Block external access for O365 Service Accounts using Conditional Access in Azure AD


Realtime Service (RTS) requires a service account without MFA, which in principle gives an attacker who obtains the password an angle of attack into an O365 organization. This article describes how to use Azure AD Conditional Access to restrict that service account so it can only sign in from a single IP address or a specified set of IP addresses. Any sign-in attempt from elsewhere is blocked by Azure AD with a Conditional Access error.

Azure AD Named location

Access the Azure portal, and navigate to Azure AD > Security > Named locations.

The following dialog uses the new preview as it was at the time of creating this document.

Steps are illustrated in the graphics below, and include the following:

1. Create a new IP ranges location.

2. Define a name of the location.

3. Add an IP range matching the public IP of your Resource Central server, in CIDR notation (a /32 suffix means exactly the one IP written, for example 203.0.113.10/32).

4. Click add.

5. Click create to complete.

Azure AD Conditional Access policy

The next step is to create a Conditional Access policy that blocks every sign-in by the specific service account except those coming from the location defined above.

Access the menu option Azure AD > Security > Conditional Access in the Azure portal.

Press New Policy, and give the policy a name.

Each of the sections of the dialog will be taken step by step.


Under Users and groups, specify the service account under Include. Target only that account; do not include an "All users" or group assignment here.

Under Cloud apps or actions, select All cloud apps.

A warning is shown because blocking all cloud apps can lock administrators out, but remember this policy only targets the service account specified.

Under Conditions > Locations, the policy must apply to every location except the one created earlier: under Include select "Any location", and under Exclude select the named location for the Resource Central server. The exclusion is what lets the service account in from the server while everything else is blocked.

Access controls

Under Access controls you create the general block rule.

Go to the Grant section and choose "Block access".

Finally set "Enable policy" to On, and save the new policy.

If you want to validate before enforcing, set the policy to Report-only first, perform a sign-in from the Resource Central server and one from another address, and check the Conditional Access tab of the sign-in logs in Azure AD before switching it to On. Two caveats: Conditional Access requires Azure AD Premium P1 (or a bundle that includes it), and the policy is only as good as the named location, so if the server's public IP changes, update the named location first or the service account will be blocked until you do.
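The same named location and policy can be created from PowerShell with the Microsoft Graph PowerShell SDK. The script below is an added example written for this article; it is not code from Add-On Products or from the original page. The service account UPN, the server IP 203.0.113.10 and the display names are placeholders you must replace. It creates the policy in report-only mode first and switches it to enabled as a separate, deliberate step.

```powershell
# Added example: create the named location and the block policy via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph (Identity.SignIns and Users modules).
# Placeholders (assumptions, replace before use): UPN, server IP, display names.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$serviceAccountUpn = "rts-service@contoso.onmicrosoft.com"   # placeholder
$serverCidr        = "203.0.113.10/32"                         # placeholder, /32 = single IP

# Resolve the service account to its object ID; Conditional Access targets IDs, not UPNs.
$svc = Get-MgUser -UserId $serviceAccountUpn -Property Id, UserPrincipalName

# 1. Named location covering only the Resource Central server's public IP.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Resource Central server"
    isTrusted     = $false
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $serverCidr
        }
    )
}

# 2. Policy: service account only, all cloud apps, any location except the server,
#    grant control = block. Created as report-only so it can be checked in the
#    sign-in logs before it is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block RTS service account outside Resource Central server"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @($svc.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

Write-Host "Created policy $($policy.Id) in report-only mode for $($svc.UserPrincipalName)"

# 3. After reviewing report-only results in the sign-in logs, enforce the policy.
#    Keep this as a separate step; running it blindly can lock the service account out.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{
    state = "enabled"
}
```

The `includeLocations = "All"` plus `excludeLocations = <named location ID>` pair is the scripted equivalent of the portal's "Any location" include with the server location excluded; if you omit the exclusion, the policy blocks the service account everywhere, including from the Resource Central server.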


Applies to: All versions of RTS

Reference: TFS #264640

Knowledge base ID: 0295

Last updated: Feb 08, 2021

