Forum Discussion
Cloud app conditional access exceptions
I have a lot of issues with attackers coming from VPN and anonymous IPs. I'm trialing a Conditional Access policy to apply Conditional Access App Control.
I've created a Cloud App Access Policy to block using IP address, Category, equals, and listing a few categories like VPN and Risky.
Then another Access policy to block IP address, Tag, equals Tor, Anonymous, Random, Botnet etc.
Testing shows this works. But I've been asked what if we wanted to allow a specific service like NordVPN. How can I achieve this?
2 Replies
- Jovansavage (Copper Contributor)
Conditional Access App Control works by categorizing IPs (VPN, Anonymous, Botnet, etc.) from threat intelligence.
When you block “VPN” as a category, you block all VPN providers, because NordVPN falls under that same category.
To allow NordVPN specifically, you need to override the blanket block with an exception.
Recommendation:
- Block all VPN/Anonymous IPs using your CA App Control policy (as you’ve done).
If you must allow NordVPN:
- Collect the specific NordVPN exit IPs that your org wants to allow.
- Create a Named Location in Entra ID for them.
- Exclude that Named Location from your block policy.
Document it well because if NordVPN rotates IPs, you'll need a process to update the list regularly.
Let me know.
Jovan
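As an added example (not code from the thread or from Microsoft), the Named Location exception in Jovan's steps expressed as the Microsoft Graph request bodies, built in Python with CIDR validation, an offline "would this IP be exempt" check, and a diff helper for the IP-rotation caveat. The CIDRs are constructed placeholders, not real NordVPN ranges, and the field names are assumed from the Graph conditionalAccess namedLocations and policy schemas.

```python
import ipaddress

# Constructed placeholder ranges standing in for the NordVPN exits your org agrees to allow.
ALLOWED_VPN_CIDRS = ["203.0.113.0/24", "2001:db8:1::/48"]


def build_named_location(display_name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (assumed Graph schema).
    Every CIDR is validated so a typo cannot silently widen the exception."""
    ip_ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits / bad input
        odata_type = ("#microsoft.graph.iPv4CidrRange" if net.version == 4
                      else "#microsoft.graph.iPv6CidrRange")
        ip_ranges.append({"@odata.type": odata_type, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": False,  # an exemption from the block, not a trusted network
        "ipRanges": ip_ranges,
    }


def build_location_condition(named_location_id):
    """conditions.locations fragment for the block policy: everywhere except the exception."""
    return {"includeLocations": ["All"], "excludeLocations": [named_location_id]}


def is_exempt(client_ip, cidrs):
    """Offline check: does this source IP fall inside the exception ranges?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def diff_ranges(current, published):
    """Rotation check: (to_add, to_remove) when the provider publishes a new range list."""
    cur, new = set(current), set(published)
    return sorted(new - cur), sorted(cur - new)
```

Run diff_ranges against the provider's current list on a schedule so the Named Location is updated before blocked users start reporting it.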
- lfk73 (Brass Contributor)
Makes sense, thanks for the reply. I'll test that out and see.