Restrict access to an App Registration / Enterprise App to be from just a single IP or server

As per the question title - I would like to be able to restrict access to an AAD App registration / Enterprise App so that just a single server or IP can authenticate and use the app.

The App registration is currently set up to use a client secret for access which is called via Python. I have tried setting up a conditional access policy to restrict to a named location that contained the single IP address but discovered that CA IP restrictions only apply to user authentication and not to programmatic access using secrets.

This is something that is being developed so we can be adaptable and reconfigure things as required, but I'm struggling to find a way to restrict things in this way to a single server. The server is currently on premises but we are migrating everything into Azure anyway, so if there is a solution that requires the server to be in Azure, such as creating and using an endpoint for example, that might work also.

I was also trying to look into the possibility of using a certificate instead but wanted to see if an issued certificate could be configured to only work from a single IP or MAC address for added security.

Hopefully someone will have some ideas that can help me with this.

Thanks for any suggestions

4 Replies

This is not available yet, CAs currently do not apply to app logins.

What we currently do is forward the SP logins to Sentinel and throw an alert when a service principal logs in from somewhere else.
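The reply above describes a detective control rather than a preventive one: ship service principal sign-ins to Sentinel and alert when one comes from an address it should not. The following is an added example, not code from the poster or from Microsoft, showing that check as plain Python run over constructed sample records. The field names (TimeGenerated, ServicePrincipalId, ServicePrincipalName, IPAddress, ResultType) follow the Sentinel AADServicePrincipalSignInLogs table, but all values, the service principal ids and the EXPECTED_SOURCES baseline are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Mapping

# Constructed sample sign-in records. The field names mirror the Sentinel
# AADServicePrincipalSignInLogs table; every value here is invented.
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    {"TimeGenerated": "2021-01-10T08:00:01Z",
     "ServicePrincipalId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "ServicePrincipalName": "reporting-job",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2021-01-10T08:05:42Z",
     "ServicePrincipalId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "ServicePrincipalName": "reporting-job",
     "IPAddress": "198.51.100.7", "ResultType": "0"},
    {"TimeGenerated": "2021-01-10T08:06:10Z",
     "ServicePrincipalId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "ServicePrincipalName": "reporting-job",
     "IPAddress": "198.51.100.7", "ResultType": "7000215"},  # failed sign-in
    {"TimeGenerated": "2021-01-10T09:00:00Z",
     "ServicePrincipalId": "22222222-aaaa-4bbb-8ccc-000000000002",
     "ServicePrincipalName": "legacy-sync",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
]

# Hypothetical baseline: the source networks each service principal is
# expected to authenticate from. The asker's single server would be a /32.
EXPECTED_SOURCES: Dict[str, List[str]] = {
    "11111111-aaaa-4bbb-8ccc-000000000001": ["203.0.113.10/32"],
}


@dataclass(frozen=True)
class Finding:
    service_principal_id: str
    service_principal_name: str
    ip_address: str
    time_generated: str
    reason: str


def source_is_expected(ip: str, networks: Iterable[str]) -> bool:
    """True if the sign-in source address lies inside any baseline network."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in networks)


def detect_unexpected_signins(records: Iterable[Mapping[str, str]],
                              expected: Mapping[str, List[str]]) -> List[Finding]:
    """Flag successful service principal sign-ins that fall outside the baseline.

    Only ResultType "0" (success) is considered: a failed attempt from a
    strange address never obtained a token. A service principal with no
    baseline at all is also flagged, so that new or forgotten identities
    cannot silently go unmonitored.
    """
    findings: List[Finding] = []
    for rec in records:
        if rec.get("ResultType") != "0":
            continue
        sp_id = rec["ServicePrincipalId"]
        networks = expected.get(sp_id)
        if networks is None:
            reason = "no source baseline defined for this service principal"
        elif source_is_expected(rec["IPAddress"], networks):
            continue
        else:
            reason = "successful sign-in from outside the expected source networks"
        findings.append(Finding(
            service_principal_id=sp_id,
            service_principal_name=rec.get("ServicePrincipalName", ""),
            ip_address=rec["IPAddress"],
            time_generated=rec["TimeGenerated"],
            reason=reason,
        ))
    return findings


if __name__ == "__main__":
    for f in detect_unexpected_signins(SAMPLE_SIGNINS, EXPECTED_SOURCES):
        print(f"{f.time_generated} {f.service_principal_name} "
              f"({f.service_principal_id}) from {f.ip_address}: {f.reason}")
```

On the sample data this reports two findings: the reporting-job sign-in from 198.51.100.7, and the legacy-sync sign-in that has no baseline at all. The failed attempt is skipped because no token was issued. As a scheduled Sentinel analytics rule the same logic is a query over AADServicePrincipalSignInLogs filtered on ResultType == "0" and IPAddress not in the allowlist; keep the allowlist per service principal, since a tenant-wide list would let any identity authenticate from any approved server.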

@Thijs Lecomte thanks for the suggestion. We currently do not have Sentinel in place but there is an ongoing project planned to set it up so we can look at that then.

@Vasil Michev Hello, it has been a few months since App Reg restriction by IP has been asked, is this available yet? If not, is it on a roadmap? Is there any other way to restrict by IP other than CA?