Restricting Microsoft Entra and Azure Management Through Safous

This procedure guides you through configuring Microsoft Entra and Safous so that the Microsoft Entra admin portal and Azure Management Service are accessible only from the Safous Application Gateway's outbound IP address, i.e. only when the administrator is connected through the Safous Agent.


🚧 Caution

Please be aware that this limits administrative access to Microsoft Entra and Azure Management Service to specific IP addresses only. A static public IP address is therefore required for the Application Gateway's outbound access: if the outbound IP address changes, administrative access to Microsoft Entra will be lost.

Please refer to the list of services that will be impacted after implementing this procedure (see the link at the bottom of this article).

Before proceeding with this procedure, make sure that you have a secondary/temporary Global Administrator account available as a backup in case of an operational mistake. A misconfiguration in the Entra portal can lock the admin account out, leaving it unable to revert the configuration.

  1. Go to entra.microsoft.com and sign in with the Global Administrator account.
  2. Create a Named Location.
    1. Navigate to Protect and Secure -> Conditional Access -> Named locations and select Add IP ranges location.
      kb-entra-restrict-1
    2. Enter the location name and the list of IP addresses, and mark it as a trusted location. If you have multiple Application Gateways, add each gateway's outbound IP address here. It is highly recommended to also add a public IP address other than the Application Gateway's outbound IP, such as an office public IP address, during the initial setup; this is how you prevent account lockout.
      kb-entra-restrict-2
    3. To check the Safous Application Gateway's public IP address, connect to the Application Gateway via SSH and run the command below:
      curl ipconfig.io
      (or any other IP address lookup service that supports curl, such as ipinfo.io). The address returned is the gateway's outbound address as seen from the Internet, which is the address Entra will evaluate against the named location.
      kb-entra-restrict-3
  3. Create a new Conditional Access policy.
    kb-entra-restrict-4
    1. Enter the policy name and select the target users. Since the goal is to limit administrator access to the portal, add the Administrator role as the target user.
      kb-entra-restrict-5
    2. Select the app that will be restricted. In this case, select Microsoft Azure Management.
      kb-entra-restrict-6
    3. Configure the conditions and select Location as the condition.
      kb-entra-restrict-7
    4. In the Configure section, add a location exclusion and select the trusted location created earlier.
      kb-entra-restrict-8
    5. In the Grant section, select Block. This blocks all access to Azure Management Service except from the trusted location that was added to the exclusion list.
      kb-entra-restrict-9
    6. Set the policy to Report-only mode. This is important in order to verify that the portal remains accessible from trusted locations before the policy is enforced.
      kb-entra-restrict-14
  4. Configure the Safous Full Tunnel Network Application.
    1. Please refer to https://support.safous.com/kb/is-it-possible-to-do-full-internet-access-via-safous
  5. Try logging in to Microsoft Entra from an IP address that is not listed in the trusted location, using a user included in the Conditional Access policy.
    1. Navigate to Protect and Secure -> Conditional Access -> Sign-in Logs and open the latest sign-in by clicking on its log entry (there is a 5-minute gap between the login and the log entry being shown).
    2. On the Report-only tab, the result will be Report-only: failure if the portal was accessed from an IP address outside the trusted locations.
      kb-entra-restrict-10
    3. You can also view the details of the log entry by clicking the three-dot icon beside the Result column.
      kb-entra-restrict-11
  6. Try logging in to Microsoft Entra after connecting the Safous Agent with a user who has full tunnel access.
    1. Check the sign-in logs using the same procedure as in the previous test.
    2. The log will show Report-only: not applied if the portal is being accessed from a trusted location.
      kb-entra-restrict-12
  7. Once both results above have been observed in the logs, enable the restriction policy by changing its mode from Report-only to On (refer to step 3.6). This enforces the policy and blocks access to Entra and Azure Management resources from untrusted locations.
  8. Access from untrusted locations will then show the output below.
    kb-entra-restrict-13
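The same configuration expressed as Microsoft Graph request bodies, as an added example that is not part of this article or of Safous' own tooling. It builds the named location from step 2 and the block policy from step 3, refuses to build a location without a non-gateway fallback IP (the lockout scenario in the caution), and gates the switch to enforcement (step 7) on the report-only sign-in results from steps 5 and 6. The IP addresses, location and policy IDs are constructed placeholders; the Graph endpoints, the Azure Management application ID and the Global Administrator role template ID are the well-known values used by Entra.

```python
import ipaddress

# Well-known IDs in Entra ID (not specific to this tenant).
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # "Microsoft Azure Management"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"      # Global Administrator role template

# Address space that can never be an Internet-facing outbound IP; Entra only ever
# sees the public (NAT) address, so these would silently never match.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def build_named_location(name, gateway_ips, fallback_ips):
    """Body for POST /identity/conditionalAccess/namedLocations (step 2).
    gateway_ips: App Gateway outbound IPs (output of `curl ipconfig.io`).
    fallback_ips: at least one other public IP (e.g. the office) to avoid lockout."""
    if not fallback_ips:
        raise ValueError("add at least one non-gateway public IP to avoid lockout")
    ranges = []
    for ip in list(gateway_ips) + list(fallback_ips):
        net = ipaddress.ip_network(ip, strict=False)
        if any(net.version == bad.version and net.subnet_of(bad) for bad in NON_PUBLIC):
            raise ValueError(f"{ip} is not a public address; use the gateway's outbound IP")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": True, "ipRanges": ranges}

def build_block_policy(name, named_location_id, role_ids, enforce=False):
    """Body for POST /identity/conditionalAccess/policies (step 3): block Azure
    Management for the given admin roles from every location except the trusted
    one. Report-only by default; enforce=True is the step-7 switch to 'On'."""
    return {"displayName": name,
            "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
            "conditions": {
                "users": {"includeRoles": list(role_ids)},
                "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
                "locations": {"includeLocations": ["All"],
                              "excludeLocations": [named_location_id]}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

def ready_to_enforce(policy_id, sign_ins):
    """Steps 5-6: enforce only after sign-in records (GET /auditLogs/signIns) show
    both a report-only failure from an untrusted IP and a report-only 'not applied'
    from a trusted one for this policy. Only the fields used here are read."""
    seen = set()
    for entry in sign_ins:
        for applied in entry.get("appliedConditionalAccessPolicies", []):
            if applied.get("id") == policy_id:
                seen.add(applied.get("result"))
    return {"reportOnlyFailure", "reportOnlyNotApplied"} <= seen
```

POST the returned bodies with an access token that holds Policy.ReadWrite.ConditionalAccess, and keep the policy in report-only state until `ready_to_enforce` returns True.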

Please refer to the link below for documentation on the list of Azure Management Services that will be restricted:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-azure-management