# Restricting Cloud App Access to IDP Proxy Only

## Overview

This guide will help you configure Microsoft Entra ID (formerly Azure AD) Conditional Access policies to ensure that specific cloud applications can only be accessed through Keystrike Cloud Protector's IDP proxy, blocking direct authentication attempts.

## Prerequisites

- Microsoft Entra ID P1 or P2 license (required for Conditional Access)
- Global Administrator or Conditional Access Administrator role
- List of cloud applications you want to protect with the Keystrike Cloud Protector (the applications must be registered in your Microsoft Entra ID tenant)

## Step 1: Create a Named Location for the IDP Proxy

### Navigate to the Microsoft Entra admin center

1. Go to entra.microsoft.com
2. Sign in with an account that has permissions to manage Conditional Access

### Create the Named Location

1. Navigate to ID Protection → Risk-based Conditional Access → Manage → Named locations
2. Click **+ IP ranges location**
3. Configure the location:
   - **Name:** Keystrike IDP Proxy (or a similar descriptive name)
   - **IP ranges:** enter the IDP proxy IP address(es) by clicking the plus icon
     - Format: `<tbd>/32` (for a single IP) or `<tbd>/24` (for a range)
     - In the beta phase use this IP address: `35.242.151.26/32`. The organization-specific IP addresses will be displayed in the admin panel later.
   - **Mark as trusted location:** ✅ check this box
4. Click **Create**

## Step 2: Create the Conditional Access Policy

### Navigate to Conditional Access Policies

1. Go to ID Protection → Risk-based Conditional Access → Policies
2. Click **+ New policy**

### Configure Basic Settings

- **Name:** Require Keystrike Cloud Protector (or a similar descriptive name)
- **Enable policy:** start with **Report-only** for testing

### Assignments

**Users**

- **Include:** select the users and groups that should be using the Keystrike Cloud Protector
- **Exclude:** consider excluding emergency access accounts, service accounts (if applicable), and your own admin account during testing

**Target resources**

- **Include:** choose **Select resources** and pick the specific applications you want to protect. Include any resource that should only be accessible via Keystrike Cloud Protector.
- **Exclude:** leave empty (or exclude apps that should allow direct access)

### Conditions

**Locations**

- **Include:** Any network or location
- **Exclude:** Selected networks and locations → select the named location you created (e.g. Keystrike IDP Proxy)

### Access Controls

- **Grant:** select **Block access**, then click **Select**
- **Session:** leave the default (no configuration needed)

### Enable Report-Only Mode

1. Set **Enable policy** to **Report-only**
2. Click **Create**

## Step 3: Test the Policy

### Monitor for 24-48 Hours

1. Go to Entra ID → Monitoring & health → Sign-in logs
2. Filter by Conditional Access status
3. Look for entries showing your policy being triggered
4. Verify that legitimate traffic from the IDP proxy is not being blocked

### Review Impact

- Check that users can still access apps through Keystrike Cloud Protector
- Confirm that direct access attempts are being identified (but not yet blocked)

## Step 4: Enable the Policy

Once testing confirms the policy works correctly:

### Edit the Policy

1. Navigate back to your Conditional Access policy
2. Change **Enable policy** from **Report-only** to **On**
3. Click **Save**

### Immediate Effect

- The policy takes effect immediately
- Direct access to protected apps will now be blocked
- Only access through your IDP proxy will be allowed

## Verification Steps

### Test Direct Access (Should Fail)

1. From a device without the Keystrike Cloud Protector, try to access one of your protected applications directly
2. You should see an access denied message

### Test Through Cloud Protector (Should Succeed)

1. From a device with the Keystrike Cloud Protector installed, access the same application
2. Authentication should work normally through the IDP proxy

## Troubleshooting

### Common Issues

**Users can't access apps through Cloud Protector**

- Verify that the IDP proxy IP addresses entered in the named location are correct
- Ensure the named location is marked as "trusted"

**Policy not triggering**

- Confirm the policy is enabled (not just Report-only)
- Verify the correct applications are selected
- Check that the user assignments include the test users

**Emergency access needed**

- Keep emergency access accounts excluded from the policy
- Have a process to quickly disable the policy if needed
- Consider excluding specific admin accounts during the initial rollout (break-glass account)

### Monitoring

- Regularly review sign-in logs for blocked attempts
- Monitor for any legitimate traffic being incorrectly blocked
- Set up alerts for unusual access patterns

This policy ensures that authentication to your protected SaaS applications can only occur through the Keystrike Cloud Protector's IDP proxy, enforcing device-based security controls and preventing direct access bypass attempts.
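The named location and policy from Steps 1 and 2, written as the Microsoft Graph request bodies the portal submits, plus a small offline evaluator that mirrors the policy's include/exclude logic so you can see why only proxy-sourced sign-ins get through. This is an added example, not Keystrike's or Microsoft's code; the app, group, account and location IDs are placeholders, and the proxy address is the beta-phase one given above.

```python
import ipaddress

# Constructed placeholders (not real tenant values): app object IDs, group ID, break-glass account ID
PROTECTED_APPS = ["<app-object-id-1>", "<app-object-id-2>"]
PROTECTED_GROUP = "<keystrike-users-group-id>"
BREAK_GLASS_ACCOUNTS = ["<emergency-access-account-id>"]
IDP_PROXY_CIDRS = ["35.242.151.26/32"]  # beta-phase proxy address from the guide


def named_location_body(display_name, cidrs):
    """Graph body for POST /identity/conditionalAccess/namedLocations (Step 1)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,  # the 'Mark as trusted location' checkbox
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c} for c in cidrs],
    }


def policy_body(display_name, location_id, report_only=True):
    """Graph body for POST /identity/conditionalAccess/policies (Step 2)."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "applications": {"includeApplications": PROTECTED_APPS},
            "users": {"includeGroups": [PROTECTED_GROUP], "excludeUsers": BREAK_GLASS_ACCOUNTS},
            # 'Any network or location' minus the proxy location: only the proxy is exempt from the block
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy, cidrs_by_location, user_id, user_groups, app_id, source_ip):
    """Mirror the policy's include/exclude logic for one sign-in, offline.
    Returns 'not_applicable' (this policy does not block the sign-in), 'report_only' or 'blocked'."""
    cond = policy["conditions"]
    if app_id not in cond["applications"]["includeApplications"]:
        return "not_applicable"
    if user_id in cond["users"]["excludeUsers"] or not set(user_groups) & set(cond["users"]["includeGroups"]):
        return "not_applicable"
    ip = ipaddress.ip_address(source_ip)
    for loc in cond["locations"]["excludeLocations"]:
        if any(ip in ipaddress.ip_network(cidr) for cidr in cidrs_by_location[loc]):
            return "not_applicable"  # request arrived via the IDP proxy's address
    return "blocked" if policy["state"] == "enabled" else "report_only"


if __name__ == "__main__":
    loc_id = "<named-location-id>"  # Graph returns the real id when the location is created
    policy = policy_body("Require Keystrike Cloud Protector", loc_id, report_only=False)
    print(evaluate(policy, {loc_id: IDP_PROXY_CIDRS}, "alice", {PROTECTED_GROUP}, PROTECTED_APPS[0], "203.0.113.7"))
```

Running the evaluator against a sign-in log export is a quick way to predict which entries the report-only policy will flag before switching it to On.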