Conditional Access is a Microsoft Entra capability that is included with a Microsoft Entra ID P1 or P2 license. Through Microsoft Entra ID, Conditional Access brings signals together to make decisions and enforce organizational policies. One of these signals is location, defined through IP addresses.
Your Venn configuration includes multiple Private Company Gateway (PCG) IP addresses that are dedicated to your company and guarantee that all business traffic initiated in the Venn Secure Enclave reaches the Internet through one of these IP addresses. Services like Office 365's Conditional Access can use these IP addresses to apply policy restrictions (e.g. block access from outside Venn).
To avoid any unintended issues, please use these best practices:
- The most important rule to follow while creating these policies is to make sure administrators are not locked out of the Office 365 administration consoles. You should have separate groups and rules that control administrators' access to resources. Conditional Access policies do not have a priority order: when multiple policies apply to a sign-in, the most restrictive result (block access) wins.
- When you create any new policy, choose the ‘Enable policy: Report Only’ option. This will log the access conditions and intended decision (allow or deny) without blocking a user. After the sign-in logs confirm that your rules are correct, you can change the policy to be ‘On’.
- Exclude Apple Business Manager from the conditional access policies
- If you are using Entra as your IdP, you need to exclude Venn's app from the policy. The app name will be in the format Workplace_Workplace_US_<your company name>.
- By default CAE (Continuous Access Evaluation) should already be enabled in your tenant. If it's not, we strongly recommend that you turn this on.
Getting Started
To get started:
- Log into the Office 365 Admin console as a global administrator.
- Navigate to Microsoft Entra Admin Center > Protection > Conditional Access.
Define PCG locations
- Under Conditional Access add a new IP ranges location.
- Define a unique name for the policy (e.g. Venn PCG). Do not check the ‘trust’ option (it’s not needed for this setup).
- Add your company's PCG IP addresses (they will look similar to what’s on the below screenshot).
- Click Create.
Conditional Access Policy for Administrators
- Move up one level to the root of Conditional Access and click on Create new policy.
- Define the criteria as shown below. The actual criteria in this policy will depend on your specific case, but this is what we recommend:
Name: Administrative access (keep it on the top)
Users: We suggest that you create a group in Office 365 and use that to identify the admins.
Target resources: The policy should apply to ‘Cloud apps’, and the selected applications should include at least ‘Microsoft Admin Portals’. See the below screenshot. If you want to make sure administrators are always allowed to access additional resources, please select those as well.
Conditions: These depend on your specific case, but one suggestion is using locations (e.g. physical office IP addresses in addition to the PCG IP addresses) for additional security.
Access control: Grant access and select ‘Require multifactor authentication’.
Enable policy: Leave it in ‘Report only’ mode until you test and confirm it.
- Save the new policy.
Conditional Access Policy for Venn Users
To create the conditional access policy for users, which will deny access to select Office 365 resources for a group of users unless they are coming from the Venn PCG IP addresses:
- At the root of Conditional Access, click on Create new policy.
- Define the criteria as shown below.
Name: Venn PCG
Users: We suggest that you create a group in Office 365 and use that to identify Venn users. When Azure/Entra AD is the identity provider for Venn logins, the same group can be used to assign the Venn (Workplace) enterprise application to these users. Please make sure the administrators are not members of this group.
Target resources: Choose ‘Cloud apps’, and then select all appropriate apps from the list. You should exclude at least ‘Microsoft Admin Portals’ and the ‘Workplace_Workplace_US_companyname’ application to avoid blocking them.
Conditions: Configure the 'Locations' condition to exclude the location you defined earlier (Venn PCG). See the below screenshots. You may add more conditions: for example, if you want to apply the restriction on Windows/Mac but not iOS/Android, you can make that selection under 'Device platforms'.
Access control: Change this to ‘Block’
Enable policy: Leave it in ‘Report only’ mode until you test and confirm it.
- Save the new policy.
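The same three objects (the PCG named location and the two policies above, both in report-only mode) can be created with Microsoft Graph PowerShell instead of the portal. This is an added example, not Venn's or Microsoft's own code; the IP addresses, group object IDs and the Venn app's application ID are placeholders you must replace with your own values.

```powershell
# Added example: Venn PCG named location + the two Conditional Access policies
# described above, created through Microsoft Graph PowerShell in report-only mode.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pcgIps     = @("192.0.2.10", "192.0.2.11")                # placeholders: your PCG IPs
$adminGroup = "00000000-0000-0000-0000-000000000001"      # placeholder: admins group object ID
$vennGroup  = "00000000-0000-0000-0000-000000000002"      # placeholder: Venn users group object ID
$vennAppId  = "00000000-0000-0000-0000-000000000003"      # placeholder: Workplace_Workplace_US_<company> app ID

# 1. Named location holding the PCG addresses ('trust' deliberately left off, as in the steps)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Venn PCG"
    isTrusted     = $false
    ipRanges      = @($pcgIps | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "$_/32" }
    })
}

# 2. Administrators: MFA for the admin portals, never a location-based block
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Administrative access"
    state       = "enabledForReportingButNotEnforced"    # switch to "enabled" after testing
    conditions  = @{
        users        = @{ includeGroups = @($adminGroup) }
        applications = @{ includeApplications = @("MicrosoftAdminPortals") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
} | Out-Null

# 3. Venn users: block all cloud apps except the admin portals and the Venn app
#    unless the sign-in originates from the PCG location; admins are excluded
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Venn PCG"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($vennGroup); excludeGroups = @($adminGroup) }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @("MicrosoftAdminPortals", $vennAppId)
        }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null
```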
Now test the policies and use the audit logs (Conditional access/Monitoring/Sign-in logs) to verify that the rules work as expected. You can click on each entry, open the details and review the ‘Report only’ tab to see what “would happen if the policies were active”. If everything looks good, change both policies from ‘Report only’ to ‘On’ to make them effective.
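Reviewing the 'Report only' outcome one sign-in at a time is slow, so here is an added example (not from the original page) that pulls the same information from the sign-in log through Microsoft Graph and lists every sign-in the block policy would have denied, plus a per-policy tally. It assumes the policy names used above and a one-day lookback window; adjust both to your tenant.

```powershell
# Added example: summarise report-only Conditional Access results from the Entra sign-in log.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyNames = @("Administrative access", "Venn PCG")    # names assumed from the steps above
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# One row per (sign-in, policy) pair for the policies we care about
$rows = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($policyNames -notcontains $p.DisplayName) { continue }
        [pscustomobject]@{
            When   = $s.CreatedDateTime
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            IP     = $s.IPAddress
            Policy = $p.DisplayName
            Result = $p.Result   # e.g. reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied
        }
    }
}

# Sign-ins that "Venn PCG" would have blocked once switched On. Before enabling the policy,
# confirm none of these are administrators and that each IP really is outside the PCG ranges.
$rows | Where-Object { $_.Policy -eq "Venn PCG" -and $_.Result -eq "reportOnlyFailure" } |
    Sort-Object When -Descending | Format-Table When, User, App, IP -AutoSize

# Per-policy/result tally: the admin policy should never show a report-only failure
$rows | Group-Object Policy, Result | Select-Object Name, Count | Format-Table -AutoSize
```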
Additional Considerations
Conditional access rules only control the authentication, so once a security token is granted, Microsoft Outlook may be able to access your mailbox even if the conditions (e.g. location of the device) change. Therefore, it is also highly recommended to keep the lifecycle of the security token reasonably short and to apply an extra client access rule for Exchange Online that will be constantly evaluated as Outlook is looking for changes in the mailbox.
The Exchange Online client access rules you configure should look like the example below. You will need to make sure that administrators can still use Remote PowerShell from the PCG IP addresses and/or company offices (adjust the list to your addresses). Users subject to restrictions will need a common marker, such as a CustomAttribute, to scope the restrictions. You can also differentiate based on protocols. Client access rules have a priority order, so please make sure those granting access for administrators have the highest priority (lowest number in the -Priority parameter).
# Trusted source addresses (PCG and/or office IPs); replace with your own
$IPs = "66.22.188.0,66.22.188.1,66.22.190.0,66.22.190.1"

# Rules 1 and 2: Remote PowerShell stays reachable from the trusted IPs and nowhere else
New-ClientAccessRule -Name "Ensure PowerShell Is always available from Trusted IPs" `
    -Action AllowAccess -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges $IPs -Priority 1 -Confirm:$false
New-ClientAccessRule -Name "Limit PowerShell to Only Trusted IPs" -Action DenyAccess `
    -AnyOfProtocols RemotePowerShell -ExceptAnyOfClientIPAddressesOrRanges $IPs `
    -Priority 2 -Confirm:$false

# Rule 3: users whose CustomAttribute1 does not carry the marker are denied
# unless they connect from the trusted IPs
New-ClientAccessRule -Name "Restrict Exchange to Venn Private Company Gateway IPs" `
    -Action DenyAccess -Scope Users -ExceptAnyOfClientIPAddressesOrRanges $IPs `
    -UserRecipientFilter {CustomAttribute1 -ne 'PrivateCompanyGateway'} `
    -Priority 3 -Confirm:$false

# Rule 4: ActiveSync (mobile mail) remains allowed. Note that this rule reuses priority 3,
# so Exchange will renumber the rules; verify the final order with
# Get-ClientAccessRule | Sort-Object Priority
New-ClientAccessRule -Name "Allow ActiveSync" -Action AllowAccess `
    -AnyOfProtocols ExchangeActiveSync -Priority 3 -Confirm:$false

# Rule 5: every other protocol is denied outside the trusted IPs
New-ClientAccessRule -Name "Restrict Exchange to Trusted IPs" -Action DenyAccess `
    -AnyOfProtocols ExchangeAdminCenter,ExchangeWebServices,IMAP4,OfflineAddressBook,OutlookAnywhere,OutlookWebApp,POP3,PowerShellWebServices,RemotePowerShell,REST `
    -ExceptAnyOfClientIPAddressesOrRanges $IPs -Priority 4 -Confirm:$false
Microsoft has also been rolling out Continuous Access Evaluation (the CAE setting mentioned above), which lets a single policy govern both the initial authentication and the ongoing evaluation of the session's data streams.