We have application on own server that should work with SharePoint Online. To access SP Online we need to have app token/secret - that's fine.
I wonder if there's possibility to restrict access via this token to some location for additional security. Let's say we have some machine with static IP that should connect to SP Online and machines with different IPs should not be able to connect even if they have right token/secret.
You can make use of Azure AD Conditional Access Policies.
The specific scenario you describe here will qualify for a condition based on Network Location. See here:
You just need to make use of location condition by defining Named Locations:
NOTE: This feature does require an Azure AD Premium License. You can compare different editions here
Related
I wanted to see if someone could help me with my capstone project. I selected access control and authentication. I need to help a company having issues with employees being able to open vital documents on the company network. I'm using Microsoft Azure to try and fix the problem. I'm trying to outline what I need to do to create a better access control system using a virtual machine in a Windows environment (1 X domain controller, 1 x clients, 4 users) to deliver a solution. I want to look at implementing DAC, RBAC, MAC, or a combination to help protect the essential information. Can anyone please break down a step-by-step process of what I should do? I need the virtual network and set up a topology. I was thinking about the hub-to-spoke topology, but it can change if something is better to use. In 2018, I last worked with Azure and access control, and I feel that I'm jumping around and missing some areas.
• I would suggest you to first create a set of virtual networks based on your different office locations or the assigned location of your employees. The address spaces used for these virtual networks should also be different and not overlap to avoid policy and access applications to the other networks. Once done, then configure the virtual machines for the concerned employees accordingly and the connectivity solution for them also, i.e., through RDP or Bastion host as such.
• Then, ensure that the user IDs are created according to the employee’s requirement for access to the Azure resources deployed, i.e., the resources may be Azure file share, blob storage, any Web app created or any certificate, secret in the key vault. Then provide access to the concerned user to that Azure resource through RBAC (Access control IAM) by providing the concerned user required access by assigning them roles according to the level of access required for that resource.
• Also, ensure that you have assigned an Azure role assignment to every user though alike if they are using resources on Azure. In this case, you can create a custom role with the required permissions, actions, and data actions necessary for that Azure role. While doing this, you will also be enrolling your users for Office 365 services to have appropriate access to online office software and mailbox. During which, you will need to opt for Azure Information Protection license such that the documents, mails, etc. are protected even after they leave the organization’s domain, i.e., client systems. Also, you would need Azure AD Premium P2 and Enterprise Mobility + Security (EMS) E5 licenses.
Thus, in this way, you can set up your organization’s infrastructure in Azure with secure and proper access. Please find below links for more information regarding the specific feature configuration: -
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first
The above link describes the use and configuration of Access packages in Azure and how you can use them to create a workflow for approval and requests for assigning the required resources for a particular project in Azure. Similarly, regarding the implementation of Azure Information Protection, kindly refer to the documentation link below for configuration and more details: -
https://learn.microsoft.com/en-in/previous-versions/azure/information-protection/infoprotect-quick-start-tutorial
https://learn.microsoft.com/en-us/azure/information-protection/faqs
I want to allow internal users to access SharePoint sites only from selected IP ranges. However, for external users and guest I want to allow to access it from any network.
So, I created a conditional access policy from Azure AD to implement it which was successful as expected. But there is another problem that I was not aware of, it is now blocking internal users to sign in to MS Teams from outside of the whitelisted IP ranges which I dont want. So is there any workaround to include only sharepoint not the MS teams.
Thanks
If you create a conditional access policy in Azure AD, the policy will be applied to all Microsoft 365 apps like SharePoint, Teams and so on. You can set access control policy only on SharePoint level to solve this issue. Don't forget to remove or disable the policy you set in Azure AD before doing this.
Go to SharePoint admin center.
Select Policies from the left-side navigation.
Select Access control.
Select Network location.
Turn on Allow access only from specific IP address ranges and enter IP addresses or ranges in the below textbox.
I want to publish a web application to a Azure Web App and enable Organizational Authentication during the process. The wizard offers the following options:
I've added two custom domains to our Office 365 subscription that also show up in the corresponding Azure AD tenant.
Instead of using the default domain mycompany.onmicrosoft.com I want to use one of those custom domains so that this domain is shown to the user on various web pages that handle authentication and consent. I was able to use the custom domain without any problem when configuring Azure AD authentication for the web project.
When using the custom domain in the wizard (field domain in the screenshot), I first need to enter my O365 credentials. Shortly after, the following error is displayed:
Provisioning the destination end point failed with the error:
'The user account 'x#y.z' doesn't have the required permissions to access the domain 'y.z'.'
If you don't intend to enable Orgnizational Authentication during
publish, please turn that option off in the publish dialog.
The Directory Role of the account is Global Administrator and I've already registered multiple apps using this account. So I don't think that this has anything to do with permissions.
Do I have to use the *.onmicrosoft.com domain or can I solve this in a different way?
As a sidenote (just if this is makes a difference): the web app resides in a Azure subscription that belongs to my Microsoft account whereas the O365 Azure AD is administered by my work account and does not belong to a subscription. Of course, not the most straightforward way, but I guess pretty common for Microsoft partners as the Azure benefits can only be actived on a Microsoft account even if the partner already has a O365 subscription.
To use the custom domain for the organization authentication we need to enable it as the primary domain.
You can check it from the old Azure portal here like figure below:
Update( change the primary domain in new Azure portal)
locate Azure Active Directory->Domain names->select the domain which want to set as primary domain like figure below:
Has anyone successfully restricted Visual Studio Team Services access by IP address? The following blog post says it is possible by connecting the VS Team Services with Azure AD.
https://blogs.technet.microsoft.com/ad/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work/
After signing up will see the Visual Studio Team Services application on the application tab of the Azure AD portal. You can then go to the application's configure tab and set access rules, just like you would for other applications. (Like the Twitter example above.)
I have connected Team Services with Azure AD, but when I go in the Azure AD portal, click on applications under my domain and then click on "Visual Studio Online" all I get is a "Dashboard" with usage graphs. There is no "Configure" tab as the blog post says there should be. I have backed my Team Services account with TFS. Any ideas?
Thanks.
Think I found the issue. In the below link it says:
These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/
Since I'm not subscribed to Azure AD Premium that is most likely why I don't get the configuration tab and the option to restrict access by IP address. Some what annoying that you would have to pay for Azure AD Premium access to get such a standard feature when already paying for VS Team Services.
You can do this in the AD: azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work:
Blocking external access
In other cases only users on the corporate network may be allowed to
access a SaaS application. This rule can help prevent data leakage and
in some cases can help you meet regulatory requirements.
When an app is on-premises you would have easily been able enforce
this policy at your network boundary. With the app in the cloud this
becomes more challenging.
We've helped address by adding the block access when not at work rule.
This rule can be applied to any of your Azure AD applications that
support conditional access.
The page below shows the option on the same Twitter configure tab as
above.
When you choose this option only users coming from an IP address that
falls within an IP range you have identified will be allowed access to
the application.
I am a developer working on a think client application. One of our customers wants us to provide hosting for the application and I have set up azure remote app for this. The customer is asking if it will work with single sign on.
From what I can see it can work if I have access to their directory. For example if I could join their domain or change my default directory to be their directory it should work. Is this good practice though? From what I see the only way to do this is give their administrators access to my subscription.
Is there another way?
Azure Remote App offers two deployment options
- RemoteApp cloud deployment enables user logon with Microsoft account or corporate credentials federated with Azure Active Directory
- RemoteApp hybrid deployment enables full access to on-premises network, and user logon with corporate credentials federated with Azure Active Directory
So in both cases, you may have single sign on for your customer application, provided his current identity provider (for example On premise Active Directory) is federated with Azure Active Directory
Hope this helps
Best regards
Stéphane