0 Votes
ParamJadhao asked JorgeMartinezV-9470 commented

Can we restrict Azure portal (https://portal.azure.com/) access from the outside internet?

Can we restrict Azure portal (https://portal.azure.com/) access from the outside internet? I want to access it from a particular VM which I created from the same subscription.

azure-active-directory azure-dns

1 Vote
amanpreetsingh-msft answered JorgeMartinezV-9470 commented

Hello @ParamJadhao · Thank you for reaching out.

Yes, we can restrict access to Azure Portal by using a Conditional Access policy, which is a feature included with the Azure AD Premium P1 license.

Steps:

  • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Named locations > +New Location > Type a name and add the IP address that you want to allow Azure Portal access from. To add a specific IP, use a /32 CIDR value as shown below:
    [Image: 29287-image.png]

  • Navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > +New Policy > Configure the settings below:

      • Users and Groups: Select required users.

      • Cloud apps or actions: Select apps > Microsoft Azure Management.

      • Conditions: Locations > Include > Any location. Exclude > select the location created in the first step.

      • Grant: Block access

      • Enable policy > On > Click on the Create button.

This will block access to Azure Portal from Any location, except your custom location.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



@ParamJadhao · Have you had a chance to test it out? Feel free to tag me in your reply if you have any further questions.

0 Votes 0 ·

That's really great. It's working. Thank you so much for your help.

0 Votes 0 ·

Hi @ParamJadhao, I followed the same procedure which amanpreet has mentioned above. For me, users are blocked when trying to connect from public as well as from the particular VM which I mentioned.
Help me out with this.

0 Votes 0 ·

Take into consideration that this procedure will block the following services:
• Azure portal
• Azure Resource Manager provider
• Classic deployment model APIs
• Azure PowerShell
• Azure CLI
• Visual Studio subscriptions administrator portal
• Azure DevOps
• Azure Data Factory portal

0 Votes 0 ·
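
The two steps from amanpreetsingh-msft's answer above, written as Microsoft Graph request bodies; this is an added example, not part of the original thread. The function names, IP address, user ID and location ID are constructed placeholders, and `would_block` is a hypothetical local helper that models only the location condition, so the allowed range can be checked before the policy is turned on.

```python
import ipaddress

# Application ID of the "Microsoft Azure Management" cloud app in Conditional Access.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def named_location_body(name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (step 1)."""
    ranges = []
    for cidr in cidrs:
        # strict=True rejects entries with host bits set, e.g. 203.0.113.10/24.
        net = ipaddress.ip_network(cidr, strict=True)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": "#microsoft.graph." + kind,
                       "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": False, "ipRanges": ranges}


def block_policy_body(name, user_ids, allowed_location_id, state="enabled"):
    """Body for POST /identity/conditionalAccess/policies (step 2)."""
    return {
        "displayName": name,
        "state": state,  # "enabled" corresponds to Enable policy > On
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [allowed_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def would_block(location_body, public_ip):
    """True if a sign-in from public_ip falls outside the excluded location.

    The address compared is the public address the sign-in arrives from,
    not the VM's private virtual-network address.
    """
    ip = ipaddress.ip_address(public_ip)
    nets = (ipaddress.ip_network(r["cidrAddress"]) for r in location_body["ipRanges"])
    return not any(ip.version == n.version and ip in n for n in nets)


# Constructed sample values (documentation address range, placeholder IDs).
LOCATION = named_location_body("Admin VM", ["203.0.113.10/32"])
POLICY = block_policy_body("Block Azure management outside Admin VM",
                           ["<user-object-id>"], "<named-location-id>")
```
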
3 Votes
michev answered

By definition, being a public cloud offering, Azure is available from anywhere, any time. If you want to restrict access, you need to enforce this as part of the login process, by leveraging something like Conditional Access, or redirecting the auth process (federation) and imposing restrictions there.


0 Votes
CharlesTiu answered

Can you provide a link or guide on the "redirecting the auth process (federation) and imposing restrictions there" part?


0 Votes
GoyalDharmender-8185 answered

@amanpreetsingh-msft

Assuming that I use this feature to block portal access for a group called "Developers", will this feature also block CLI access? (Is it possible to allow CLI access but block access to portal.azure.com?)
