How to apply Entra Conditional Access Workload Identities for a 3rd party Enterprise Application?

Steven Nijhof 20 Reputation points
2024-01-19T07:33:59.5333333+00:00

We use various 3rd party SaaS applications that require an Enterprise Application in our Azure environment to integrate via applications such as EXO.

In order to limit the risk for this Enterprise Application we would like to limit the use of the Application ID and secret to only the IP addresses of the 3rd party. Our idea would be to create a Conditional Access policy and filter on this Enterprise Application only using Workload Identities. However, within the Workload Identities filter you can only select custom-made Enterprise Applications. You cannot select Enterprise Applications published by a vendor as selected from the Microsoft Entra Gallery or in our case, deployed via the 3rd party app.

Until now we have not figured out how we can do this using Conditional Access policies. Is there a way to make this work? If not via Conditional Access policies, do you have any other suggestions?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Navya 19,795 Reputation points Microsoft External Staff Moderator
    2024-01-19T12:42:54.64+00:00

    Hi @Steven Nijhof
    Thank you for posting this in Microsoft Q&A.
    You are right, unfortunately workload identities are not supported for third-party SaaS and multi-tenant applications. One possible solution to this issue is to use Azure AD Application Proxy to publish the Enterprise Application to the internet. Azure AD Application Proxy allows you to securely publish internal web applications to the internet, without the need for a VPN or other complex network configuration.
    Once the Enterprise Application is published using Azure AD Application Proxy, you can create a Conditional Access policy that filters on the Application Proxy connector IP addresses. This will limit access to the Enterprise Application to only those IP addresses that are associated with the Application Proxy connector.
    For your reference: Application proxy
    Integrate with Defender for cloud apps : https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security
    Hope this helps. Do let us know if you have any further queries.
    Thanks,
    Navya.
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator
    2024-01-19T12:19:16.7733333+00:00

    Configuring IP-based restrictions for third-party SaaS applications integrating with your Azure environment through Enterprise Applications can indeed be a challenging task, especially if those applications are selected from the Microsoft Entra Gallery or deployed via the third-party app and do not support the direct application of Conditional Access policies based on Workload Identities. Here are some approaches you might consider:

    1. Conditional Access Based on Named Locations:
      • If Conditional Access policies cannot be directly applied to the third-party Enterprise Applications, consider using Named Locations in Azure AD.
      • You can define the IP ranges of the third-party SaaS applications as Named Locations.
      • Then, create a Conditional Access policy that applies to all users but is scoped to these Named Locations. This policy would only allow access to the specified Enterprise Applications when the request comes from the defined IP ranges.
    2. Application Proxy with IP Restrictions:
      • If the third-party SaaS applications support integration through Azure AD Application Proxy, you can configure IP restrictions at the Application Proxy level.
      • This method allows you to restrict access to the application based on the source IP address.
    3. Using Azure Firewall or Network Security Groups (NSGs):
      • If your Azure environment is set up with a network layer that can control inbound and outbound traffic, you can configure Azure Firewall or NSGs to only allow traffic to the relevant Azure service endpoints from specific IP addresses.
    4. Custom Enterprise Application:
      • If the vendor's Enterprise Application doesn't support the necessary Conditional Access configuration, you might consider creating a custom Enterprise Application.
      • The custom Enterprise Application can be configured with the required IP restrictions and then integrated with the third-party service.
    5. Vendor-Specific Configuration:
      • Check if the third-party SaaS vendor provides any native options for IP whitelisting or similar security controls within their application or integration settings.
    6. Azure AD B2B:
      • For scenarios involving external users or services, consider using Azure AD B2B to manage and secure external access. This might provide more granular control over how external entities interact with your Azure environment.
    7. Consult with the Vendor:
      • Reach out to the third-party SaaS vendor for recommendations or best practices on how to securely integrate their application with Azure AD, particularly focusing on IP restrictions.

    Remember, while configuring these security measures, it's important to thoroughly test the access controls to ensure they work as intended without disrupting the normal operation of the applications.

    If you find this advice helpful, please consider accepting this answer. If you have further questions or need more specific guidance, feel free to ask.

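As an added illustration of options 1 and 4 above (this is example code, not code from the thread or from Microsoft), the Microsoft Graph PowerShell below creates a Named Location for the vendor's IP range and a report-only Conditional Access policy that blocks a single-tenant service principal from every other location. It assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess permission; the service principal object ID and the CIDR range are placeholders.

```powershell
# Added example: builds a workload-identity Conditional Access policy with
# Microsoft Graph PowerShell. Assumptions (not from the thread): the
# Microsoft.Graph module is installed and the caller holds the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the service principal of a single-tenant (custom)
# Enterprise Application. Gallery / multi-tenant apps cannot be selected here,
# which is the limitation the thread describes.
$servicePrincipalId = "00000000-0000-0000-0000-000000000000"

# Placeholder: the vendor's egress range(s); constructed value for illustration.
$vendorCidrs = @("203.0.113.0/24")

# 1. Named Location holding the vendor's IP ranges (not marked as trusted).
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Vendor egress IPs"
    isTrusted     = $false
    ipRanges      = @($vendorCidrs | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: block this service principal from every location except the
#    Named Location above. Created in report-only mode so sign-in logs can be
#    reviewed before enforcement.
$policyBody = @{
    displayName   = "Block vendor SP outside vendor IPs"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes     = @("all")
        applications       = @{ includeApplications = @("All") }
        clientApplications = @{ includeServicePrincipals = @($servicePrincipalId) }
        locations          = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
```

Switch `state` to `enabled` only after the report-only sign-in logs show that just the vendor's requests match the policy.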
