How to allow specific network in Intune MS365

  • Post by Weekend Wiki (Administrator)
    To allow a specific network in Microsoft Intune for your devices, you generally want to create a Conditional Access Policy that restricts access to corporate resources based on the network location. You can define trusted networks by using IP ranges (trusted locations) and then apply policies that allow access only from these networks.

    Here’s how to do it:

    1. Create a Trusted Location (IP Range)

    First, define the trusted network (such as an IP range) you want to allow.

    • Go to the Microsoft 365 Admin Center.
    • Navigate to Endpoint security > Conditional Access > Named locations.
    • Click + New location to create a new named location.
    • Select IP Range and provide the details for the trusted network’s IP range.
    • Name the location for easy identification.

    2. Create a Conditional Access Policy

    Now, create a Conditional Access Policy to restrict access based on the network location.

    • Go to Endpoint security > Conditional Access > Policies.
    • Click + New policy to create a new policy.
    • Name the policy (e.g., “Allow access from trusted network”).
    • Under Assignments, select the users or groups you want to apply this policy to.
    • In Cloud apps or actions, select the apps you want to target, such as Office 365 apps or SharePoint Online.
    • In Conditions, select Locations and enable Configure. Then, select the option to Include the trusted location you created earlier.
    • In Grant, choose to Grant access if the device is on a trusted network or meets any other required conditions you specify.
    • Optionally, configure other conditions (e.g., require MFA or compliant device).

    3. Enable the Policy

    Once the policy is configured, you can enable it. Make sure to test the policy with a small group of users to avoid disruptions.

    4. Monitor and Adjust

    After enabling the policy, monitor the Sign-ins report under Azure AD > Sign-ins to check how the policy is applied. Adjust as needed.

    By applying this Conditional Access policy, you restrict access to your corporate resources based on whether the user’s device is on the specific network you’ve allowed.


    Creating multiple Conditional Access Policies with different methods of enforcement can help secure your organization’s resources in various scenarios. Below are four example policies you can create using Microsoft Intune and Azure AD Conditional Access. Each policy has different conditions and enforcement actions to suit various business needs.

    1. Policy 1: Allow Access Only from Trusted IP Range (No MFA Required)

    • Name: Allow Access from Trusted Network (No MFA)
    • Users and Groups: Select a specific user group (e.g., Remote Workers)
    • Cloud Apps: Office 365, Exchange Online, SharePoint Online
    • Conditions:
      • Locations: Include trusted IP range (e.g., corporate office IP range)
    • Grant:
      • Grant access if the device is in the trusted IP range.
      • No MFA required.
    • Enable Policy: Yes

    Outcome: This policy allows users in the selected group to access corporate resources only from the specified trusted network without requiring MFA.


    2. Policy 2: Require MFA for External Access (All Locations)

    • Name: Require MFA for External Access
    • Users and Groups: All users
    • Cloud Apps: All apps or specific apps like Office 365, Exchange Online, Teams
    • Conditions:
      • Locations: Exclude trusted network locations (such as internal IP ranges)
    • Grant:
      • Require MFA for any access from outside the trusted IP range.
    • Enable Policy: Yes

    Outcome: This policy ensures that users who access resources from an external network (not within the trusted IP range) are required to perform MFA.


    3. Policy 3: Block Access for Jailbroken/Rooted Devices (All Locations)

    • Name: Block Jailbroken/Rooted Devices
    • Users and Groups: Select all users or specific group(s)
    • Cloud Apps: All apps or select critical apps (e.g., Exchange Online, SharePoint Online)
    • Conditions:
      • Device State: Include Jailbroken or rooted devices.
    • Grant:
      • Block access if the device is detected as jailbroken or rooted.
    • Enable Policy: Yes

    Outcome: This policy blocks users from accessing corporate resources using jailbroken or rooted devices to improve security.


    4. Policy 4: Require Device Compliance for Access (All Locations)

    • Name: Require Device Compliance
    • Users and Groups: Select all users or a specific group (e.g., employees)
    • Cloud Apps: Office 365, SharePoint, OneDrive
    • Conditions:
      • Device State: Only allow access if the device is compliant with Intune MDM policies (e.g., password requirements, encryption enabled).
    • Grant:
      • Grant access if the device is marked as compliant in Intune.
    • Enable Policy: Yes

    Outcome: This policy requires that only compliant devices (as per Intune policies) can access corporate resources, helping to enforce security controls.


    Summary of Policies

    Policy Name                                 | Conditions                                    | Grant Action          | Outcome
    Allow Access from Trusted Network (No MFA)  | Trusted IP Range                              | Grant access (No MFA) | No MFA required
    Require MFA for External Access             | External locations (exclude trusted networks) | Require MFA           | MFA enforced for external access
    Block Jailbroken/Rooted Devices             | Jailbroken/Rooted devices                     | Block access          | Prevent access from compromised devices
    Require Device Compliance                   | Only compliant devices                        | Grant access          | Access only on compliant devices

    These policies can be adjusted depending on your organization’s needs, ensuring a flexible yet secure access management solution.
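As an added example (editor's code, not part of the original post), here is the scripted equivalent of steps 1 to 4 and of the four example policies, using the Microsoft Graph PowerShell SDK. The group names, the CIDR range and the policy display names are placeholders. Two things the portal walkthrough leaves implicit: Conditional Access can only ever restrict access, so "allow only from the trusted network" has to be written as a block policy that excludes the named location (a grant policy that merely includes the trusted location does nothing to sign-ins from anywhere else); and there is no jailbroken/rooted condition in Conditional Access itself, so that check belongs in an Intune compliance policy and reaches Conditional Access through the "require compliant device" control. Every policy is created in report-only mode and a break-glass group is excluded, so the sign-in log shows what would have happened before anything is enforced.

```powershell
# Added example, not the original post's code. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph). Group names, CIDR and display names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All",
                        "DeviceManagementConfiguration.ReadWrite.All", "AuditLog.Read.All"

# --- Step 1: trusted named location for the corporate egress range (placeholder TEST-NET-3) ---
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Groups the policies reference (assumed to exist). The break-glass group is excluded
# from every policy so a misconfigured policy cannot lock all admins out.
$remoteWorkers = Get-MgGroup -Filter "displayName eq 'Remote Workers'"
$breakGlass    = Get-MgGroup -Filter "displayName eq 'CA Exclusions - Break Glass'"

# --- Step 2/3 helper: every policy starts in report-only mode; flip it to "enabled" later ---
function New-CAPolicy {
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    $Conditions.users.excludeGroups = @($breakGlass.Id)
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# Policy 1: "only from the trusted network" expressed as a block for every other location.
$p1 = New-CAPolicy -Name "Block Remote Workers outside corporate network" -Conditions @{
    users        = @{ includeGroups = @($remoteWorkers.Id) }
    applications = @{ includeApplications = @("Office365") }
    locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
} -Grant @{ operator = "OR"; builtInControls = @("block") }

# Policy 2: MFA for everyone signing in from outside any trusted named location.
$p2 = New-CAPolicy -Name "Require MFA for External Access" -Conditions @{
    users        = @{ includeUsers = @("All") }
    applications = @{ includeApplications = @("All") }
    locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
} -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# Policies 3 and 4: jailbreak/root detection is an Intune compliance setting. A device that
# fails it is marked non-compliant, and one "require compliant device" policy blocks it.
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter @{
    "@odata.type"                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                    = "iOS baseline"
    securityBlockJailbrokenDevices = $true
    passcodeRequired               = $true
    scheduledActionsForRule        = @(@{          # required by the API on create
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$p4 = New-CAPolicy -Name "Require Device Compliance" -Conditions @{
    users        = @{ includeUsers = @("All") }
    applications = @{ includeApplications = @("Office365") }
} -Grant @{ operator = "OR"; builtInControls = @("compliantDevice") }

# --- Step 4: read the sign-in log to see what report-only mode would have done ---
Get-MgAuditLogSignIn -Top 200 | ForEach-Object {
    $upn = $_.UserPrincipalName; $ip = $_.IPAddress
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -in "reportOnlyFailure", "reportOnlySuccess", "failure" } |
        ForEach-Object { "{0,-30} {1,-16} {2,-48} {3}" -f $upn, $ip, $_.DisplayName, $_.Result }
}

# Step 3 proper, once the report-only results look right (run per policy, e.g. $p2):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p2.Id -BodyParameter @{ state = "enabled" }
```

Enforce the policies one at a time after reviewing the report-only results, starting with the MFA policy. Dropping MFA on the trusted IP range (the post's policy 1) is a deliberate trade-off: anything that can source traffic from that range, including a compromised on-site workstation or a VPN concentrator, inherits the exemption, so treat the range as an attack surface rather than a proof of identity.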
