
permission issue

Sree 1,971 Reputation points
2021-09-09T18:03:48.577+00:00

Conditional access issue

Outlook | Windows | Classic Outlook for Windows | For business
Exchange | Exchange Server | Management



Answer accepted by question author

AmanpreetSingh-MSFT 56,971 Reputation points Moderator
2021-09-10T17:01:05.737+00:00

Hi @JustinMicheal-7973 • Thank you for reaching out.

If I understood your requirement correctly, you want to allow a specific set of users to be able to access Azure Portal only from a particular IP Address. Correct me if I am wrong.

If my understanding is correct, you don't need to create 2 Policies for this purpose. You can configure the policy settings as mentioned below:

  1. Create a Named Location under Azure Active Directory > Security > Conditional Access > Named locations, e.g. Location1. For specific IP Address (not a subnet) use /32 CIDR.
  2. Create a conditional access policy with below conditions:
    a) Under Users and Groups > Add required users/groups.
    b) Under Cloud apps or actions > Add Microsoft Azure Management
    c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step 1)
    d) Under Access Control section > Grant > Block Access
    e) Enable Policy > On > Create.

This policy will restrict the given set of users from accessing the Azure Portal from anywhere except Location1, which represents the IP address to be allowed.

When you create 2 policies, where Policy1 allows access and Policy2 blocks access, both policies will be evaluated and the most restrictive one takes precedence, which means access will be blocked in that case.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

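The named location and single block policy from the accepted answer, scripted with Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft; the IP address, group name and break-glass account are placeholders to replace, and the application ID used for "Microsoft Azure Management" should be verified against the cloud-app picker in your own tenant before you rely on it.

```powershell
# Added example: create "Location1" and the block policy from the accepted answer.
# Requires the Microsoft.Graph modules (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

$AllowedIp     = "203.0.113.10/32"                       # assumption: the single permitted egress IP (/32 = one host)
$GroupName     = "Azure-Portal-Restricted"               # assumption: group containing the restricted users
$BreakGlassUpn = "breakglass@contoso.onmicrosoft.com"    # assumption: emergency-access account, excluded so it is never locked out

# Application ID that Conditional Access uses for "Microsoft Azure Management"
# (the first-party "Windows Azure Service Management API" app). Verify in your tenant.
$AzureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found" }
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$BreakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account '$BreakGlassUpn' not found" }

# Step 1: named location containing exactly one IPv4 /32 range
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Location1"
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $AllowedIp }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2: one policy: block Azure Management for the group from every location except Location1.
# Created in report-only mode so the effect can be checked in the sign-in logs before enforcing.
$policyBody = @{
    displayName = "Block Azure portal except from Location1"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($AzureManagementAppId)
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

"Named location {0} created; policy {1} created in state '{2}'" -f $location.Id, $policy.Id, $policy.State
```

Once report-only sign-ins show the expected result (blocked from other IPs, not applied from Location1), switch the policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }`. Keep the break-glass exclusion: a block policy on Microsoft Azure Management that matches the administrator running it, from an IP other than Location1, locks that administrator out of the portal as well.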


1 additional answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,971 Reputation points Moderator
    2021-09-14T19:17:25.017+00:00

    Hi @JustinMicheal-7973 • I did test the scenario in my lab. As you correctly mentioned, we do require 2 policies to block these users from accessing other apps. Could you please confirm if you have configured the 2 policies as mentioned below:

    Policy1:
    a) Under Users and Groups > Add required users/groups.
    b) Under Cloud apps or actions > Add Microsoft Azure Management
    c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step1)
    d) Under Access Control section > Grant > Block Access

    Policy2:
    a) Under Users and Groups > Add required users/groups.
    b) Under Cloud apps or actions > Include All Cloud Apps and Exclude Microsoft Azure Management
    c) Under Conditions > Locations > Include Any Location or leave it as Not configured.
    d) Under Access Control section > Grant > Block Access

    If this is how you have configured the policies and are still facing the issue, kindly share the correlation ID and timestamp (with time zone) from the sign-in activity when the policy with the exception gets applied and the users' access is blocked.

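Policy2 from this follow-up answer, plus the check the moderator asks for: pulling one sign-in by its correlation ID and listing which Conditional Access policies were evaluated against it and with what result. This is an added example with Microsoft Graph PowerShell, not code from the thread; the group name, the application ID for "Microsoft Azure Management" and the correlation ID are placeholders, and the application ID should be verified in your tenant.

```powershell
# Added example: Policy2 (block every other cloud app for the same group) and a
# sign-in-log lookup that shows which policies fired for a given correlation ID.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$GroupName            = "Azure-Portal-Restricted"                  # assumption: same group as Policy1
$AzureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"     # "Microsoft Azure Management"; verify in your tenant
$CorrelationId        = "00000000-0000-0000-0000-000000000000"     # assumption: paste the value from the blocked sign-in

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found" }

# Policy2: All cloud apps minus Azure Management, any location, Block.
# Report-only first; a mistake here blocks the group's access to every other service.
$policy2Body = @{
    displayName = "Block all cloud apps except Azure Management"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($AzureManagementAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$policy2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy2Body
"Policy2 created: {0} (state '{1}')" -f $policy2.Id, $policy2.State

# Troubleshooting: which policies were evaluated for one sign-in, from which IP, and with what outcome.
$signIn = Get-MgAuditLogSignIn -Filter "correlationId eq '$CorrelationId'" | Select-Object -First 1
if (-not $signIn) { throw "No sign-in found for correlation ID $CorrelationId" }

# CreatedDateTime is UTC, which removes the time-zone ambiguity the answer asks about.
"{0} -> {1} from {2} at {3:u} (UTC); Conditional Access status: {4}" -f `
    $signIn.UserPrincipalName, $signIn.AppDisplayName, $signIn.IPAddress, $signIn.CreatedDateTime, $signIn.ConditionalAccessStatus

foreach ($applied in $signIn.AppliedConditionalAccessPolicies) {
    # Result is one of success, failure, notApplied, notEnabled, reportOnlySuccess, reportOnlyFailure, ...
    # A "failure" with enforced control "block" is the policy that denied this sign-in.
    "  {0,-50} {1,-20} {2}" -f $applied.DisplayName, $applied.Result, ($applied.EnforcedGrantControls -join ",")
}
```

Compare the `IPAddress` in the output with the /32 in Location1: if the two differ (for example because the users egress through a proxy or a different NAT address than expected), Policy1's location exclusion does not match and the block is the intended outcome rather than a policy conflict. If the IP matches and Policy1 still reports `failure`, that line, together with the correlation ID and UTC timestamp, is what to hand back to support.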

