Restricting Microsoft Office365 Dashboard Access Through Safous

This procedure guides you through configuring Microsoft Entra and Safous so that the Microsoft Office365 dashboard and services can only be reached from the Safous Application Gateway's IP address, i.e. by devices connected through the Safous Agent.

Please refer to the list of services that will be impacted after implementing this procedure (the link is at the bottom of this article).

  1. Go to entra.microsoft.com and sign in with a Global Administrator account.
  2. Create a Named Location.
    1. Navigate to Protect and Secure -> Conditional Access -> Named locations and select Add IP ranges location.
    2. Enter the location name and the list of IP addresses, and mark it as a trusted location. If you have multiple App Gateways, add each App Gateway's outbound IP address here.
    3. To check a Safous Application Gateway's public IP address, connect to the application gateway via SSH and run the command below:
      curl ipconfig.io
      (or use another IP address lookup service that supports curl, such as ipinfo.io)
  3. Create a new Conditional Access policy.
    1. Enter a policy name and select the target users.
    2. Select the app to be restricted. In this case, select Office365.
    3. Under Conditions, select Locations as the condition.
    4. In the Configure section, add a location exclusion and select the previously created trusted location.
    5. In the Grant section, select Block. This blocks all access to Office365 services except from the trusted location that was added to the exclusion list.
    6. Set Enable policy to On to enforce the policy. If you want to evaluate the policy without enforcing it, select Report-only.
  4. Configure the Safous Full Tunnel Network Application.
    1. Please refer to https://support.safous.com/kb/is-it-possible-to-do-full-internet-access-via-safous 
  5. Try logging in to Office365. Access from an untrusted location shows the output below.
  6. Access should succeed once the device is connected to the Full Tunnel Network Application.
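The same named location and block policy expressed as Microsoft Graph request bodies, with a pre-enforcement check that every gateway egress IP actually falls inside the trusted ranges (otherwise enabling the policy would block the gateway's own users). This is an added example, not Safous or Microsoft code; the IP addresses and the `loc-id` value are constructed placeholders, and the policy is limited to Office365 via Graph's `Office365` application identifier.

```python
import ipaddress

# Constructed sample values (not from the article): the outbound IPs of two
# Safous Application Gateways, as reported by `curl ipconfig.io` on each one.
GATEWAY_EGRESS_IPS = ["203.0.113.10", "198.51.100.25"]

def build_named_location(name, ip_ranges, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations (Graph).
    Bare addresses become /32 (or /128) ranges; the odata type follows the IP version."""
    ranges = []
    for r in ip_ranges:
        net = ipaddress.ip_network(r, strict=False)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": trusted, "ipRanges": ranges}

def build_block_policy(name, location_id, state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies: block Office365 from
    every location except the excluded trusted named location (Report-only by default)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def uncovered_gateways(named_location, gateway_ips):
    """Gateway IPs that are not inside any configured range. Sessions egressing
    from these would be blocked once the policy is set to 'enabled'."""
    nets = [ipaddress.ip_network(r["cidrAddress"]) for r in named_location["ipRanges"]]
    return [ip for ip in gateway_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]

def policy_state_for(named_location, gateway_ips):
    """Only move from Report-only to enforced when every gateway IP is trusted."""
    if uncovered_gateways(named_location, gateway_ips):
        return "enabledForReportingButNotEnforced"
    return "enabled"

if __name__ == "__main__":
    loc = build_named_location("Safous App Gateway", ["203.0.113.10", "198.51.100.0/24"])
    print(uncovered_gateways(loc, GATEWAY_EGRESS_IPS))  # [] when all gateways are covered
    print(build_block_policy("Block O365 outside Safous", "loc-id",
                             policy_state_for(loc, GATEWAY_EGRESS_IPS))["state"])
```

Send the bodies with any Graph client holding the Policy.ReadWrite.ConditionalAccess permission; the `id` returned for the named location is what goes into `excludeLocations`.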

Please refer to the link below for Microsoft's documentation listing the Office365 services that will be restricted:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365