Summary
We are committed to upholding high security standards in our Security Service, and keeping your data protected at all times is our top priority.
To achieve this, the product has multi-layered security controls built in.
These include, but are not limited to, restricted access to login credentials and to the reporting environment, so that only authorized personnel can reach sensitive information.
As a further hardening step, we recommend that you also limit, on your side, where our service accounts can be used, following the principle of least privilege.
Together, these measures reduce the exposure of your tenant if a credential is ever leaked.
Concretely, we recommend restricting the application (experience4you-M365Benchmark-app) and the service user (experience4you-M365Benchmark) to our outbound IP 4.185.138.213 (referred to below as the ESB outbound IP).
This ensures that sign-ins with these identities are only possible from our secured ESB environment; a sign-in attempt from any other address is blocked.
Prerequisites
Required Permissions
To create Conditional Access policies you must hold one of the following roles in Microsoft Entra:
- Global Administrator
- Security Administrator
- Conditional Access Administrator
ESB environment outbound IP
The experience4you ESB environment outbound IP is: 4.185.138.213
Add Named Location
Add Named Location using PowerShell
Required module: the AzureAD module originally referenced here has been deprecated by Microsoft; use the Microsoft Graph PowerShell SDK (Microsoft.Graph module) instead.
Add Named Location using GUI
Conditional Access - Microsoft Azure
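The following script is an added example and not part of the original article or of the experience4you product. It creates the named location for the ESB outbound IP with the Microsoft Graph PowerShell SDK (the retired AzureAD module is not used). The location name is an assumption; the IP is the one given above. It assumes the Microsoft.Graph module is installed and that the signed-in account holds one of the roles listed under Required Permissions.

```powershell
# Added example (not from the original article): create the ESB named location
# with the Microsoft Graph PowerShell SDK. Assumed: Microsoft.Graph module installed,
# signed-in account has a role that may write Conditional Access configuration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$locationName = "ESB-experience4you-outbound"   # assumed name; choose your own naming convention
$esbIp        = "4.185.138.213"                 # ESB outbound IP from this article

$body = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = $locationName
    # Leave untrusted: "trusted" would also let this IP satisfy other policies
    # (for example MFA exemptions for trusted locations), which is not wanted here.
    isTrusted     = $false
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "$esbIp/32"   # a single host; keep the range as tight as possible
        }
    )
}

# Idempotent: reuse the location if one with this name already exists.
$existing = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$locationName'"
if ($existing) {
    $location = $existing
} else {
    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
}
"Named location '$($location.DisplayName)' has id $($location.Id)"
```

The location is deliberately created with isTrusted set to false: a trusted location is honoured by every other Conditional Access policy in the tenant (for example MFA exemptions), which is broader than this article intends. The only thing the block policies below need is the location's object id.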
Create Conditional Access Policies
Creating the Conditional Access policy with PowerShell is possible but more involved, therefore only the portal ("GUI") way is described below.
Conditional Access - Microsoft Azure
Restrict Service-User login to ESB environment
This chapter describes how to restrict the Service-User Account to be used only from the ESB environment.
Recommended Policy Name: ESB-Service-User-restriction
Under Users, include the service user experience4you-M365Benchmark.
We strongly recommend excluding the break-glass accounts from ALL Conditional Access policies, especially from policies that block access, regardless of whether they would be affected.
Under Target resources, select all cloud apps.
Under Locations, include any location and exclude the ESB named location configured above.
Under Grant, choose Block access: every sign-in that is not excluded is blocked.
Enable the policy for it to take effect. If you are unsure, enable it in report-only mode first and check the sign-in logs before switching it to On.
Please double-check the policy before enabling it so that you do not lock yourself out.
Conclusion:
Block access combined with the settings above means:
Whenever the service user experience4you-M365Benchmark signs in to any cloud app, access is blocked unless the sign-in comes from the IP excluded in the policy.
Restrict App-Usage to ESB environment
This chapter describes how to restrict the Application Account to be used only from the ESB environment (no matter what user tries to use it).
Recommended Policy Name: ESB-App-restriction
Under Users, assign the policy to all users.
We strongly recommend excluding the break-glass accounts from ALL Conditional Access policies, especially from policies that block access, regardless of whether they would be affected.
Under Target resources, select the experience4you-M365Benchmark-app application.
Under Locations, include any location and exclude the ESB named location configured above.
Under Grant, choose Block access: every sign-in that is not excluded is blocked.
Enable the policy for it to take effect. If you are unsure, enable it in report-only mode first and check the sign-in logs before switching it to On.
Please double-check the policy before enabling it so that you do not lock yourself out.
Conclusion:
Block access combined with the settings above means:
Whenever any user tries to access the experience4you-M365Benchmark-app application, access is blocked unless the sign-in comes from the IP excluded in the policy.
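The two policies from the sections above (ESB-Service-User-restriction and ESB-App-restriction), created with the Microsoft Graph PowerShell SDK as an added example; this is not code from the original article or from experience4you. Assumptions: the ESB named location already exists under the name used in the script, the break-glass accounts are given by UPN (the addresses shown are placeholders), and the signed-in account holds one of the roles listed under Required Permissions. The policies are created in report-only mode so that the sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the original article): create both block policies with the
# Microsoft Graph PowerShell SDK. Assumed: named location exists, break-glass UPNs are
# replaced with your own, signed-in account may write Conditional Access configuration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","User.Read.All" -NoWelcome

$locationName  = "ESB-experience4you-outbound"       # assumed named-location name
$serviceUser   = "experience4you-M365Benchmark"      # service user from the article
$appName       = "experience4you-M365Benchmark-app"  # application from the article
$breakGlassUpn = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders

# Conditional Access references users by object id and applications by their
# application (client) id, so resolve every name first.
$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$locationName'"
$user     = Get-MgUser -Filter "displayName eq '$serviceUser'"
$app      = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$breakGlassIds = @($breakGlassUpn | ForEach-Object { (Get-MgUser -UserId $_).Id })

# Refuse to create a blocking policy on top of an unresolved reference: a policy with an
# empty exclusion list would block the break-glass accounts as well.
if (-not ($location -and $user -and $app) -or $breakGlassIds.Count -ne $breakGlassUpn.Count) {
    throw "Named location, service user, application or a break-glass account was not found."
}

# Shared building blocks: any location except the ESB IP, and Block access.
$locations = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
$block     = @{ operator = "OR"; builtInControls = @("block") }
$state     = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing the sign-in logs

# Policy 1: the service user may sign in to any app only from the ESB IP.
$userPolicy = @{
    displayName   = "ESB-Service-User-restriction"
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @($user.Id); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
        locations    = $locations
    }
    grantControls = $block
}

# Policy 2: no user except break-glass may use the app from outside the ESB IP.
$appPolicy = @{
    displayName   = "ESB-App-restriction"
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @($app.AppId) }
        locations    = $locations
    }
    grantControls = $block
}

foreach ($p in @($userPolicy, $appPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}
```

After the report-only period, review the sign-in logs for both policies: every entry whose result would have been "Failure" and whose IP is not 4.185.138.213 is exactly the traffic that will be blocked once the state is switched to enabled. Note that these policies evaluate interactive and non-interactive user sign-ins; if the application also obtains tokens with its own credentials (client credentials flow, no user involved), that request is not covered by a user-scoped policy and needs a separate Conditional Access policy for workload identities.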