Restrict access to Office 365 using Conditional Access and Cloud SWG Dedicated IPs.

Article ID: 257118

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

How do I restrict access to Office 365 to users who are going through Cloud SWG?

Can I require users to go through Cloud SWG in order to get to Office 365?

Environment

Dedicated IP address feature enabled.

Office 365 (O365) with Conditional Access enabled.

Resolution

Follow these steps to restrict access to O365 from Cloud SWG dedicated IP addresses.

1. Add the following three O365 login domains to the dedicated IP address configuration in the Cloud SWG Portal:

  • login.microsoftonline.com
  • login.windows.net
  • login.microsoft.com

2. Click the “Download Dedicated IP Addresses” link on the same configuration page and note the IP addresses listed in the downloaded JSON file.

An example of the file format is shown below. The addresses in the file are assigned exclusively to your tenant, so your IP addresses will differ from those in the example.

{
  "addresses": [
    {"site": "ggblo", "deiAddresses": ["149.164.8.20", "149.164.8.21"]},
    {"site": "ginmu", "deiAddresses": ["134.93.63.20", "134.93.63.21"]},
    {"site": "gusdm", "deiAddresses": ["198.58.240.20", "198.58.240.21"]}
  ]
}

3. From the Azure Portal, define a conditional access policy that will only allow access from the Cloud SWG dedicated IP addresses above.

  • From the Azure Active Directory -> Security -> Named Location
    • Add a new IP address location containing the Cloud SWG dedicated IP addresses unique to your tenant
    • Make sure that the 'Mark as trusted location' flag is enabled

  • From the Azure Active Directory -> Security -> Conditional Access configuration
    • Create a new conditional access policy with the following settings to block access from all locations except the Cloud SWG named location:
      • Add any O365 application so that the policy's condition is triggered
      • Under the conditions tab, include ALL locations, excluding the Cloud SWG IP address named location defined in the previous step
      • Under the grant tab, BLOCK access (this applies to every location except the excluded Cloud SWG trusted location)
    • Save all changes
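As an added example (not part of this article or of the Cloud SWG product), the script below parses the downloaded dedicated IP JSON into the /32 ranges the named location needs, builds the Microsoft Graph ipNamedLocation body that corresponds to step 3 (trusted, IPv4 CIDR ranges), and models the resulting policy decision for a given sign-in egress IP; the JSON sample is constructed in the article's format.

```python
import ipaddress
import json

# Constructed sample in the format of the "Download Dedicated IP Addresses" file.
DEDICATED_IP_JSON = (
    '{"addresses":[{"site":"ggblo","deiAddresses":["149.164.8.20","149.164.8.21"]},'
    '{"site":"ginmu","deiAddresses":["134.93.63.20","134.93.63.21"]}]}'
)


def dedicated_ip_cidrs(raw_json):
    """Return every deiAddress as a /32 CIDR, validated and deduplicated, in file order."""
    data = json.loads(raw_json)
    cidrs = []
    for site in data["addresses"]:
        for addr in site["deiAddresses"]:
            ip = ipaddress.ip_address(addr)  # rejects malformed or truncated entries
            if ip.version != 4:
                raise ValueError(f"expected an IPv4 dedicated address, got {addr}")
            cidr = f"{ip}/32"
            if cidr not in cidrs:
                cidrs.append(cidr)
    return cidrs


def named_location_body(display_name, cidrs):
    """Request body for POST /identity/conditionalAccess/namedLocations (Graph ipNamedLocation).

    isTrusted=True mirrors the 'Mark as trusted location' flag from step 3.
    """
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c} for c in cidrs
        ],
    }


def access_allowed(client_ip, cidrs):
    """Model the policy: block unless the sign-in egress IP is inside the trusted named location."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    ranges = dedicated_ip_cidrs(DEDICATED_IP_JSON)
    print(json.dumps(named_location_body("Cloud SWG Dedicated IPs", ranges), indent=2))
    for probe in ("149.164.8.21", "203.0.113.7"):  # second address is a constructed non-SWG egress
        print(probe, "allowed" if access_allowed(probe, ranges) else "blocked")
```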

Additional Information

1. Microsoft documentation on restricting access to O365 based on egress IP addresses: https://learn.microsoft.com/en-us/power-platform/admin/restrict-access-online-trusted-ip-rules
2. Sample error messages returned when O365 access is blocked by a conditional access policy: https://www.core.co.uk/blog/blog/restricting-access-office-365
3. Documentation on the O365 login URLs: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions