Edit

Enable compliant network check with Conditional Access

  • Article

Organizations who use Conditional Access along with the Global Secure Access preview, can prevent malicious access to Microsoft apps, third-party SaaS apps, and private line-of-business (LoB) apps using multiple conditions to provide defense-in-depth. These conditions may include device compliance, location, and more to provide protection against user identity or token theft. Global Secure Access introduces the concept of a compliant network within Conditional Access and continuous access evaluation. This compliant network check ensures users connect from a verified network connectivity model for their specific tenant and are compliant with security policies enforced by administrators.

The Global Secure Access Client installed on devices or configured remote network allows administrators to secure resources behind a compliant network with advanced Conditional Access controls. This compliant network makes it easier for administrators to manage and maintain, without having to maintain a list of all of an organization's locations IP addresses. Administrators don't need to hairpin traffic through their organization's VPN egress points to ensure security.

This compliant network check is specific to each tenant.

  • Using this check you can ensure that other organizations using Microsoft's Global Secure Access services can't access your resources.
    • For example: Contoso can protect their services like Exchange Online and SharePoint Online behind their compliant network check to ensure only Contoso users can access these resources.
    • If another organization like Fabrikam was using a compliant network check, they wouldn't pass Contoso's compliant network check.

The compliant network is different than IPv4, IPv6, or geographic locations you may configure in Microsoft Entra ID. No administrator upkeep is required.

Prerequisites

  • Administrators who interact with Global Secure Access preview features must have one or more of the following role assignments depending on the tasks they're performing.
  • The preview requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses.
  • To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.

Known limitations

  • Continuous access evaluation is not currently supported for compliant network check.
  • Organizations can protect other Microsoft Entra integrated apps with Conditional Access policies requiring a compliant network check. During the preview, administrators must choose the individual applications from the app picker instead of choosing All cloud apps. Do not choose All cloud apps.

Enable Global Secure Access signaling for Conditional Access

To enable the required setting to allow the compliant network check, an administrator must take the following steps.

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access (Preview) > Global settings > Session management Adaptive access.
  3. Select the toggle to Enable Global Secure Access signaling in Conditional Access.
  4. Browse to Protection > Conditional Access > Named locations.
    1. Confirm you have a location called All Compliant Network locations with location type Network Access. Organizations can optionally mark this location as trusted.

Screenshot showing the toggle to enable signaling in Conditional Access.

Caution

If your organization has active Conditional Access policies based on compliant network check, and you disable Global Secure Access signaling in Conditional Access, you may unintentionally block targeted end-users from being able to access the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.

Protect Exchange and SharePoint Online behind the compliant network

The following example shows a Conditional Access policy that requires Exchange Online and SharePoint Online to be accessed from behind a compliant network as part of the preview.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  6. Under Target resources > Include, and select Select apps.
    1. Choose Office 365 Exchange Online and/or Office 365 SharePoint Online.
    2. Office 365 apps are currently NOT supported, so do not select this option.
  7. Under Conditions > Location.
    1. Set Configure to Yes
    2. Under Include, select Any location.
    3. Under Exclude, select Selected locations
      1. Select the All Compliant Network locations location.
    4. Select Select.
  8. Under Access controls:
    1. Grant, select Block Access, and select Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to create to enable your policy.

After administrators confirm the policy settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
  • Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Try your compliant network policy

  1. On an end-user device with the NaaS client installed and running
  2. Browse to https://outlook.office.com/mail/ or https://yourcompanyname.sharepoint.com/, you have access to resources.
  3. Pause the NaaS client by right-clicking the application in the Windows tray and selecting Pause.
  4. Browse to https://outlook.office.com/mail/ or https://yourcompanyname.sharepoint.com/, you're blocked from accessing resources with an error message that says You cannot access this right now.

Screenshot showing error message in browser window You can't access this right now.

Troubleshooting

Verify the new named location was automatically created using Microsoft Graph.

GET https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations

Screenshot showing Graph Explorer results of query

Terms of Use

Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.

Next steps

The Global Secure Access Client for Windows (preview)