Office 365 Integrated Apps Add-in Authentication

Copper Contributor

I have deployed an app for my organization through the Office 365 admin center - Integrated Apps, which requires a manifest file, and a website which hosts the app. The Add-in is working correctly and is limited to users from my organization. However, the website that hosts the app, is a public site, and I don't want to give unauthorized users access to that site. Is there a recommendation or documentation on how to prevent unauthorized access to the website, while also keeping that site available for the Office 365 plugin? 

1 Reply
Hello Karen Lala, To restrict access to the website hosting your Office 365 app while allowing access to authorized users, you can implement various authentication and authorization mechanisms. Here are a few recommendations:

1. **Azure AD Authentication:**
- Integrate Azure Active Directory (Azure AD) authentication into your website. This way, only users authenticated through your organization's Azure AD will have access.
- Configure the app registration in Azure AD to allow only users from your organization.

2. **App-Only Authentication:**
- If the website is accessed by the Office 365 app and not directly by users, consider using app-only authentication. In this case, the app itself authenticates with Azure AD rather than the user.
- Configure the app registration to allow app-only authentication and ensure only your app has the necessary credentials.

3. **Conditional Access Policies:**
- Leverage Azure AD Conditional Access policies to control access based on conditions like user location, device compliance, or other criteria.
- You can create a policy that enforces access only from specific IP ranges or locations.

4. **IP Whitelisting:**
- Restrict access to your website based on IP addresses. Allowlist only the IP addresses associated with your organization's network.

Always ensure that your solution aligns with security best practices and complies with your organization's policies. Documentation for Azure AD and Office 365 provides detailed guidance on configuring authentication and access controls. Regularly review and update these settings as needed to maintain the security of your application.

Have a wonderful day Karen Lal!