The company wants to restrict access to Office 365 in the following ways.
Apply these configurations to O365 in a simple fashion (e.g. from a centralized GUI, without having to log into the MSFT console).
The Acreto solution allows us to secure access to Office365/OneDrive using Microsoft Azure AD.
Acreto will provide the policy configurations to control the following:
To solve the described issue you will need:
Make sure that you have all the required elements before you start.
As a first step, you need to create a secure connection between the end user and Acreto. Use one of two possible solutions:
No matter which way you choose, after you connect to Acreto your external IP address should be masked by the Acreto gateway. This means that no Internet service or website will be able to see your real IP address. Acreto masks your IP with an address that you can find in the WEDGE panel: go to Allocated IP’s and find the Default Exit position. This is your Secured IP address.
Make this IP address the only address allowed to access Office365/OneDrive services in your organization.
Once you have secured your internet connection with Acreto, it’s time to create a security rule in Microsoft Azure Active Directory.
1. Log in to the Azure panel as a user with administrator rights and click on the Azure Active Directory icon:
2. Choose the “Security” option marked on the screen below.
3. Create a Named location: a named, defined IP address range that will be allowed to access Office365/OneDrive.
To do this, click on Named location in the side menu (marked as “1”) and then click on + New location (marked as “2”).
4. Fill in the new location form with a readable name, choose the options, and save:
5. Create a security rule to limit access to Office365/OneDrive.
Choose the Conditional Access option from the side menu and click on the **+ New policy** button.
The policy creation form is advanced and offers many options. In this scenario we will use the minimal set of options needed to get a working configuration.
That is the minimum configuration required to achieve the goal of this case.
6. Make sure that Enable policy is set to On.
This option is displayed in the bottom right part of the screen, and it determines whether the whole configuration is active.
If you can’t turn the rule on, it’s possible that you need to disable Security Defaults.
7. Double-check all rules and click on the save button.
To verify that the created access rules work, we run a two-part test:
In both tests, we will use a user account managed by Azure AD. This account is added to the created rule of conditional access.
In the first test, we check whether it is possible to log in to Office365 from an internet connection that is not secured with Acreto.
The login page should report that the user is not able to log in because they do not meet the criteria to access this resource. This means that the created security rule works.
In the second test, the user uses an Acreto-secured internet connection and tries to log in to office.com.
The login page works in a standard way and allows the user to access his account.
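The named location and Conditional Access policy from steps 3 to 7 can also be written as Microsoft Graph request bodies, which makes the rule reviewable outside the portal. The sketch below is an added example, not Acreto's or Microsoft's own code. It assumes a "block unless the sign-in comes from the named location" policy (the page's option list is not shown), uses a placeholder Secured IP and hypothetical function names, and models only the location condition for the two-part test.

```python
import ipaddress
import json

# Assumption: placeholder for the Default Exit address from the WEDGE panel
# (203.0.113.0/24 is a documentation range, not a real Acreto address).
SECURED_IP_CIDR = "203.0.113.10/32"

def named_location_body(display_name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (step 3-4)."""
    ranges = []
    for cidr in cidrs:
        # strict=True rejects malformed CIDRs and ranges with host bits set
        net = ipaddress.ip_network(cidr, strict=True)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name,
            "isTrusted": True,  # assumption: the form options are not shown on the page
            "ipRanges": ranges}

def block_policy_body(display_name, named_location_id, user_ids):
    """Body for POST /identity/conditionalAccess/policies (step 5-6)."""
    return {
        "displayName": display_name,
        "state": "enabled",  # Enable policy: On
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": ["Office365"]},
            # Applies everywhere except the named location, so only the
            # Secured IP escapes the block control below.
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def sign_in_allowed(source_ip, location_body):
    """Local model of the location condition only, for the two-part test."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"])
               for r in location_body["ipRanges"])

if __name__ == "__main__":
    loc = named_location_body("Acreto Default Exit", [SECURED_IP_CIDR])
    # Placeholders: the real IDs come from your tenant.
    pol = block_policy_body("O365 only via Acreto", "<named-location-id>", ["<user-object-id>"])
    print(json.dumps([loc, pol], indent=2))
    print(sign_in_allowed("198.51.100.7", loc))   # constructed unsecured address
    print(sign_in_allowed("203.0.113.10", loc))   # constructed Secured IP
```

Before enabling such a policy, confirm that at least one administrator account is excluded from it or can reach the tenant through the Secured IP, since a wrong range blocks every included user.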
Thanks to Acreto and Azure AD conditional access rules you can create advanced security solutions.