It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda SecureEdge
Overview Documentation Training Certification Materials

Microsoft 365 Conditional Access Deployment

  • Last updated on

Conditional Access (CA) policies are essentially if-then statements that combine signals to make decisions and enforce organizational policies. You can configure Zero Trust Access to Microsoft 365 applications by integrating SecureEdge Access with the Microsoft Entra Conditional Access feature. With Conditional Access enabled, users will encounter an error from Microsoft when accessing M365 without routing traffic through SecureEdge Access. This measure ensures compliance with Zero Trust Access policies.

Note that Conditional Access requires an extended Azure license (Microsoft Entra ID Premium).

Requirements

Step 1 Create a Named location.

  1. Log into the Azure portal: https://portal.azure.com

  2. Go to Conditional Access > Named locations

  3. Create a location with Edge Service IP addresses.

    az-01.png

  4. Create a policy. 
    Example policy: This policy blocks access to Microsoft 365 applications from all locations, excluding the “named location (Edge Service IP)” for all or selected users and groups.

    • Select users of the policy.

      2_EntraID_CA_Policy_Users.png

    • Select the Office 365 application.
      Note: If you are using Microsoft Entra ID as an Identity Provider for SecureEdge Access, the application that was automatically created during the Entra ID integration process should be excluded from the target resources.

      az-03.png

    • Set conditions to enforce this policy across all locations, excluding the “named location” you created.

      az-04.pngaz-05.png

    • Finally, select Block Access next to Grant.

      az-06.png

Step 2 Create the Resources. 

To create a custom web application:

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. The chosen Tenant/Workspace is displayed in the top menu bar.

  3. From drop-down menu, select the workspace you want to configure a custom web application for.

  4. Go to Security > Apps and Resources

  5. The Apps and Resources page opens. In the top right of the window, click New Custom Application.

  6. Select New Custom Web Application from the drop-down menu.

  7. The New Custom Web Application window opens. Specify values for the following:

    • In the GENERAL section, specify the following:

      • Name – Enter a name for the custom application.

      • Description – Enter a description for the custom application. 

    • In the APPLICATION ENDPOINTS section, specify the following:

      • Protocol – The protocol used by this custom application. It can be either an HTTP or HTTPS protocol.

      • Port – The port used by this custom application. It can be either port 80 or 443.

      • Destination – Enter the destination and click +. Note: You must add the following URLs:

        *.aadg.akadns.net 
*.msidentity.com 
outlook.office365.com 
*.aadg.trafficmanager.net 
login.microsoftonline.com 
Login.windows.net

  • In the CATEGORY section, specify the value for the following:

    • Category – Select the category from the drop-down menu.

      se-resource.png

  1. Click Save.

After the configuration is complete, your resources will be created. On the Apps and Resources page, you can see the new custom web application. For more information, see How to Create Custom Applications.

se-custom-app.png

Step 3  Create a Zero Trust Access Policy

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. The chosen Tenant/Workspace is displayed in the top menu bar.

  3. From drop-down menu, select the workspace you want to configure a zero trust access policy for.

  4. In the left menu, go to Security > Access and click Zero Trust Access.

  5. The Zero Trust Access page opens. To create a new zero trust access policy, click Add policy.

  6. The Create Zero Trust Access Policy window opens. In the Policy tab, specify values for the following:

    • Name – Enter a unique name for the policy.

    • Description – Enter a brief description.

    • In the RESOURCES section, specify values for the following:

      • Resources Type – Select a resource type. You can choose between Internal resources (custom apps) and Public endpoint (SaaS).

      • Resources – Select a resource from the drop-down list, or type to search.

    • In the ACCESS CRITERIA section, specify values for the following:

      • Users – Select a user from the drop-down list, or type to search.

      • Groups – Select a group from the drop-down list, or type to search.

      • Device Posture – Select a device posture from the drop-down list. You can choose between Enforce Compliance, Log Violations, Disable.

      • Security Inspection – Click to enable. 

        zta-pol-01.png

  7. Click Next.

  8. (Optional) In the Device Posture tab, specify values for the following:

    • Screen lock enabled – Click to enable. 

    • Firewall enabled – Click to enable.

    • Antivirus enabled – Click to enable.

    • Block jailbroken devices – Click to enable.

    • Enforce disk encryption – Click to enable/disable.

    • Barracuda SecureEdge Access Agent updates – Click to enable/disable.

    • OS updates – Click to enable/disable. Click + to add more than one OS platform.

      zta-pol-02.png

  9. Click Save.

  10. In the Create Zero Trust Access Policy window, verify the status of newly created zero trust access policy.

  11. Click Finish.

After the configuration is completed, your zero trust access policy will be created. On the Zero Trust Access page, you can see the new zero trust access policy. For more information, see Zero Trust Access Policies.

zta-policy-table.png