SOLVED

CA policy


I'm trying to create a CA policy that forces MFA for access to the Azure management portal, and also the source connection must be from the US. If I connect from outside the US I get access. I understand why: it's because I didn't meet all of the requirements. How can I allow access, but only from specific IPs?

I don't want anyone to access the Azure management portal from outside the US. I know I can set up a block rule, but then I can't use things like compliant device or force MFA.

best response confirmed by Skipster311-1 (Frequent Contributor)
Solution
Hello, you can do this with two CA policies:
- Policy 1: Grant access to the Azure management portal from US IP addresses, with MFA
- Policy 2: Block access to the Azure management portal from IP addresses outside the US

For the IP addresses you can use either "Countries (IP)" or "Trusted locations".
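The reason the single policy lets non-US sign-ins through is that the conditions inside one Conditional Access policy are ANDed: a policy whose location condition is "US only" simply does not apply to a sign-in from anywhere else, so it enforces nothing there. The second, blocking policy closes that gap. The following is an added example, not code from the original thread or from Microsoft: it holds the two policy bodies in the shape Microsoft Graph expects for `/identity/conditionalAccess/policies` (plus the country named location for `/identity/conditionalAccess/namedLocations`), and runs a small offline evaluator over constructed sign-ins to show the difference between the one-policy and two-policy setups. The named-location id, the user names and the break-glass account are hypothetical; the app id is the well-known one for "Windows Azure Service Management API".

```python
"""Offline model of the two-policy design from the accepted answer (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known first-party app id for "Windows Azure Service Management API",
# the resource the Azure portal, CLI and PowerShell call to manage Azure.
AZURE_MANAGEMENT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Hypothetical id; Graph returns the real one when the named location is created.
US_LOCATION_ID = "us-named-location"

# countryNamedLocation body as it would be POSTed to Graph.
NAMED_LOCATIONS: Dict[str, dict] = {
    US_LOCATION_ID: {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "United States (by IP)",
        "countriesAndRegions": ["US"],
        # False: IPs that cannot be geolocated are NOT treated as US.
        "includeUnknownCountriesAndRegions": False,
    }
}

# Policy 1: grant Azure management from the US location, but require MFA.
POLICY_GRANT_US_MFA = {
    "displayName": "Azure Management - US - require MFA",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": [AZURE_MANAGEMENT_APP]},
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "locations": {"includeLocations": [US_LOCATION_ID], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: block Azure management from every location except the US one.
POLICY_BLOCK_OUTSIDE_US = {
    "displayName": "Azure Management - block outside US",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": [AZURE_MANAGEMENT_APP]},
        # Hypothetical break-glass account kept out of the block policy.
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": [US_LOCATION_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

BOTH_POLICIES = [POLICY_GRANT_US_MFA, POLICY_BLOCK_OUTSIDE_US]


@dataclass
class SignIn:
    user: str
    app: str
    country: Optional[str]  # None: the source IP could not be geolocated
    mfa_satisfied: bool


def in_location(signin: SignIn, location_id: str) -> bool:
    if location_id == "All":
        return True
    loc = NAMED_LOCATIONS[location_id]
    if signin.country is None:
        return bool(loc["includeUnknownCountriesAndRegions"])
    return signin.country in loc["countriesAndRegions"]


def policy_applies(policy: dict, signin: SignIn) -> bool:
    """Every condition must match (AND); otherwise the policy says nothing."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin.app not in apps:
        return False
    users = cond["users"]
    if "All" not in users["includeUsers"] and signin.user not in users["includeUsers"]:
        return False
    if signin.user in users.get("excludeUsers", []):
        return False
    locs = cond.get("locations", {"includeLocations": ["All"], "excludeLocations": []})
    included = any(in_location(signin, loc_id) for loc_id in locs["includeLocations"])
    excluded = any(in_location(signin, loc_id) for loc_id in locs.get("excludeLocations", []))
    return included and not excluded


def evaluate(policies: List[dict], signin: SignIn) -> str:
    """Returns 'blocked', 'mfa_required' or 'allowed'. A block wins over any grant."""
    controls = set()
    for policy in policies:
        if policy_applies(policy, signin):
            controls.update(policy["grantControls"]["builtInControls"])
    if "block" in controls:
        return "blocked"
    if "mfa" in controls and not signin.mfa_satisfied:
        return "mfa_required"
    return "allowed"


if __name__ == "__main__":
    # Constructed sign-in: user outside the US, MFA already satisfied.
    alice_from_de = SignIn("alice@example.com", AZURE_MANAGEMENT_APP, "DE", True)
    print("grant policy only:", evaluate([POLICY_GRANT_US_MFA], alice_from_de))  # allowed
    print("both policies:   ", evaluate(BOTH_POLICIES, alice_from_de))          # blocked
```

Two things worth noting from the model. With `includeUnknownCountriesAndRegions` left at `False`, an IP that cannot be geolocated is not "US", so the block policy catches it; that is the safer default for a deny-outside-US design. And any account excluded from the block policy (the break-glass account above) can reach Azure management from anywhere with no MFA prompt, because neither policy applies to it; keep such exclusions to the break-glass accounts only, and put both policies in report-only mode first to check the sign-in logs before enforcing.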