are hosting static web pages through Azure storage account, we have configured it on Frontdoor with a custom DNS.
We have a requirement such that few of the static web page urls should ask for basic authentication on the browser.
We have configured this on Frontdoor rulesetup based on url pattern.
So far, this works fine.
2)Now, the main issue is with replicating the same setup for UAT purpose. Since its UAT, we cannot expose it globally. It should be accessible to only the people connected to office network, either directly or through vpn.
If we configure it in Frontdoor, we have the risk of exposure.
If we do not configure it in Frontdoor, we can't have basic auth setup feature which we setup through Frontdoor Ruleset.
We have explored WAF(security) policy on Frontdoor, but we do not have a specific range of IP addresses that can be configured in WAF custom ruleset.
• To block the frontdoor URL for office network without blocking the basic authentication setup feature for a few web pages on the static website URL, you should configure the conditional access policy for this purpose.
To configure the conditional access policy for all the Azure AD users connecting in your office network, you will have to ensure that you have Azure AD Premium P2 licenses available and the devices through which users are connecting to the office network are joined/registered with Azure AD.
Please refer to the below snapshots explaining the configuration of Azure AD conditional access policy for this purpose: -
Thus, in the above way, you can block the front door URL from being accessed by people in the office network. You can configure the named locations also in this policy accordingly to block the access from these locations based on trusted IP ranges, added layer of authentication and country based locations too as shown above.
For more information, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location

restrict access to azure web app without ip filtering

I have a "public" website deployed on azure. I want to get access only from a limited number of authorized tester persons.
I cannot use ip restriction because all of us have dynamic ip and we are dislocated all over the world.
Here the solution I have adopted, but I am not confindet is the correct.
I have enabled authentication.
I have also created users in active directory and added to my application:
Everything works. Now, before access to the website, people must login.
But... what I do not like is that people can access to portal azure with the email I have authorized on active directory. They do not see anything, but they can access into that directory. is there a way to avoid this?
Does exists a better solution to restrict access to my website?
Thank you
You can restrict access to Azure Portal with Azure AD conditional access
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
https://learn.microsoft.com/en-us/answers/questions/112173/can-we-restrict-azure-portal-httpsportalazurecom-a.html#:~:text=Yes%2C%20we%20can%20restrict%20access,Azure%20AD%20Premium%20P1%20License.&text=as%20shown%20below%3A-,Navigate%20to%20Azure%20Portal%20%3E%20Azure%20Active%20Directory%20%3E%20Security%20%3E%20Conditional,and%20Groups%20%3A%20Select%20required%20users.

How to restrict access to some URL-path of Azure Web service from Internet?

I have a classic ASP.NET 4.7 Azure Web service with an Web API.
How to restrict access to some URL-path of Azure Web service from Internet while allow to access the whole web site, and allow access to the restricted path from a VNet?
I tried to solve the problem using Azure Application Gateway, but it does not work properly. Here is the question How to route to another path with Azure Application Gateway?
From perspective of coding, you could use this similar way instructed here to authorized on specific URL based on IP address.
From perspective for Azure Application Gateway, you could try using custom rules:
Allowing and blocking traffic is simple with custom rules.
For example, you can block all traffic coming from a range of IP addresses.
You can make another rule to allow traffic if the request comes from a specific browser.
You can leverage "RequestUri" variable in Match variable section. (Not professional on WAF, so didn't test this way)

Azure - Allow access to a website deployed on Azure App Service only for a single country

I have website deployed on Azure App Service and I want to restrict access to my website from any other country accessing it but only a specific country can access that website.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Even though AppService does not provide, Yes this can be done with Azure CDN provider does via the Geo Level Filtering. More details can be found here.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Agree with Sajeetharan. It seems Azure Web App could not restrict the access just by country directly. You can have a try with Azure CDN, it can restrict the access by country.
But, as the comment you said, you do not have to restrict CDN, in this case, you can consider to restrict IP addressees in Azure. You can also use IP Restrictions menu in Azure app services to add restrictions:
You can check the document Azure App Service Access Restrictions for some more details.
Besides, you can try to use web.config or use IP restrictions feature of the webapp:
Check this thread for some more info.
Hope this helps.
Answer is: Azure Front Door with Front Door WAF policy
After going through with different Microsoft documentation I finally implemented the solution with Azure Front Door where you can set Frontend hosts and Backend pools with forwarding/redirecting. And in Frontend hosts, you can select WAF policy.
In the backend pool, you can select any application e.g. App Service or any IP where your app is deployed.
In WAF policy there are multiple options to restrict your traffic and one of them is geolocation restriction.
Just apply geolocation restriction according to your desired country and it will work like a charm.

Azure AD B2C: Policy IP Addresses to Allow Access to Custom Policy HTML Templates

We are using Azure AD B2C (still in preview) to authenticate customers to our application.
We are going to use custom html templates for our sign-in experience and sign-up (gives us more power over format and links outside of MS content).
Since our development environment is on a restricted network, the Systems Engineers would like to restrict access to those resources to a range or set of IP Addresses.
We could just monitor traffic while we test, and then add those IPs we see, but it would be nice if there were a list somewhere (I've looked, but I can't find anything).
At the very least and regardless, we will end up restricting access from outside the network to just those specific files.
Does Microsoft provide that range of IP addresses that will be requesting the content?
As it turns out, I was misunderstanding how the templates work. Microsoft uses JavaScript to download the custom template, so it's actually the users browser that retrieves the content and not Azure servers. This is why you need to enable CORS in your application.
The solution is to simply allow access to login.onmicrosoft.com from the DEV and TEST environments so that users can be redirected to the sign-in and sign-up pages/policies. Access to your environments does not need to be given to any Microsoft servers.
For those interested in seeing the ranges anyways, I found the following file by searching for "ip addresses used by azure": https://www.microsoft.com/en-us/download/details.aspx?id=41653

Resources