admin workstation for access

Question

admin workstation for access

Vivak Hangloo 91

we need to controll admin access for our azure/O365 portal from only a couple of machines ono our network . (like admin terminal servers)

Q: How can be block access to Admin portals for our O365/Azure from everywhere else and only allow from this admin terminal server

Q:What IP's and URL does the admin Terminal server need access to manage using powershell and portals
We do not allow full internet access to the admin terminal server so have to specify which IP's and URL they need to access to manage all MS 365 and Azure services.

1 answer

Your answer

Answer 1

Hello @Vivak Hangloo · Thank you for reaching out. Please find my response inline.

Q: How can be block access to Admin portals for our O365/Azure from everywhere else and only allow from this admin terminal server?

Yes, we can restrict access to Azure Portal only from specific server/servers by using Condition Access Policy, which is a feature included with Azure AD Premium P1 License.

Steps:

Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Named locations > +New Location > Type a name and add IP address that you want to allow Azure Portal access from. To add a specific IP use /32 CIDR value as shown below:
Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > +New Policy > Configure below settings:
Users and Groups : Select required users.
Cloud apps or actions : Select apps > Microsoft Azure Management.
Conditions : Locations > Include > Any location. Exclude > select the location created in first step,.
Grant : Block access
Enable policy > On > Click on Create button.

This will block access to Azure Portal from Any location, except your custom location.

Q: What IP's and URL does the admin Terminal server need access to manage using PowerShell and portals?

The required IP Ranges and Ports to access O365 and Azure are documented here: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Vivak Hangloo 91 Reputation points

2020-10-20T06:52:11.16+00:00

Looks good thanks Aman.
However the admin station will use our proxy solution which will always have same IP address when it hits conditional access policy

If i use this as Trusted IP , any other workstation that uses our proxy will still be able to access the Portal.

i mean for COnditional Access the IP with whic any of our system will show as source will be the IP of the Proxy .

We do not have a dedicated public IP for the terminal admins station .
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-10-28T08:45:02.247+00:00

Hi @Vivak Hangloo · In that case Conditional Access won't help. You may consider configuring your proxy or firewall to whitelist the URLs specified here only for Admin station.

Share via

admin workstation for access

1 answer

Your answer