permission issue

Sree 1,971 Reputation points
2021-09-09T18:03:48.577+00:00

Conditional access issue


Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-09-10T17:01:05.737+00:00

    Hi @JustinMicheal-7973 • Thank you for reaching out.

    If I understood your requirement correctly, you want to allow a specific set of users to be able to access Azure Portal only from a particular IP Address. Correct me if I am wrong.

    If my understanding is correct, you don't need to create 2 policies for this purpose. You can configure the policy settings as mentioned below:

    1. Create a Named Location under Azure Active Directory > Security > Conditional Access > Named locations, e.g. Location1. For specific IP Address (not a subnet) use /32 CIDR.
    2. Create a conditional access policy with below conditions:
      a) Under Users and Groups > Add required users/groups.
      b) Under Cloud apps or actions > Add Microsoft Azure Management
      c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step 1)
      d) Under Access Control section > Grant > Block Access
      e) Enable Policy > On > Create.

    This policy will restrict the given set of users from accessing the Azure Portal from anywhere except Location1, which represents the IP address to be allowed.

    When you create 2 policies, where Policy1 allows access and Policy2 blocks access, both policies will be evaluated and the most restrictive one takes precedence. This means access will be blocked in that case.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-09-14T19:17:25.017+00:00

    Hi @JustinMicheal-7973 • I did test the scenario in my lab. As you correctly mentioned, we do require 2 policies to block these users from accessing other apps. Could you please confirm if you have configured the 2 policies as mentioned below:

    Policy1:
    a) Under Users and Groups > Add required users/groups.
    b) Under Cloud apps or actions > Add Microsoft Azure Management
    c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step 1)
    d) Under Access Control section > Grant > Block Access

    Policy2:
    a) Under Users and Groups > Add required users/groups.
    b) Under Cloud apps or actions > Include All Cloud Apps and Exclude Microsoft Azure Management
    c) Under Conditions > Locations > Include Any Location or leave it as Not configured.
    d) Under Access Control section > Grant > Block Access

    If this is how you have configured the policies and are still facing the issue, kindly share the correlation ID and timestamp (with time zone) from the sign-in activity when the policy with the exception gets applied and users' access is blocked.
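The two policies from the answer above, as an added example that is not part of the thread and not Microsoft's code: the Microsoft Graph `conditionalAccessPolicy` and `ipNamedLocation` request bodies a practitioner would POST, plus a simplified local model of how Conditional Access combines them (every applicable policy is evaluated, and any "block" wins). The group id, named-location id and sample address are constructed placeholders; the application id is the well-known id of "Microsoft Azure Management".

```python
# Added example (not from the thread): Graph request bodies for Policy1/Policy2 and a
# simplified local evaluator. Ids marked as placeholders are constructed for illustration.
AZURE_MANAGEMENT = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # well-known app id
ADMIN_GROUP = "00000000-0000-0000-0000-00000000aaaa"       # placeholder group id
LOCATION1 = "11111111-1111-1111-1111-111111111111"         # placeholder namedLocation id

# Named location (POST /identity/conditionalAccess/namedLocations); /32 means one address.
LOCATION1_BODY = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Location1",
    "isTrusted": False,
    "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                  "cidrAddress": "203.0.113.10/32"}],  # constructed sample address
}

def block_policy(name, apps, exclude_apps=(), exclude_locations=()):
    """Policy body: the admin group, the given apps, all locations minus exclusions, grant=block."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [ADMIN_GROUP]},
            "applications": {"includeApplications": list(apps),
                             "excludeApplications": list(exclude_apps)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(exclude_locations)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Policy1 blocks Azure Management everywhere except Location1; Policy2 blocks all other apps.
POLICY1 = block_policy("Policy1 - Azure Management outside Location1",
                       [AZURE_MANAGEMENT], exclude_locations=[LOCATION1])
POLICY2 = block_policy("Policy2 - all other apps", ["All"], exclude_apps=[AZURE_MANAGEMENT])

def _in_scope(value, include, exclude):
    """Included means 'All' or listed explicitly; an explicit exclusion always wins."""
    return ("All" in include or value in include) and value not in exclude

def applies(p, group, app, location):
    """True when the enabled policy's user, app and location conditions all match the sign-in."""
    c = p["conditions"]
    return (p["state"] == "enabled"
            and _in_scope(group, c["users"]["includeGroups"], c["users"].get("excludeGroups", []))
            and _in_scope(app, c["applications"]["includeApplications"],
                          c["applications"].get("excludeApplications", []))
            and _in_scope(location, c["locations"]["includeLocations"],
                          c["locations"].get("excludeLocations", [])))

def is_blocked(policies, group, app, location):
    """Simplified evaluation: any applicable policy carrying the built-in 'block' control blocks."""
    return any("block" in p["grantControls"]["builtInControls"]
               for p in policies if applies(p, group, app, location))
```

Pass `None` as the location for a sign-in that matches no named location; the model does not cover device, risk or client-app conditions.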