How do I restrict access to Office 365 to users that are using Cloud SWG?
Can I require users to go through Cloud SWG in order to get to Office 365?
Dedicated IP address feature enabled.
Office 365 (O365) with Conditional Access enabled.
Follow these steps to restrict access to O365 from Cloud SWG dedicated IP addresses.
1. Add the three highlighted O365 login domains to the dedicated IP address configuration using the Cloud SWG Portal, as shown below:
2. Click the “Download Dedicated IP Addresses” link highlighted above and note the IP addresses defined in the JSON file.
An example of the file format is shown below. The file lists the custom IP addresses assigned exclusively to your tenant; your IP addresses will be different from those in the example.
{"addresses":[{"site":"ggblo","deiAddresses":["149.164.8.20","149.164.8.21"]},{"site":"ginmu","deiAddresses":["134.93.63.20","134.93.63.21"]},{"site":"gusdm","deiAddresses":["198.58.240.20","198.58.240.21"]}]}
3. From the Azure Portal, define a conditional access policy that will only allow access from the Cloud SWG dedicated IP addresses above.
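Before entering the addresses in step 3, it helps to validate the downloaded file, because a malformed, private, or empty entry in an allow-list either widens access or locks every user out. The following is an added example, not part of the original article or of the Cloud SWG product. It assumes the file has the structure shown above and that the allow-list is entered as CIDR ranges, one per line; the function name `dedicated_ip_cidrs` is hypothetical.

```python
import ipaddress
import json

# Constructed sample: the example file shown in this article (not real tenant data).
SAMPLE = (
    '{"addresses":[{"site":"ggblo","deiAddresses":["149.164.8.20","149.164.8.21"]},'
    '{"site":"ginmu","deiAddresses":["134.93.63.20","134.93.63.21"]},'
    '{"site":"gusdm","deiAddresses":["198.58.240.20","198.58.240.21"]}]}'
)


def dedicated_ip_cidrs(raw_json):
    """Return sorted, de-duplicated host CIDRs from a dedicated IP JSON file.

    Raises ValueError if an address is malformed, is not publicly routable,
    or if the file yields no addresses at all.
    """
    doc = json.loads(raw_json)
    cidrs = set()
    for entry in doc["addresses"]:
        site = entry.get("site", "unknown")
        for text in entry["deiAddresses"]:
            # ip_address() raises ValueError on malformed input such as "1.2.3".
            addr = ipaddress.ip_address(text.strip())
            # A private or reserved address can never be the egress IP that
            # the identity provider sees, so treat it as a corrupted file.
            if not addr.is_global:
                raise ValueError(f"{text} (site {site}) is not a public address")
            # Host route: /32 for IPv4, /128 for IPv6.
            cidrs.add(ipaddress.ip_network(addr))
    if not cidrs:
        # An empty allow-list in an "allow only these IPs" policy blocks everyone.
        raise ValueError("no dedicated IP addresses found in file")
    ordered = sorted(cidrs, key=lambda n: (n.version, int(n.network_address)))
    return [str(n) for n in ordered]


if __name__ == "__main__":
    # One CIDR per line, ready to review before it goes into the policy.
    print("\n".join(dedicated_ip_cidrs(SAMPLE)))
```

Run it against the file downloaded in step 2 by passing the file's contents instead of `SAMPLE`, and compare the count of lines printed with the number of addresses you expect for your sites.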
Additional information:
1. Microsoft documentation on restricting access to O365 based on egress IP addresses: https://learn.microsoft.com/en-us/power-platform/admin/restrict-access-online-trusted-ip-rules
2. Sample error messages returned when O365 access is blocked by a conditional policy: https://www.core.co.uk/blog/blog/restricting-access-office-365 - error messages!
3. Documentation on the O365 login URLs: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions