Only allow Entra ID devices to make inbound and outbound requests

Mikkel Glerup (Marine Travel) 0 Reputation points

I have an app service that I want to close down to ALL public access. They can neither read nor write.

If you're apart of the companies Entra compliant devices I want to allow them to make inbound and outbound requests.
But at the same time I need to allow services from our virtual network to access the services.
E.g. I have a service Bus topic that delivers messages to my API (this should be allowed)
I have an Entra ID user that through an website that makes a GET request (this should be allowed)
There's an user that is NOT on a Entra compliant device that makes a GET request (this should NOT be allowed)

In short:
Is there a way to lock down our services, doesn't matter if they're API's, websites or what have you.
it's very important to me that they have to have MFA setup, in the same way that you can lock down teams to not allow you access unless you're on a compliant devices like so:100752649-2240ca00-33e9-11eb-9f30-0ab2ebb2c0e0

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
367 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,208 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,185 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Crystal-MSFT 45,251 Reputation points Microsoft Vendor

    @Mikkel Glerup (Marine Travel), Thanks for posting in Q&A. For the app service, maybe you can create Microsoft Entra registered application for the app service and add it to conditional access policy.

    And configure "Require multifactor authentication" and "Require device to be marked as compliant" in conditional access policy under grant.

    You can test to see if it can accomplish what you want.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.