I am working on my Azure AD, on which I created an Azure VPN (OPENSSL) that allows connection through Azure AD.
Everything works just fine at this point as I can connect to my vpn client.
At this stage, I really wanted to test this connection using Azure AD Conditional Access to force MFA during login. I head to the VPN and, if I connect, I am asked for MFA. Which is great.
But there is something that I can't figure out on my own.
I would like to be able to connect to the Azure Portal exclusively if I am connected to the VPN.
So I went to Azure AD > Named locations, added the VPN IP ranges and marked them as trusted.
In my Azure VPN client, when I connect, I have these values.
VPN Routes:
192.xxx.xx.x/24
172.xx.x.x/24
So in my named location IP ranges, I set both of those values.
I went to Azure AD > Security > Conditional Access and configured it as follows:
Under Users and groups, I selected the test user that I want to include in this policy.
In Cloud apps, I chose Microsoft Azure Management.
And under Conditions > Locations, I selected the named location I created with the IP ranges that I marked as trusted.
And in Grant, I selected Require multi-factor authentication.
After saving this configuration, I logged out and tried to log in again without being connected to the VPN, but here, after approving the MFA, I am allowed to access the Azure Portal.
What should I do if I want to block all local access to the Azure Portal if I am not connected to the Azure VPN?
Thank you very much for any help that you can provide.
UPDATE:
I tried a different approach.
In Named locations, I declared my IP range (myIP/32), and in Conditional Access > Locations, under Include I selected Any location, and in Exclude I selected the named location (my IP).
Then in Grant, I selected Block access.
Now I can access the portal from my IP, but if I create a VM and try to log in to the Azure Portal, I get a permission denied error. Which is great.
But I am still not able to make it work with my Azure VPN client.
Under Named locations, I tried to add the Azure VPN IP routes, but I am still unable to connect to the Azure Portal.
Please, can anyone offer any help or clarification on this?
Thank you so much
You can't use private IP addresses for the named location unfortunately.
I'm not sure if what you are trying to do is actually possible. In my opinion, it's not really necessary anyway as you really want to restrict access based on identity rather than location. I think the best you can do here is to continue to use conditional access to restrict access to particular users, enforce MFA and maybe enforce trusted/compliant devices if you want to.
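As an added illustration of both the question's second approach (include All locations, exclude a named location, grant control Block) and the answer's point that private VPN routes cannot be used, here is example code that is not part of the original post or answer. It builds the Microsoft Graph request bodies for an `ipNamedLocation` and a `conditionalAccessPolicy`, refuses RFC 1918 and other non-public ranges (Azure AD only ever sees the public address the sign-in egresses from, so the VPN's public NAT address is what belongs in the named location), and evaluates the policy locally against sample sign-ins. The VPN egress address `203.0.113.10/32`, the VM address `198.51.100.7`, the user id and the named-location id `loc-vpn-egress` are constructed placeholders; the Azure Management app id and the Graph schema names are the real ones.

```python
# Added example (not from the original question or answer): Graph payloads for
# "block the Azure portal unless the sign-in egresses from the VPN's public IP",
# plus a local approximation of how Conditional Access evaluates them.
import ipaddress
from typing import Dict, Iterable, List

# Application id of the "Microsoft Azure Management" cloud app.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Ranges Azure AD never sees as a sign-in source (it sees the public egress
# address), so they are useless in a named location.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 (VPN routes)
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_usable_named_location_range(cidr: str) -> bool:
    """True if the CIDR is public and can appear in an ipNamedLocation."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == b.version and net.overlaps(b) for b in _NON_PUBLIC)


def build_named_location(display_name: str, cidrs: Iterable[str], trusted: bool = True) -> Dict:
    """Body for POST /identity/conditionalAccess/namedLocations."""
    ranges: List[Dict] = []
    for cidr in cidrs:
        if not is_usable_named_location_range(cidr):
            raise ValueError(f"{cidr} is not public; Azure AD only sees the VPN's egress IP")
        net = ipaddress.ip_network(cidr, strict=False)
        otype = "#microsoft.graph.iPv4CidrRange" if net.version == 4 else "#microsoft.graph.iPv6CidrRange"
        ranges.append({"@odata.type": otype, "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name, "isTrusted": trusted, "ipRanges": ranges}


def build_block_policy(display_name: str, user_ids: Iterable[str], named_location_id: str,
                       state: str = "enabledForReportingButNotEnforced") -> Dict:
    """Body for POST /identity/conditionalAccess/policies: include All locations,
    exclude the VPN egress location, grant control = block. Report-only by
    default so the effect can be checked in sign-in logs before enforcement
    (a wrong range here locks the admin out of the portal)."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_sign_in(policy: Dict, named_locations: Dict[str, Dict],
                          source_ip: str, user_id: str, app_id: str) -> bool:
    """Local approximation of evaluation: block when user and app are in scope
    and the source IP is not inside any excluded named location."""
    cond = policy["conditions"]
    if user_id not in cond["users"]["includeUsers"]:
        return False
    if app_id not in cond["applications"]["includeApplications"]:
        return False
    ip = ipaddress.ip_address(source_ip)
    for loc_id in cond["locations"]["excludeLocations"]:
        for r in named_locations[loc_id]["ipRanges"]:
            if ip in ipaddress.ip_network(r["cidrAddress"]):
                return False
    return "block" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    # Constructed placeholders: the VPN gateway's public NAT address, a test
    # user object id, and the id Graph would return for the named location.
    vpn_egress = build_named_location("VPN public egress", ["203.0.113.10/32"])
    policy = build_block_policy("Block Azure portal off-VPN",
                                ["00000000-0000-0000-0000-000000000001"], "loc-vpn-egress")
    locs = {"loc-vpn-egress": vpn_egress}
    for ip in ("203.0.113.10", "198.51.100.7"):
        blocked = policy_blocks_sign_in(policy, locs, ip,
                                        "00000000-0000-0000-0000-000000000001",
                                        AZURE_MANAGEMENT_APP_ID)
        print(f"sign-in from {ip}: {'blocked' if blocked else 'allowed'}")
    for cidr in ("192.168.1.0/24", "172.16.0.0/24"):   # constructed VPN-route-style ranges
        print(f"{cidr} usable in a named location: {is_usable_named_location_range(cidr)}")
```

Two practical points follow from the design: the policy is created in report-only state so its effect shows up in the sign-in logs before anyone is locked out, and the excluded named location must hold the VPN gateway's public egress address (which the VPN client does not display among its routes), not the private ranges it pushes to the client. It is also common practice to exclude an emergency-access account from a block policy like this one.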