Microsoft Graph: Restrict Access Using Conditional Access Policy

In this post we will be going through setting up a conditional access policy to allow connection’s to a Microsoft App Registration that will be used for calling Microsoft GraphAPI from only certain countries / public IP’s.

Microsoft has a preview feature in Conditional Access for workload identities. A workload identity is an identity which allows an application or service principal access to resources.

When an App Registration is created, it will create a service principal. This service principal is what we will use in the conditional access policy.

First we need to create the named location to define where we want to allow the access from.

To create a named location go to endpoint management admin page.

https://endpoint.microsoft.com/

Go to Endpoint security > Conditional access.

MEM Admin Page

Once in Conditional access, go to Named location and add the required countries locations and or IP ranges.

Named locations

To add as single IP use /32 bit subnet mask.

IP range

Once we have the named locations we can create the Conditional access policy.

Go to the policies tab and click on new policy.

Policies page

Give the policy a name and set the assignment to workload identities.

Conditional access policy

Next select the service principal for the Graph App registration.

Users or workload selection

Next on Cloud apps or actions select, All cloud apps

Cloud apps or actions selection

Next we need to specify which location will be included, which we set to any location as we will use the exclude to allow access from the named location we will connect from.

Conditions selection

Next select the location that will be excluded from the policy in my case it will be the public IP we added earlier to the named location.

Excluded Locations

Next we set the access, I will be blocking access as I only want to allow access from the one public IP we specified in the excluded location.

Access selection

With any conditional access policy I would recommend setting the policy to Report-only to confirm that only the access that we excepted to be blocked is.

Policy settings enabled section

To check if the policy is applying correctly against the service principal we can check the sign-in logs.

First connect using Graph query and then go to sign-in logs.

MEM Admin Blade

Select service principal sign-ins.

Sign-in logs

Click on the request ID and look at the Report-only tab to see if the access would have been blocked or allowed.

Sign-in logs

Once we confirm that the policy is applying the correct access, the conditional access can be set to on.

Now once we try to connect from an IP or location not on the excluded list, it will be blocked from accessing.

Graph Connection

When we connect from an allowed location we will get back the access token and be allow to connect.

Graph Connection Token

When creating App registration we should look at access controls for these as this can be over looked and lead to a security risk, most application do not need access from any location and should be limited to only the require location or IP address to give greater access control.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s