Can we restrict Users from accessing Office 365 (on Azure) from certain IP address?

%3CLINGO-SUB%20id%3D%22lingo-sub-1734995%22%20slang%3D%22en-US%22%3ECan%20we%20restrict%20Users%20from%20accessing%20Office%20365%20(on%20Azure)%20from%20certain%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1734995%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20accessing%20office%20365%20Mailbox%20on%20Azure%20cloud%20from%20AWS%20Virtual%20Private%20cloud%20through%20OAUTH%202.0.%20How%20can%20we%20impose%20restriction%20to%20allow%20Office%20365%20is%20accesible%20from%20only%20IP%20Address%20range%20of%20AWS%20VPC%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1734995%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1735013%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20restrict%20Users%20from%20accessing%20Office%20365%20(on%20Azure)%20from%20certain%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1735013%22%20slang%3D%22en-US%22%3E%3CP%3EI%20meant%20certain%20IP%20addresses%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F816495%22%20target%3D%22_blank%22%3E%40AravindKonda%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1735524%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20restrict%20Users%20from%20accessing%20Office%20365%20(on%20Azure)%20from%20certain%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1735524%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20either%20need%20to%20use%20Conditional%20Access%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-location%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-location%3C%2FA%3E)%20or%20redirect%20the%20auth%20process%20to%20some%20external%20system%20(federation)%20and%20impose%20the%20restrictions%20there.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1738957%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20restrict%20Users%20from%20accessing%20Office%20365%20(on%20Azure)%20from%20certain%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1738957%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Vasil.%20I%20doubt%20we%20have%20premium%20subscription%20to%20utilize%20conditional%20access.%20Can%20you%20share%20more%20details%20on%20option%26nbsp%3B%20%26nbsp%3B%22%3CSPAN%3Eredirect%20the%20auth%20process%20to%20some%20external%20system%20(federation)%20and%20impose%20the%20restrictions%20there%22.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1739889%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20restrict%20Users%20from%20accessing%20Office%20365%20(on%20Azure)%20from%20certain%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1739889%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fwhatis-fed%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fwhatis-fed%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1763228%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20restrict%20Users%20from%20accessing%20Office%20365%20(on%20Azure)%20from%20certain%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1763228%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Vasil%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3BAs%20Office%20365%20is%20accessed%20from%20AWS%20VPC%20cloud%20%2C%20what%20IP%20addresses%20I%20need%20to%20provide%20while%20whitelisting%20IP%20address%20using%20conditional%20access%20of%20Azure%20Active%20Directory.%20I%20have%20with%20me%20details%20of%20AWS%20VPC%20CIDR%20%2C%20but%20CIDR%20range%20is%20private%20Ip%20addresses.%20I%20think%20I%20need%20to%20provide%20public%20IP%20addresses%20in%20AAD%20configuration%20%2C%20so%20what%20IP%20address%20from%20AWS%20I%20should%20be%20looking%20for%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

We are accessing office 365 Mailbox on Azure cloud from AWS Virtual Private cloud through OAUTH 2.0. How can we impose restriction to allow Office 365 is accesible from only IP Address range of AWS VPC?

10 Replies
Highlighted
Highlighted

You either need to use Conditional Access (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...) or redirect the auth process to some external system (federation) and impose the restrictions there.

Highlighted

Thanks Vasil. I doubt we have premium subscription to utilize conditional access. Can you share more details on option   "redirect the auth process to some external system (federation) and impose the restrictions there".

Highlighted

Hi Vasil,

   As Office 365 is accessed from AWS VPC cloud , what IP addresses I need to provide while whitelisting IP address using conditional access of Azure Active Directory. I have with me details of AWS VPC CIDR , but CIDR range is private Ip addresses. I think I need to provide public IP addresses in AAD configuration , so what IP address from AWS I should be looking for?

Highlighted

@Vasil Michev  Regarding conditinal access I went through documentation. When using location settings we can specify access requests from particular IP addresses  or countries to be blocked . This is what I found in documentation , is it possible to specify settings other way like to allow requests from only certain IP adddresses , if it comes from any other IP addresses (not specified) requests shuld be blocked.

Highlighted

@Vasil Michev  I appreciate your valuable time in responding to my questions. We do have conditinal access feature. Our Application is registered to run as background service or daemon without a signed-in user. The application is accessed from AWS cloud through Oauth2.0 authentication. Can conditional access be still applied? 

Highlighted

Conditional access doesnt apply to application logins, that's different from "user" access. Depending on the protocol your app is using, you might be able to restrict it via Client Access Rules: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/...

 

Highlighted

@Vasil Michev  Thanks Vasil , I too found the same solution. Due to some reason, our team is not ready apply access rules at exchange level. Do we have any other alternative?

Highlighted

Nothing within O365, you can certainly add some restrictions in the app itself though.