Nicolasvde-3263 asked ChaitanyaNaykodiMSFT-9638 commented

Azure VPN gateway + conditional access to grant access to OneDrive/SharePoint, Teams, O365 Portal

Hello,

We are using conditional access to limit access to Office 365 only from the public IP addresses from our office.
By office 365, I mean Exchange Online, OneDrive / SharePoint, Teams.

With a trusted location based on the public IP address of our office it works very well.

I know this is not recommended by Microsoft, but we would like to set up a VPN that allows users to still connect when they are at home or traveling.

We tested this with a provider like Nord VPN and a dedicated server with a fixed public IP.
It also works well.

But we would like to stay in the Microsoft universe.

So, we set up an Azure gateway to do P2S connection.
With this, when we are connected to the VPN, our public IP does not change, and the conditional access based on public IP does not work.

Either:
- what we want to do can't work with Azure VPN
- can you tell me how to configure the gateway so that the public IP of the client who connects to the Azure VPN changes so that we can base our access on it?
- can you give me another way to configure the conditional access not based on the IP but on the fact that the vpn client is connected?


Thanks in advance


Hello @Nicolasvde-3263, welcome to the Microsoft Q&A forum.
You can set up Conditional Access on Azure VPN as a Multi-Factor Authentication (MFA) requirement, so the user is verified at the VPN itself and there won't be any need to use Conditional Access on your Office 365 resources. You can follow this documentation for additional details on implementation.
Please let me know if this is not a viable solution for you. It will also help if you could elaborate more on your set-up and what the user flow is when they connect to Azure VPN. Thank you!



Nicolasvde-3263 replied to ChaitanyaNaykodiMSFT-9638:

Hello,
Thank you for your answer.
Following your example, the user will have to use MFA to connect to Azure VPN.
That's fine, but setting up MFA on Azure VPN client does not block access to our O365 resources if Azure VPN client is not connected.
Or maybe I didn't understand correctly?
Thank you.




Hello @Nicolasvde-3263, your understanding is correct; my solution above will not block access to your O365 resources unless they are connected via VPN.
This scenario will not work with P2S VPN alone, as it does not support NAT.
I spoke with my colleagues regarding this issue, and they suggested another approach. You could set the Conditional Access policy to use your organization's local intranet via trusted IPs instead of a trusted location based on the public IP address. In this case, when users log in through your organization's local intranet they can skip MFA, but when users log in via VPN they will have to perform MFA in order to gain access.
Note: The trusted IPs can include private IP ranges only when you use MFA Server. You cannot use cloud-based Azure AD Multi-Factor Authentication with private IP addresses.
Hope this helps! Please let me know if you have any questions. Thank you!



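To make the difference between the two policies in this thread concrete (the original "trusted location, block everything else" policy versus the suggested "skip MFA on trusted IPs, require MFA elsewhere" policy), here is a small model of the sign-in evaluation, written as an added example for this page. It is not code from the thread or from any Microsoft product. The office IP ranges are constructed RFC 5737 documentation addresses, and the egress-IP model assumes exactly what the thread states: an Azure P2S tunnel without NAT leaves the client's public IP unchanged, while a full-tunnel VPN with a fixed egress address (the dedicated-server setup the asker tested) substitutes its own IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample "named location": the office's public IP ranges.
# RFC 5737 documentation ranges, not real addresses.
OFFICE_TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.10/32"]


@dataclass
class SignIn:
    user: str
    source_ip: str  # the public IP the identity service observes for this sign-in


def in_named_location(ip: str, ranges: Iterable[str]) -> bool:
    """True if the observed source IP falls inside any CIDR of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def observed_egress_ip(client_public_ip: str, vpn_connected: bool,
                       vpn_nat_egress: Optional[str] = None) -> str:
    """Model of which IP a cloud service sees for the client.

    Assumption from the thread: an Azure P2S tunnel does not NAT internet-bound
    traffic, so the client's own public IP is still what Conditional Access sees
    (vpn_nat_egress is None).  A full-tunnel VPN that NATs behind a fixed public
    address (the tested dedicated-server setup) replaces it with that address.
    """
    if vpn_connected and vpn_nat_egress:
        return vpn_nat_egress
    return client_public_ip


def evaluate(signin: SignIn, ranges: Iterable[str], mode: str) -> str:
    """Decide the policy outcome for one sign-in.

    mode == "block_outside":  original policy, grant only from the trusted location.
    mode == "mfa_outside":    suggested policy, skip MFA inside, require MFA elsewhere.
    """
    if mode not in ("block_outside", "mfa_outside"):
        raise ValueError(f"unknown mode {mode!r}")
    if in_named_location(signin.source_ip, ranges):
        return "grant"
    return "block" if mode == "block_outside" else "grant_require_mfa"


def run_scenarios() -> dict:
    """Walk the situations described in the thread and return each outcome."""
    home_ip = "192.0.2.7"          # constructed home/public IP of a remote user
    nat_vpn_ip = "198.51.100.10"   # constructed fixed egress IP of a NAT-ing VPN server
    results = {}
    # In the office: trusted under both policies.
    results["office"] = evaluate(SignIn("alice", "203.0.113.42"),
                                 OFFICE_TRUSTED_RANGES, "block_outside")
    # At home on Azure P2S (no NAT): the observed IP is still the home IP.
    p2s_ip = observed_egress_ip(home_ip, vpn_connected=True)
    results["home_p2s_block_policy"] = evaluate(SignIn("bob", p2s_ip),
                                                OFFICE_TRUSTED_RANGES, "block_outside")
    results["home_p2s_mfa_policy"] = evaluate(SignIn("bob", p2s_ip),
                                              OFFICE_TRUSTED_RANGES, "mfa_outside")
    # At home on a NAT-ing full-tunnel VPN whose egress IP is in the trusted range.
    nat_ip = observed_egress_ip(home_ip, vpn_connected=True, vpn_nat_egress=nat_vpn_ip)
    results["home_nat_vpn_block_policy"] = evaluate(SignIn("bob", nat_ip),
                                                    OFFICE_TRUSTED_RANGES, "block_outside")
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:28s} -> {outcome}")
```

Running the block prints one line per scenario: the office sign-in is granted, the P2S sign-in from home is blocked under the original policy and gets an MFA prompt under the suggested one, and only a VPN that NATs behind a trusted egress address satisfies the location check. The point of the model is the `observed_egress_ip` step: a location-based policy can only key on the address the service sees, so a tunnel that leaves that address unchanged cannot satisfy it.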
