
How to restrict access to Microsoft 365 with Safous

This procedure guides you through configuring Microsoft Entra and Safous so that Microsoft 365 can be accessed only from the Safous Application Gateway's outbound IP addresses, by way of the Safous Agent.

warning

Please be aware that this will limit users' access to M365 services to specific IP addresses only. Therefore, a static public IP address is needed for the Application Gateway's outbound access. Any change to the outbound IP address will prevent users from accessing M365 services.

Please refer to the list of services that will be impacted after implementing this procedure; the link is at the bottom of this article.

For network application scope, do not use a full-route (full internet tunnel) configuration. Instead, add only the required Microsoft 365 destination URLs/IP ranges and required ports.

Prerequisites

Before continuing with the steps in this article, please ensure that your organization already has:

  • Microsoft product licenses:
    • At least an Entra ID P1 license or a Microsoft 365 Business Premium license, to configure Conditional Access.
  • An account in Microsoft Entra ID with these roles:
    • Global Administrator, to configure the settings mentioned in this article.

Create Conditional Access Policy in Entra ID

  1. Go to entra.microsoft.com and sign in with the Global Administrator account

  2. Create a Named Location

    1. Navigate to Protect and Secure > Conditional Access > Named locations and select Add IP ranges location

    2. Add the location name and the list of IP addresses, and mark it as a trusted location. If you have multiple Application Gateways, add each gateway's outbound IP address here.


    3. To check the Safous Application Gateway public IP address, connect to the application gateway via SSH and run the command below:

      **curl ipconfig.io**

      (or use another IP address lookup service that supports curl, such as ipconfig.io or ifconfig.me)

  3. Create a new conditional access policy


    1. Fill in the policy name and select the target users.


    2. Select the app to be restricted. In this case, select Office 365.


    3. Configure the access condition and select Locations as the condition.


    4. In the Configure section, add a location exclusion: add the previously created trusted location.

    5. In the Grant section, select Block. This blocks all access to the Office 365 service except from the trusted location that was added to the exclusion list.


    6. Set Enable policy to On to enforce this policy. To evaluate the policy without enforcing it, select Report-only.
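The named location and the block-except-trusted-location policy above can also be created through the Microsoft Graph Conditional Access API. The following script is an added example, not part of the Safous article or Microsoft's own tooling: it checks that each Application Gateway outbound address is a public IPv4 address (a private or CGNAT address means the gateway sits behind NAT and its real egress IP is something else), builds the two Graph payloads, and models how the finished policy evaluates a sign-in source address, which also illustrates the warning that a changed outbound IP locks users out. The gateway IP, the location and policy names, the "All users" scope and the GRAPH_TOKEN environment variable are assumptions; the payload shapes follow the Graph v1.0 `namedLocations` and `policies` resources.

```python
"""Build and (optionally) submit the Entra Conditional Access objects that
restrict Office 365 to the Safous Application Gateway egress addresses.
Added example; not code from the Safous documentation or from Microsoft."""
import ipaddress
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def validate_outbound_ips(ips):
    """Turn gateway egress addresses into /32 CIDRs, rejecting anything that
    is not a globally routable IPv4 address."""
    cidrs = []
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())
        if addr.version != 4 or not addr.is_global:
            raise ValueError(f"{raw}: not a public IPv4 address, check the gateway egress")
        cidrs.append(f"{addr}/32")
    return cidrs


def named_location_payload(name, cidrs):
    """Trusted IP named location, as created in step 2 of the procedure."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def policy_payload(name, location_id, report_only=True):
    """Block Office 365 from every location except the trusted one (step 3).
    Starts in report-only mode unless report_only=False is passed."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},  # assumption: all users in scope
            "applications": {"includeApplications": ["Office365"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def source_is_trusted(source_ip, cidrs):
    """Local model of the policy decision: a sign-in is allowed only when its
    source address falls inside one of the trusted ranges. A gateway whose
    outbound IP changes therefore stops matching and is blocked."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def graph_post(path, body, token):
    """POST a JSON body to Graph with a bearer token (needs Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample value; replace with the output of `curl ipconfig.io` on each gateway.
    gateway_ips = ["20.0.113.10"]
    cidrs = validate_outbound_ips(gateway_ips)
    location = named_location_payload("Safous App Gateway egress", cidrs)
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        location_id = graph_post("/identity/conditionalAccess/namedLocations", location, token)["id"]
        policy = policy_payload("Block Office 365 outside Safous", location_id)
        print("created policy", graph_post("/identity/conditionalAccess/policies", policy, token)["id"])
    else:
        print(json.dumps(location, indent=2))
        print(json.dumps(policy_payload("Block Office 365 outside Safous", "<namedLocation id>"), indent=2))
```

Without GRAPH_TOKEN the script only prints the payloads, which is a convenient way to review the object that will be created before touching the tenant; the policy is deliberately built in report-only state so the sign-in logs can confirm that only Safous Agent traffic matches the trusted location before Enable policy is switched to On.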

Testing Access

  1. In Safous, create or update Network application entries using only the required Microsoft 365 destinations (URLs/IP ranges) and ports from the Microsoft endpoint list. Do not configure full-route entries.

    Microsoft endpoint references:

  2. Try to sign in to Office 365. Access from an untrusted location (without Safous Agent) is blocked, as shown in the screenshot below.

    (screenshot: blocked Office 365 sign-in)

  3. Access should succeed once the device is connected to Safous Agent and traffic to the required Microsoft 365 endpoints is routed through the configured Safous Network application.

info

Please refer to the link below for the list of Office 365 services that will be restricted:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365