Conditional Access for XMAP

1. Create a trusted network by defining IP ranges
2. Create a conditional access policy to block access from all networks
   
3. Add an exclusion for our trusted network
   

1. Enable Global Secure Access

2. Define Trusted Network (Named Locations)

• Sign in to the Microsoft Entra admin center.
• Go to Security > Conditional Access > Named locations.
• Here, create a Named Location for your trusted network by adding specific IP ranges or countries. This will represent your trusted network.

3. Configure Conditional Access Policy

• Go to Security > Conditional Access > Policies.
• Create a new Conditional Access Policy.
• In the Assignments section:
  
  • Users or workload identities: Select the users or groups this policy applies to.
  • Cloud apps or actions: Select the enterprise app(s) that require protection.
• Under Conditions, select Locations, then:
  
  • Choose Any location and Exclude the trusted network you defined earlier.

4. Use Global Secure Access (GSA) for Network Conditions

This step is not required if you just want to restrict access based on IP range.

• With Global Secure Access, you can control network access based on the security posture. In your Conditional Access policy:
  
  • Under Conditions, go to Device filters or Network conditions.
  • Set it to require a connection from a trusted network or through Global Secure Access.
  • This will ensure the user must be connected through a trusted network, or using a GSA-secured tunnel, to access the app.

5. Block Access Outside Trusted Network

• In the Grant section of the policy, select Block access.
• Ensure the policy is set to only allow access when the user is on a trusted network (or connected through Global Secure Access).

6. Test and Monitor

• Test the policy by attempting access from both trusted and untrusted networks to ensure it works as expected.
• Monitor the results using Entra’s Sign-in logs to see if the Conditional Access policy is being applied correctly.