Microsoft Entra ID’s Conditional Access feature can be used to restrict access to Microsoft 365 applications.
Additionally, Conditional Access can be used to restrict access to any other third-party apps that use Entra as the Identity Provider. For example, if your users log in to Zoom with their Entra credentials, you can restrict access to Zoom using the Conditional Access feature.
Access for apps is evaluated continuously if Continuous Access Evaluation (CAE) is enabled.
License Requirements
Visit this Microsoft resource to learn more about license requirements.
In order to use the Microsoft Conditional Access feature, you must have one of the following:
- Microsoft Entra ID P1 (included with Microsoft 365 Business Premium or M365 E3 licenses)
- Microsoft Entra ID P2 (included with M365 E5 licenses)
Microsoft Entra ID Free does not include Conditional Access. Find out what Microsoft business product or licenses you have.
Microsoft Resources
- What is Conditional Access in Microsoft Entra ID?
- Conditional Access - Block access by location
- Building a Conditional Access policy
- Analyze Conditional Access policy impact
Approach
- Create an IP ranges location in Entra for your PCG IP addresses (instructions here).
- Create a Conditional Access policy in Entra that blocks Venn users from accessing the apps you want to restrict unless they are connecting from a PCG IP address (instructions here).
  - Select the users or group you want the policy to apply to.
  - Select the cloud apps you want to restrict access to.
  - Create a condition that excludes the location you defined in step 1.
  - Set the policy to block access by default.
  - Set the policy to “Report-only.”
- Once you have created the policy, check to make sure it works as intended before changing the policy to “On” (instructions here).
Warnings
- Exclude key admin tools like Microsoft Admin Portals and Apple Business Manager from the cloud apps that the policy is assigned to in order to avoid locking out administrators.
- If Entra is your Venn IdP, exclude Workplace_Workplace_US_<your company name> from the Target resources that the policy is assigned to in order to avoid blocking users from being able to log in to Venn’s Workplace app.
- If you are not using Venn’s MDM solution, apply this restriction only to the device platforms users run Venn on (Windows and/or Mac), not iOS or Android devices. You can add this condition under Conditions > Device platforms in the policy.
- Keep in mind that there may be use cases and exceptions that you are not aware of or there may be individuals at your organization who were not fully onboarded to Venn.
- Always enable the restrictions in “report-only” mode to test the restriction before blocking access.
- Always notify users before enabling restrictions in order to avoid disruption of business. Leverage the Access Lockdown email template in the Venn Rollout Toolkit to inform your users.
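The same policy that the Approach above builds in the Entra portal can be created through Microsoft Graph. The following is an added example (not Venn’s or Microsoft’s code) that assembles the two Graph request bodies, the named location and the Conditional Access policy, and then checks the policy against the Warnings above before it is submitted. The IP range, group ID and Workplace app ID are constructed placeholders; only the Graph field names and the "MicrosoftAdminPortals" identifier are real.

```python
# Added example: build the Graph bodies for the PCG named location and the
# block-outside-PCG Conditional Access policy, then lint the policy against the
# page's warnings. All IDs and IP ranges are constructed placeholders.
from typing import Any

PCG_CIDRS = ["203.0.113.0/24"]                               # placeholder: your PCG egress range(s)
VENN_USERS_GROUP = "00000000-0000-0000-0000-000000000001"  # placeholder: group used for Workplace access
WORKPLACE_APP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder: Workplace_Workplace_US_<company> app id
ADMIN_PORTALS = "MicrosoftAdminPortals"                      # Graph's built-in identifier for admin portals
REPORT_ONLY = "enabledForReportingButNotEnforced"


def named_location_body(cidrs: list[str]) -> dict[str, Any]:
    """Body for POST /identity/conditionalAccess/namedLocations (step 1 of the Approach)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Venn PCG IP addresses",
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c} for c in cidrs],
    }


def policy_body(location_id: str, apps: list[str]) -> dict[str, Any]:
    """Body for POST /identity/conditionalAccess/policies (step 2): block unless from the PCG location."""
    return {
        "displayName": "Block restricted apps outside Venn PCG",
        "state": REPORT_ONLY,                                  # test in report-only before switching to On
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [VENN_USERS_GROUP]},
            "applications": {"includeApplications": apps,
                             "excludeApplications": [ADMIN_PORTALS, WORKPLACE_APP_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
            "platforms": {"includePlatforms": ["windows", "macOS"]},  # no MDM: desktop platforms only
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: dict[str, Any], location_id: str) -> list[str]:
    """Return the warnings from this page that the policy violates; an empty list means safe to submit."""
    cond = policy["conditions"]
    excluded_apps = cond["applications"].get("excludeApplications", [])
    excluded_locs = cond.get("locations", {}).get("excludeLocations", [])
    problems = []
    if ADMIN_PORTALS not in excluded_apps:
        problems.append("admin portals not excluded: administrators could be locked out")
    if WORKPLACE_APP_ID not in excluded_apps:
        problems.append("Workplace app not excluded: users could not log in to Venn")
    if location_id not in excluded_locs:
        problems.append("PCG location not excluded: policy would block every sign-in")
    if policy["state"] != REPORT_ONLY:
        problems.append("policy is enforcing: run it in report-only mode first")
    return problems
```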
Tips
- If Entra is set up as your Venn IdP, consider assigning the policy to the same user group that you use to assign access to Venn’s Workplace app.
- Conditional Access can be used to restrict access to any third-party SAML apps that use Entra as the Identity Provider. Consider setting up Entra SSO for key business applications so that you can improve ease of access for your users and restrict access outside of Venn’s Blue Border (instructions here).
- Continuous Access Evaluation (CAE) in Entra ID enables near real-time enforcement of Conditional Access policies by reacting instantly to critical events like user revocation, password changes, or location risk changes. Check to confirm that this is turned on (instructions here).