Realtime Service requires a service account without MFA, which in principle opens an angle of attack in an O365 organization: the credential alone is enough to sign in. This article describes how you can use Azure Conditional Access to limit that service account's sign-in to a single IP address or a specified set of IP addresses. Any attempt to sign in from any other address is blocked by Conditional Access, and the sign-in fails with a Conditional Access error message.
Azure AD Named location
Access the Azure portal, and navigate to Azure AD Named location.
The following dialog uses the new preview interface as it was at the time this document was created.
The steps are illustrated in the graphics below and include the following:
1. Create a new IP ranges location.
2. Define a name of the location.
3. Add an IP range matching your Resource Central server public IP according to the CIDR notation. (/32 means just the IP written)
4. Click add.
5. Click create to complete.
Azure AD Conditional Access policy
The next step is to create a Conditional Access policy that blocks all access for the specific service account except from the location defined above.
Access the menu option “Azure AD Conditional Access” in Azure.
Press New Policy, and give the policy a name.
Each of the sections of the dialog will be taken step by step.
Specify the service account under include.
Block access to all cloud apps.
A warning is shown because a policy that blocks all cloud apps can lock a whole tenant out, but remember that this policy only targets the service account specified. Before enabling it, double-check that the Users assignment includes only the service account and nothing broader.
Under Conditions, open Locations and specify the location created earlier as an exception (exclusion) to this general block-all rule. Note that under Include you must select “Any location”, so that the block applies everywhere except the excluded Resource Central server IP.
Under Access controls you need to create the general block rule.
Go to the Grant section and choose “Block access”.
Finally set “Enable policy” to On.
And save the new policy.
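The same named location and policy can be created from a script, which makes the configuration reviewable and repeatable. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original article or of Resource Central. The service account UPN, the server IP (203.0.113.10, a documentation address) and the display names are assumed placeholders, and it creates the policy in report-only mode first so the sign-in logs can confirm that only the service account is affected before the block is enforced.

```powershell
# Added example (not from the original article): create the named location and the
# blocking Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Assumed placeholders: the service account UPN, the server's public IP and the
# display names below. Replace them with your own values.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

$ServiceAccountUpn = 'svc-rts@contoso.com'   # assumed placeholder
$ServerPublicIp    = '203.0.113.10'          # assumed placeholder; /32 = this one IP only
$LocationName      = 'Resource Central server'
$PolicyName        = 'RTS service account - block outside RC server IP'

# Scopes needed to manage named locations and CA policies and to look up the user.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Conditional Access references users by object id, not by UPN, so resolve it first.
$svc = Get-MgUser -UserId $ServiceAccountUpn -Property Id, UserPrincipalName
if (-not $svc) { throw "Service account $ServiceAccountUpn not found" }

# Steps 1-5 of the article: an IP-ranges named location holding a single /32.
$locationBody = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $LocationName
    isTrusted     = $false
    ipRanges      = @(
        @{
            '@odata.type' = '#microsoft.graph.iPv4CidrRange'
            cidrAddress   = "$ServerPublicIp/32"
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# The policy: only the service account, all cloud apps, any location except the
# named location, grant control = block. Report-only first, enforced after the check.
$policyBody = @{
    displayName   = $PolicyName
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @($svc.Id) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{
            includeLocations = @('All')            # "Any location"
            excludeLocations = @($location.Id)     # the Resource Central server IP
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Sanity check before enforcing: a block-all-apps policy must target exactly this
# one account, otherwise it could lock the tenant out.
$created  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$included = @($created.Conditions.Users.IncludeUsers)
if ($included.Count -ne 1 -or $included[0] -ne $svc.Id) {
    throw 'Policy user assignment is not limited to the service account; leaving it in report-only mode.'
}

# Equivalent of the article's "Enable policy: On".
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

Leave the policy in report-only mode for a day or two and review the Conditional Access tab of the service account's sign-in logs: every sign-in from the Resource Central server should show "Report-only: Not applied" and anything from another address "Report-only: Failure" before you switch the state to enabled.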
Applies to: All versions of RTS
Reference: TFS #264640
Knowledge base ID: 0295
Last updated: Feb 08, 2021