This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 51%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
I have an app service that I want to close down to ALL public access. They can neither read nor write.
If you're apart of the companies Entra compliant devices I want to allow them to make inbound and outbound requests.
But at the same time I need to allow services from our virtual network to access the services.
E.g. I have a service Bus topic that delivers messages to my API (this should be allowed)
I have an Entra ID user that through an website that makes a GET request (this should be allowed)
There's an user that is NOT on a Entra compliant device that makes a GET request (this should NOT be allowed)
In short:
Is there a way to lock down our services, doesn't matter if they're API's, websites or what have you.
it's very important to me that they have to have MFA setup, in the same way that you can lock down teams to not allow you access unless you're on a compliant devices like so:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Mikkel Glerup (Marine Travel), Thanks for posting in Q&A. For the app service, maybe you can create Microsoft Entra registered application for the app service and add it to conditional access policy.
And configure "Require multifactor authentication" and "Require device to be marked as compliant" in conditional access policy under grant.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant
You can test to see if it can accomplish what you want.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Mikkel Glerup (Marine Travel), Hope the above information can help. If there's anything else we can help, feel free to let us know.