Restrict access with trusted IP rules

Applies to Dynamics 365 for Customer Engagement apps version 9.x

You can limit access to Customer Engagement apps to users signing in from trusted IP addresses, reducing the risk of unauthorized access. When trusted IP address restrictions are set in a user's profile and the user tries to sign in from an untrusted IP address, access to Customer Engagement apps is blocked.

Requirements

  • A subscription to Azure Active Directory Premium.

  • A federated or managed Azure Active Directory tenant.

  • Federated tenants require that multi-factor authentication (MFA) be enabled.

Additional security considerations

IP restriction is enforced only during user authentication, by the Azure Active Directory Conditional Access capability. Customer Engagement apps set a session timeout limit to balance protecting user data against how often users are prompted for their sign-in credentials. As a result, the trusted IP restriction for devices (including laptops) is not applied again until the Customer Engagement apps session timeout expires.

For example, suppose a trusted IP restriction is set up to allow access to Customer Engagement apps only when users are working from a corporate office. When a user signs in to Customer Engagement apps from their laptop at the office and establishes a session, that user can continue to access Customer Engagement apps after leaving the office until the session timeout expires. This behavior also applies to mobile and offsite connections such as Dynamics 365 for Customer Engagement apps for phones and tablets, and Dynamics 365 App for Outlook.

Create security group (optional)

You can restrict access for all users or for groups of users. Restricting by group is more efficient if only a subset of your Azure Active Directory (AAD) users access Customer Engagement apps.

  1. Sign in to your Azure portal.

  2. Click Browse > Active Directory, and then select your Customer Engagement apps directory.

  3. Click Groups > Add Group, and then fill in the settings to create a new group.

    Create a security group

  4. Click the group you created and add members.

    Add members to a restricted group

Create a location based access rule

Access restriction is set using Azure Active Directory (AD) Conditional Access. See Getting started with conditional access to Azure AD. You control Conditional Access through an access rule.

Note

Setting Conditional Access is only available with an Azure Active Directory Premium license. Upgrade your Azure AD to a Premium license in the Office 365 admin center (https://portal.office.com > Billing > Purchase services).

  1. Sign in to your Azure portal.

  2. Click Browse > Active Directory, and then select your Customer Engagement apps directory.

  3. Click Applications, and then click the Dynamics 365 Online web application.

    Select the Dynamics 365 for Customer Engagement apps (online) web app

  4. Click Configure.

    Configure Active Directory properties for Dynamics 365 for Customer Engagement apps (online) instance

  5. Set the following on the Properties page:

    1. Set Enable Access Rule to On.

    2. Optional: Set Apply to to Groups.

    3. Optional: Click Add Group to select a group.

    4. Set Rules to Block access when not at work.

      Set rule to Block access when not at work

    5. Click Save > OK.

    6. Click the Click here to define/edit your work network location link.

      Define or edit your work network location

  6. Enter trusted IP addresses (using CIDR notation).

    Enter trusted IP addresses

  7. Click Save.
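As an added example (not part of the Microsoft documentation), the following Python simulation models the rule configured in the steps above: it validates the CIDR list before it is entered in step 6, checks whether a sign-in source address falls inside the trusted ranges, and replays a constructed sign-in trace to show the caveat from Additional security considerations, namely that an established session outlives the user leaving the trusted network until the session timeout expires. The address ranges, the session timeout value and the trace are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed for illustration: office egress ranges as entered in CIDR notation
# (step 6) and an assumed session timeout (the real one is fixed by the app).
TRUSTED_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]
SESSION_TIMEOUT = timedelta(hours=8)

def invalid_entries(cidrs):
    """Return entries that are not valid CIDR networks. strict=True rejects a
    prefix with host bits set (e.g. 203.0.113.5/24), a common typo in lists."""
    bad = []
    for entry in cidrs:
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            bad.append(entry)
    return bad

def is_trusted(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def replay(events, cidrs=TRUSTED_CIDRS, timeout=SESSION_TIMEOUT):
    """Replay (time, user, ip, kind) events, kind "auth" or "request", returning
    (time, user, ip, decision). The trusted-IP check runs only on "auth",
    mirroring "Block access when not at work"; a "request" is served while the
    user's session is live, even from an untrusted IP, until the timeout."""
    expiry = {}  # user -> datetime at which the current session expires
    decisions = []
    for when, user, ip, kind in events:
        if kind == "auth":
            allowed = is_trusted(ip, cidrs)
            if allowed:
                expiry[user] = when + timeout
            decisions.append((when, user, ip, "allow" if allowed else "block"))
        else:
            live = user in expiry and when < expiry[user]
            decisions.append((when, user, ip, "allow" if live else "reauth-required"))
    return decisions

# Constructed sign-in trace: alice authenticates at the office, keeps working
# after leaving, and is blocked only once the session has expired.
EVENTS = [
    (datetime(2019, 3, 1, 9, 0), "alice", "203.0.113.7", "auth"),
    (datetime(2019, 3, 1, 12, 0), "alice", "198.51.100.9", "request"),
    (datetime(2019, 3, 1, 18, 0), "alice", "198.51.100.9", "request"),
    (datetime(2019, 3, 1, 18, 5), "alice", "198.51.100.9", "auth"),
    (datetime(2019, 3, 1, 18, 10), "bob", "2001:db8:10::1", "auth"),
]
```

Running replay(EVENTS) yields allow, allow, reauth-required, block, allow: the 12:00 request from outside the office is still served because the session is live, and the untrusted address is refused only at the next authentication.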

See also

How to set Azure Active Directory device-based conditional access policy for access control to Azure Active Directory connected applications