** NOTE ** - This is a legacy article and no longer necessary due to updates in the product with service accounts no longer being needed. For updated instructions, see here.
Introduction
At morbit, as a cloud application provider, we are very aware of how important security is to our customers. We have therefore taken precautions to ensure not only that our platform is secure by design, but also that we share with our customers methods to further enhance their security whilst using our services.
This document will provide instructions for setting up a conditional access policy in Microsoft Entra (formerly Azure Active Directory) to allow a service account to only be used from our hosting geographic location.
This document is for use by customers using the Microsoft Teams and Graph API in morbit studio, and it assumes technical competence in Microsoft 365.
Prerequisites
Step 1 - Service Account
This guide expects there to be a service account set up and configured for morbit studio as described in either the ‘Microsoft Teams - Application Setup and Permissions’ or ‘morbit studio – User Guide’ documents. If you have not done this, please refer to those guides before continuing.
Step 2 - Microsoft Entra Access Permissions
To create a Conditional Access policy in Microsoft Entra, the account used to complete this guide must have the ‘Conditional Access Administrator’, ‘Security Administrator’ or ‘Global Administrator’ role assigned. This account is the assumed user in the steps below.
Step 3 - Understand this document
We urge you to read through this entire guide before starting the steps described, as we cannot know your Microsoft 365 setup and security requirements. These will be unique to your business, so only proceed when you understand the steps being implemented here.
Suggested further reading:
- What is Conditional Access? https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
Support for these changes falls outside of the scope of technical support for this solution. This is a reference guide and you proceed at your own risk.
Restrict Access Using Conditional Access Policy
1. Log in to Microsoft Entra at https://entra.microsoft.com/
2. Expand the Identity menu and click Conditional Access.
3. In the main window, select Named Locations and click the button.
4. In the Name field, enter ‘AWS_Ireland’, then filter the country list by typing “Ireland” into it and tick the check box next to Ireland.
5. Click the Create button to complete.
6. From the Conditional Access screen, now click Policies. Click the button.
7. In the new screen, give the Conditional Access Policy the Name ‘MorbitStudio_ServiceAccount_AccessPolicy’.
8. In the Users selection, click the ‘0 users and groups selected’ link. In the options that load, on the Include tab, choose Select users and groups and tick the Users and groups box. This loads a list of all the users and groups in your tenant.
9. Search for the morbit studio service account created previously and tick its check box. Click the Select button. Your screen should look like this:
10. From Target resources, select the link ‘No target resources selected’. Choose Include > All Cloud Apps.
11. From Conditions, select the link ‘0 conditions selected’. From the options that load, select the ‘Not Configured’ link under Locations.
12. Set the Configure Yes/No toggle to Yes. Leave Include as ‘Any location’. Click the Exclude tab and select ‘Selected locations’.
13. Click the ‘None’ link within the Select section and tick the AWS_Ireland location that was created in step 4 above. Click the Select button. Your screen should look like this:
14. In the Access Controls section, click ‘0 controls selected’ within the Grants section. In the Grant menu, select the Block access option and click the Select button.
15. At the bottom of the screen, in the Enable policy section, select On.
16. Optionally, you can select Report-only and monitor the policy over time, but remember to come back later and set the policy to On.
17. Click the Create button to complete the policy.
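The same two objects the portal steps create (a country named location and a policy that blocks the service account everywhere except that location) can be expressed as Microsoft Graph request bodies. The following is an added example written for this guide, not morbit's own code: it builds the bodies for `POST /identity/conditionalAccess/namedLocations` and `POST /identity/conditionalAccess/policies`, and includes an audit function you can run against a policy read back from Graph to confirm it still matches the intent of this guide (for example, that it has not been left in report-only mode or had its location exclusion widened). The service account object id and the named location id are constructed placeholders, and the HTTP calls themselves are left out (they require a token with the Policy.ReadWrite.ConditionalAccess permission).

```python
"""Graph API equivalent of the portal steps in this guide (added example, not morbit's code)."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"
NAMED_LOCATIONS = f"{GRAPH}/identity/conditionalAccess/namedLocations"
POLICIES = f"{GRAPH}/identity/conditionalAccess/policies"


def country_named_location(display_name: str, iso_codes: list[str]) -> dict:
    """Request body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": display_name,
        "countriesAndRegions": iso_codes,  # ISO 3166-1 alpha-2, "IE" for Ireland
        # Sign-ins whose country cannot be resolved do not match the exclusion,
        # so the block policy still applies to them.
        "includeUnknownCountriesAndRegions": False,
    }


def service_account_block_policy(display_name: str, user_object_id: str,
                                 allowed_location_id: str, report_only: bool = False) -> dict:
    """Request body for POST /identity/conditionalAccess/policies.

    Include: the service account, all cloud apps, any location.
    Exclude: the allowed named location. Grant control: block.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": [user_object_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [allowed_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def audit_policy(policy: dict, user_object_id: str, allowed_location_id: str) -> list[str]:
    """Return findings where a policy body has drifted from the guide's intent (empty = ok)."""
    findings = []
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if user_object_id not in cond.get("users", {}).get("includeUsers", []):
        findings.append("service account is not in includeUsers")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy does not cover all cloud apps")
    loc = cond.get("locations", {})
    if loc.get("includeLocations") != ["All"]:
        findings.append("includeLocations is not 'All'")
    if loc.get("excludeLocations") != [allowed_location_id]:
        findings.append("excludeLocations is not exactly the allowed location")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not 'block'")
    return findings


# Constructed placeholder ids; the real values come from your tenant.
SERVICE_ACCOUNT_ID = "00000000-0000-0000-0000-000000000001"
AWS_IRELAND_LOCATION_ID = "11111111-1111-1111-1111-111111111111"

if __name__ == "__main__":
    location = country_named_location("AWS_Ireland", ["IE"])
    policy = service_account_block_policy(
        "MorbitStudio_ServiceAccount_AccessPolicy", SERVICE_ACCOUNT_ID, AWS_IRELAND_LOCATION_ID
    )
    print("POST", NAMED_LOCATIONS, json.dumps(location, indent=2))
    print("POST", POLICIES, json.dumps(policy, indent=2))
    print("audit:", audit_policy(policy, SERVICE_ACCOUNT_ID, AWS_IRELAND_LOCATION_ID) or "ok")
```

Create the named location first, take the `id` from the response, and pass it as `allowed_location_id` when building the policy; the audit function is most useful run periodically against `GET /identity/conditionalAccess/policies`, since a policy silently switched to report-only gives no protection.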
Further information
Monitoring the policy
You can monitor the policy by reviewing the Sign-in logs in the Conditional Access section of Entra and selecting a row (use filters to simplify the view):
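To make that review repeatable, the sign-in records can be triaged programmatically. The example below is added for this guide and is not morbit's code: the records are constructed in the shape of the Microsoft Graph `signIn` resource (the same data the Sign-in logs blade shows), using the policy name from this guide and a placeholder service account UPN. The function splits the service account's sign-ins into those the policy blocked, those it would have blocked while in Report-only mode, and those it let through, so an unexpected source country, or a policy left in report-only mode, stands out immediately.

```python
"""Triage of Conditional Access sign-in records for the service account (added example)."""
from collections import Counter

POLICY_NAME = "MorbitStudio_ServiceAccount_AccessPolicy"
SERVICE_UPN = "morbit-svc@example.com"  # constructed placeholder

# Constructed sample records in the shape of the Graph signIn resource.
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": SERVICE_UPN,
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "IE"},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
    {"createdDateTime": "2024-05-01T09:15:00Z", "userPrincipalName": SERVICE_UPN,
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
    {"createdDateTime": "2024-05-01T10:30:00Z", "userPrincipalName": SERVICE_UPN,
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "DE"},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
]


def policy_result(event: dict, policy_name: str):
    """Result recorded for the named policy on this sign-in, or None if it was not evaluated."""
    for applied in event.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result")
    return None


def triage(events: list, policy_name: str, service_upn: str) -> dict:
    """Bucket the service account's sign-ins by what the named policy did to them.

    'failure' means the policy enforced a block; 'reportOnlyFailure' means it
    would have blocked but was only reporting; anything else let the sign-in
    through (for the excluded location the policy is simply 'notApplied').
    """
    report = {"blocked": [], "report_only_would_block": [], "allowed": [], "countries": Counter()}
    for ev in events:
        if ev.get("userPrincipalName") != service_upn:
            continue
        country = ev.get("location", {}).get("countryOrRegion", "unknown")
        report["countries"][country] += 1
        entry = (ev["createdDateTime"], ev["ipAddress"], country)
        result = policy_result(ev, policy_name)
        if result == "failure":
            report["blocked"].append(entry)
        elif result == "reportOnlyFailure":
            report["report_only_would_block"].append(entry)
        else:
            report["allowed"].append(entry)
    return report


if __name__ == "__main__":
    summary = triage(SAMPLE_SIGN_INS, POLICY_NAME, SERVICE_UPN)
    for bucket in ("blocked", "report_only_would_block", "allowed"):
        print(f"{bucket}:")
        for when, ip, country in summary[bucket]:
            print(f"  {when}  {ip:<15} {country}")
    print("sign-ins by country:", dict(summary["countries"]))
```

Anything in the `report_only_would_block` bucket after you intended the policy to be enforcing is a sign the policy was never switched from Report-only to On; anything in `allowed` from a country other than Ireland means the exclusion is wider than intended.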
Why choose country location, not IP address ranges?
Relying on the IP ranges of AWS Ireland is an unreliable solution. Whilst AWS publish a list of ranges for the EU Ireland location that we host from, it is not the full list: the current service is hosted on IP addresses that are not in any listed range. To safeguard against this, the solution is to exclude the country, rather than IP address ranges, from the restriction.