In this post I will cover how to restrict access to the Azure Portal from external networks using a Conditional Access policy. When we say restricting access from an external network, we are talking about locations, i.e. IP address ranges. If the organization has Active Directory installed, it already has Active Directory Sites and Services with all AD sites defined, and each AD site (which can be thought of as a location) has a list of IP subnets assigned to it. Based on our requirement we can create Named Locations under Conditional Access settings, specify the same IP subnets there and mark them as trusted locations.
How to block access to Azure Portal from outside Location / IP address
We will have to configure a couple of settings related to Conditional Access. Before that we need to understand which IP addresses and locations we want to allow. Let’s pick an example: we have a site named Australia under Active Directory Sites and Services on the on-premises Domain Controller.
The screenshot below shows the AD site named AUS with 3 subnets:
We are now going to create a named location with the name Australia and add the 3 IP subnets mentioned above under it.
Log in to the Azure Portal and navigate to Azure AD > Conditional Access, then click on Named locations. Alternatively, this can also be accessed through Microsoft Endpoint Manager Admin Center > Home > Devices > Conditional Access.
Under Named locations, we have multiple options:
- Countries location
- IP ranges location
- Configuration MFA trusted Ips
Click on IP ranges location to open the New location (IP ranges) blade and provide the name Australia, then click on the Plus (+) icon to enter a new IPv4 or IPv6 range. The range must be in CIDR notation. You may use the following link to check which IP address range will be covered by a given CIDR prefix.
Provide 220.127.116.11/24 and click on Add.
Note: You can add a single IP address by using /32 as the subnet mask. For example, 192.168.1.50/32 adds exactly one IP address, nothing less and nothing more.
Repeat the process to add all IP ranges. Once done, check the box Mark as trusted location and click on Create.
We are done creating the Named location with the name Australia, with all IP ranges specified.
Create Conditional Access policy to restrict access from external location
The purpose of this Conditional Access policy is to block access to Microsoft Azure Management from all locations while excluding All trusted locations, i.e. the named location we created earlier.
Under Conditional Access, click on Policies > New policy and select Create new policy.
Provide the name as “Restrict access to Azure portal external network”. Under Assignments, click on Include and specify All users.
Click on Exclude and specify at least one user or group so that you do not lock yourself out.
Click on Cloud apps or actions, choose Select apps and pick Microsoft Azure Management from the list of cloud apps. By selecting Microsoft Azure Management, we are including multiple services such as:
- Azure portal
- Azure Resource Manager provider
- Classic deployment model APIs
- Azure PowerShell
- Azure CLI
- Visual Studio subscriptions administrator portal
- Azure DevOps
- Azure Data Factory portal
Click on Conditions; under Device platforms set Configure to Yes and select Any device, which includes all device platforms such as Android, iOS, Windows Phone, Windows and macOS.
Under Locations, include “Any location”, as we want to block access from all locations.
However, we want to allow access from the trusted location, so click on Exclude and select All trusted locations.
Under Access controls, click on Grant and select Block access.
Verify all the information we have specified. Under Enable policy, click on On. By default Report-only is selected, which is actually a very good option to go with first: the Conditional Access policy will not be applied, but it will generate a report showing whether the policy would have been applied, with success or failure, had it been enabled.
I am confident about the settings I have made, and I have also excluded one specific user (my break glass account) to which the policy will not apply.
On Create, the portal shows the message “Don’t lock yourself out” and offers to exclude the current user from this policy. Going with that option would also exclude the current user from this Conditional Access policy. I will be proceeding with the second option as I have one account excluded already. Click on Create.
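To show how the named location and the policy above fit together, here is an added example (not part of the original post) that simulates the evaluation: the Australia named location with the post's CIDR ranges marked as trusted, a /32 single-host location that is not trusted, and the policy with All users included, a hypothetical break-glass account excluded, Any location included and All trusted locations excluded. The extra IPv6 range, the second subnet and the account names are constructed for the example.

```python
import ipaddress

# Constructed sample data: the named locations as the post configures them.
# "Australia" is marked trusted; "SingleHost" is a /32 that is NOT trusted.
# 220.127.116.11/24 has host bits set; strict=False masks them off to /24.
NAMED_LOCATIONS = {
    "Australia": {
        "is_trusted": True,
        "ip_ranges": ["220.127.116.11/24", "10.20.0.0/16", "2001:db8::/32"],
    },
    "SingleHost": {"is_trusted": False, "ip_ranges": ["192.168.1.50/32"]},
}

# The post's policy: block Microsoft Azure Management for All users from
# Any location, excluding All trusted locations and a break-glass account
# (hypothetical account name).
POLICY = {
    "include_users": "All",
    "exclude_users": {"breakglass@example.com"},
    "include_locations": "Any",
    "exclude_locations": "AllTrusted",
    "grant": "block",
}


def locations_containing(ip: str) -> list[str]:
    """Return the named locations whose CIDR ranges contain the sign-in IP."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, loc in NAMED_LOCATIONS.items():
        for cidr in loc["ip_ranges"]:
            net = ipaddress.ip_network(cidr, strict=False)
            # Only compare within the same address family (IPv4 vs IPv6).
            if addr.version == net.version and addr in net:
                hits.append(name)
                break
    return hits


def is_trusted(ip: str) -> bool:
    """True if any named location containing the IP is marked trusted."""
    return any(NAMED_LOCATIONS[n]["is_trusted"] for n in locations_containing(ip))


def evaluate(user: str, ip: str) -> str:
    """Simulate the policy decision for a sign-in to Azure Management."""
    if user in POLICY["exclude_users"]:
        return "allow (user excluded)"
    if POLICY["exclude_locations"] == "AllTrusted" and is_trusted(ip):
        return "allow (trusted location)"
    return POLICY["grant"]
```

Note that a sign-in from the untrusted /32 location is still blocked: only locations marked as trusted satisfy the All trusted locations exclusion.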
Check the following link for more information on verifying Conditional Access policies using report-only mode.
Verify the CA Policy
To verify the Conditional Access policy, log in to the Azure portal from any IP address that we haven’t specified in the named location. When trying to log in, we see the following error:
You cannot access this right now
Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your domain.
In this case it is the location restriction that is preventing us from logging in to the Azure Portal.
To troubleshoot Conditional Access issues and see whether policies are being applied or not, navigate to Conditional Access > Monitoring > Sign-in logs.