Azure web app - restrict access to Sharepoint online

Peter Stilgoe 21 Reputation points
2020-08-18T08:12:23.78+00:00

Hi

We have a Sharepoint Online provider hosted app using an Azure web app as the host.

Currently the Azure web app is open to the public, what is the best way to restrict access to it so only Sharepoint Online can talk to it?

Can we do this via Web app --> Networking --> Access restrictions?

We do not have a Vnet in place.

Cheers


Accepted answer
  1. Mark E 76 Reputation points
    2020-08-18T23:20:40.597+00:00

    If it’s running on a web app, you can use access restrictions to put IP whitelists in place, or come up a level and tie in Azure AD authentication at the service level.

    IP restrictions: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

    Authentication: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

    A word of caution with IP restrictions: you need to stay on top of the ACL if any endpoint users are on dynamic IPs.


3 additional answers

  1. Jerryzy 10,571 Reputation points
    2020-08-19T07:06:07.547+00:00

    Hi @Peter Stilgoe ,

    I agree with @Mark E's suggestion: you can either restrict IP addresses or require authentication for the Azure Web App to restrict access.

    Restrict public access to your Azure Web Apps with the IPSecurityRestrictions option


  2. Peter Stilgoe 21 Reputation points
    2020-08-19T10:45:41.333+00:00

    Thanks both, the app uses OAuth for authentication.

    So I guess we would need to look at restricting via SPO IP addresses, and at some kind of automation / alerting to manage it.


  3. Achim Ismaili 1 Reputation point
    2021-04-26T22:38:32.72+00:00

    Hi @Peter Stilgoe ,

    I absolutely do not agree with the given answers of IP restrictions or authentication.

    SharePoint Online sends remote event calls to PHAs, which are anonymous. Same problem with webhook event calls.
    Therefore, recommending authentication is not applicable.

    Regarding IP ranges, here is a link to SPO IP ranges, but MS also says that Office 365 does not provide IP addresses of all required network endpoints.
    And on that page there is also a changelog, so from time to time the IPs will change. (!) I don't think it is a good idea to secure a connection based on the IPs then.

    A better approach would probably be to use some kind of service endpoint or service tag.

    Unfortunately, I have not yet found an applicable service tag. It would already help a lot if SharePoint Online were included in the existing service tag AzureCloud (--> this service tag contains all datacenter public IP addresses). But I downloaded the list of 'All datacenter public IP addresses' and the first of the SPO IPs (13.107.136.x) was not included there. Hm. :(

    I would expect Microsoft to also provide a service endpoint for their M365 services, or just for SPO, just as they do for e.g. Azure DevOps. This way it would be possible to nicely harden web applications or Azure Functions that should only be reachable by SPO.

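The three answers above converge on one operational problem: if the web app is locked down to SharePoint Online's published IP ranges (Mark E's "stay on top of the ACL", Peter's "automation / alerting", Achim's changelog), somebody has to notice when Microsoft changes those ranges and update the access restrictions. The script below is an added example, not code from this thread or from Microsoft: it pulls the SharePoint service area out of the Office 365 IP Address and URL web service feed, collapses the IPv4 prefixes, diffs them against the app's current allowlist and prints the `az webapp config access-restriction` commands that reconcile the two. The JSON field names (`serviceArea`, `required`, `ips`) follow that web service's published schema; the `az` flags follow the Azure CLI reference; the resource names, the sample feed and the "current allowlist" are constructed for the demo and are not an authoritative SPO range list.

```python
"""Added example (not from the original thread): detect drift between the
SharePoint Online IP ranges Microsoft publishes and the IP allowlist on an
App Service access restriction, then emit the az CLI commands to reconcile it.

Assumptions, labelled: the JSON field names (serviceArea, required, ips) follow
the Office 365 IP Address and URL web service; the az command flags follow the
Azure CLI reference for `az webapp config access-restriction`; the resource
names and the current allowlist below are made up.
"""
import ipaddress
import json
import urllib.request
import uuid

# Live feed; each call needs a fresh client GUID. Not called by the offline demo.
ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"

# Constructed sample in the shape the web service returns (only the fields this
# script reads). Ranges are illustrative and NOT an authoritative SPO list.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "tcpPorts": "80,443",
     "ips": ["13.107.136.0/22", "40.108.128.0/17", "2603:1061:1300::/40"]},
    {"id": 39, "serviceArea": "SharePoint", "category": "Default", "required": True,
     "tcpPorts": "443", "ips": ["52.104.0.0/14"]},
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "tcpPorts": "443", "ips": ["40.96.0.0/13"]},
])

# Constructed: what the web app currently allows (e.g. parsed from
# `az webapp config access-restriction show`). One range is stale.
CURRENT_ALLOWLIST = ["13.107.136.0/22", "104.146.128.0/17"]


def fetch_endpoints():
    """Download the live endpoint list from Microsoft (network required)."""
    with urllib.request.urlopen(ENDPOINTS_URL.format(uuid.uuid4())) as resp:
        return json.load(resp)


def sharepoint_ipv4_ranges(endpoints):
    """Required SharePoint IPv4 prefixes, collapsed so overlapping or adjacent
    blocks become a single rule. IPv6 is skipped here; add a parallel rule set
    if the app's front end is reachable over IPv6."""
    nets = []
    for entry in endpoints:
        if entry.get("serviceArea") != "SharePoint" or not entry.get("required"):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.append(net)
    return {str(n) for n in ipaddress.collapse_addresses(nets)}


def diff_allowlist(published, current):
    """(to_add, to_remove): published ranges missing from the app, and
    allowed ranges Microsoft no longer publishes for SharePoint."""
    cur = {str(ipaddress.ip_network(c, strict=False)) for c in current}
    return sorted(published - cur), sorted(cur - published)


def reconcile_commands(resource_group, app_name, to_add, to_remove, priority=300):
    """az CLI commands that bring the access-restriction rules in line.
    Review before running; a non-empty list is also your alert condition."""
    cmds = []
    for offset, cidr in enumerate(to_add):
        rule = "spo-" + cidr.replace(".", "-").replace("/", "-")
        cmds.append(
            f"az webapp config access-restriction add -g {resource_group} -n {app_name} "
            f"--rule-name {rule} --action Allow --ip-address {cidr} "
            f"--priority {priority + offset}"
        )
    for cidr in to_remove:
        cmds.append(
            f"az webapp config access-restriction remove -g {resource_group} "
            f"-n {app_name} --ip-address {cidr}"
        )
    return cmds


def check_sample():
    """Run the whole pipeline over the constructed data (offline)."""
    published = sharepoint_ipv4_ranges(json.loads(SAMPLE_ENDPOINTS))
    to_add, to_remove = diff_allowlist(published, CURRENT_ALLOWLIST)
    cmds = reconcile_commands("rg-spo-addin", "spo-addin-host", to_add, to_remove)
    return published, to_add, to_remove, cmds


if __name__ == "__main__":
    published, to_add, to_remove, cmds = check_sample()
    print("published:", sorted(published))
    print("add:", to_add, "remove:", to_remove)
    print("\n".join(cmds))
```

Run it on a schedule (Azure Automation, a timer-triggered Function, or plain cron) with `fetch_endpoints()` in place of the sample, and raise an alert whenever `to_add` or `to_remove` is non-empty; the same web service also publishes a version and changes feed, so you can poll for a version bump instead of re-diffing the whole list. Two caveats a practitioner should keep in mind: the published ranges are shared by every SharePoint Online tenant, so an IP allowlist only narrows the caller to "some SPO tenant", and the app still has to validate the SharePoint-issued token or context it receives; and if the App Service front end is reachable over IPv6, the IPv6 prefixes in the same feed need their own rules.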
