
Securing the MSPMagic service account using Conditional Access

Requirements

  • Azure AD Premium P1/P2 license
  • Global administrator login to customer tenant

Summary

This is a step-by-step guide on how to configure a Conditional Access policy that restricts sign-in for MSPMagic’s Global Administrator account to MSPMagic’s public IP address. Any sign-in to the tenant by that account which does not originate from MSPMagic’s public IP address will be blocked. Because Conditional Access is evaluated after the credential has been validated, the policy stops token issuance for sign-ins from other addresses; it does not stop password-guessing attempts against the account, so the account still needs a strong credential.

Note: This process must be performed on each tenant individually. We recommend that this policy be implemented for all customer tenants which are onboarded into MSPMagic.

Steps

Log in to the customer tenant using a global administrator account and navigate to Azure Active Directory.

Create a trusted named location

From the Azure Active Directory blade navigate to Security > Named Locations. Select + IP ranges location and enter ‘MSPMagic Network’ into the name field. Check the box labelled Mark as trusted location. Click + to add an IP range, enter ‘20.188.223.13/32’ into the textbox (the /32 mask matches exactly one IPv4 address) and click Add. Confirm that the location is named ‘MSPMagic Network’, is marked as trusted and contains only that single range, then click Create to add the named location.

Create a conditional access policy

From the Azure Active Directory blade click on Security > Conditional Access. Click on + New policy and name the policy ‘Restrict MSPMagic access’.

Click on the Users and groups assignment. On the Include tab choose Select users and groups and check the box labelled Users and groups. Locate the MSPMagic Administrator account using the users and groups selector and click Select. Include only this account: adding other users, or All users, would lock them out of the tenant from anywhere other than the MSPMagic address.

Click on the Cloud apps or actions assignment then on the Include tab select All cloud apps.

Click on the Conditions assignment then Locations. Set Control user access based on their physical location to Yes and then from the Include tab select Any location.

Next, click on the Exclude tab and select Selected locations. Click on the Select link, choose the ‘MSPMagic Network’ location created earlier and click Select. The policy therefore matches every sign-in except those from the trusted location.

Click on Grant in the Access controls section and from the fly-out menu select ‘Block access’, then click on Select. The Require all / Require one of the selected controls options under For multiple controls only matter when access is being granted with controls such as MFA; they have no effect when the action is Block access, so leave them at their default.

Finally, set Enable policy to ‘On’ and then click ‘Create’. If you prefer to observe the effect before enforcing it, set Enable policy to ‘Report-only’ first, check the sign-in logs for the MSPMagic account, and switch it to ‘On’ once the expected sign-ins are the only ones flagged.
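The same named location and policy can be created from the Microsoft Graph PowerShell SDK, which is useful when the policy has to be rolled out to many customer tenants. The script below is an added example and not MSPMagic’s own tooling; it assumes the Microsoft.Graph module is installed, that you connect as a global administrator of the customer tenant, and that $MspMagicAdminUpn is set to the UPN of the MSPMagic administrator account in that tenant (the page does not give the UPN, so it is a placeholder you must supply).

```powershell
# Added example (not MSPMagic's own tooling): creates the trusted named location and the
# "Restrict MSPMagic access" Conditional Access policy described above via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; $MspMagicAdminUpn is a placeholder for the
# MSPMagic administrator account's UPN in the customer tenant (not given on the page).
param(
    [Parameter(Mandatory)] [string] $MspMagicAdminUpn,
    [string] $MspMagicCidr = '20.188.223.13/32',   # address from the page; /32 = one IPv4 host
    [switch] $ReportOnly                            # observe in report-only mode before enforcing
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# 1. Trusted named location containing only MSPMagic's egress address.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'MSPMagic Network'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $MspMagicCidr }
    )
}

# 2. Resolve the service account to its object id. The policy targets only this account,
#    so nobody else can be locked out by it.
$admin = Get-MgUser -Filter "userPrincipalName eq '$MspMagicAdminUpn'" -Property Id, UserPrincipalName
if (-not $admin) { throw "User $MspMagicAdminUpn was not found in this tenant" }

# 3. Policy: this user, all cloud apps, any location except the trusted one -> block.
$state = if ($ReportOnly) { 'enabledForReportingButNotEnforced' } else { 'enabled' }
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Restrict MSPMagic access'
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @($admin.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Named location '$($location.DisplayName)' created with id $($location.Id)"
"Policy '$($policy.DisplayName)' created with id $($policy.Id) in state $($policy.State)"
```

Run it once per customer tenant. Passing -ReportOnly creates the policy in report-only mode, which is the scripted equivalent of the Report-only setting in the portal; re-create or update the policy with state ‘enabled’ once the sign-in logs show only the expected sign-ins from the MSPMagic address.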

Verify the conditional access policy

Verify that allow works

From the conditional access policies screen click on What if. Click on the User field and select the MSPMagic Administrator account. Leave the Cloud apps or actions field set to Any cloud app or action. In the IP Address field enter the IP ‘20.188.223.13’ and select any country from the dropdown.

Click on What if and verify that the ‘Restrict MSPMagic access’ policy appears in the Policies that will not apply tab.

Verify that block works

From the conditional access policies screen click on What if. Click on the User field and select the MSPMagic Administrator account. Leave the Cloud apps or actions field set to Any cloud app or action. In the IP Address field enter any valid public IP address other than the MSPMagic IP address eg ‘8.8.8.8’.

Click on What if and verify that the ‘Restrict MSPMagic access’ policy appears in the Policies that will apply tab. The What if tool only simulates policy evaluation; to confirm the policy is enforced, also check the Azure AD sign-in logs for the MSPMagic account after the next real sign-in from MSPMagic and, if possible, after a deliberate test sign-in from another address, and confirm that the policy shows as not applied for the former and as a failure for the latter.
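The check against real sign-ins can be scripted from the sign-in log, which shows what the policy actually did rather than what What if predicts. This is an added example, not MSPMagic’s own tooling; it assumes the Microsoft.Graph module, an account with permission to read the audit log, and $MspMagicAdminUpn as a placeholder for the MSPMagic administrator account’s UPN (not given on the page).

```powershell
# Added example (not from the page): reads recent sign-ins of the MSPMagic account and checks,
# per sign-in, that "Restrict MSPMagic access" was not applied from the trusted IP and blocked
# (policy result 'failure') from every other address.
# Assumptions: Microsoft.Graph module installed; $MspMagicAdminUpn is a placeholder UPN.
param(
    [Parameter(Mandatory)] [string] $MspMagicAdminUpn,
    [string] $PolicyName = 'Restrict MSPMagic access',
    [string] $TrustedIp  = '20.188.223.13',          # address from the page
    [int]    $Hours      = 24                         # look-back window
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since   = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$MspMagicAdminUpn' and createdDateTime ge $since"

foreach ($s in $signIns) {
    # Per-policy evaluation result recorded for this sign-in.
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $PolicyName

    $verdict = if ($s.IPAddress -eq $TrustedIp) {
        # From the trusted address the policy must be excluded, i.e. result 'notApplied'.
        if ($applied.Result -eq 'notApplied') { 'OK: allowed from MSPMagic IP' }
        else { "UNEXPECTED: policy result '$($applied.Result)' from trusted IP" }
    } else {
        # From anywhere else the policy must apply and block: policy result 'failure'
        # and the sign-in's overall Conditional Access status 'failure'.
        if ($applied.Result -eq 'failure' -and $s.ConditionalAccessStatus -eq 'failure') { 'OK: blocked' }
        else { "GAP: policy result '$($applied.Result)' from $($s.IPAddress)" }
    }

    [pscustomobject]@{
        Time     = $s.CreatedDateTime
        IP       = $s.IPAddress
        App      = $s.AppDisplayName
        CAStatus = $s.ConditionalAccessStatus
        Policy   = $applied.Result
        Verdict  = $verdict
    }
}
```

A row marked GAP means a sign-in from outside the MSPMagic address was not blocked and the policy assignments should be re-checked; if the policy is still in report-only mode the results appear as reportOnlyFailure and reportOnlyNotApplied instead, which this check deliberately does not treat as OK.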
