Use of ‘Conditional Access’ to reduce unauthorized access to Dynamics 365 CRM by location or IP

June 27, 2022

Introduction

Data breaches and unauthorized access are two of the prime headaches for any Dynamics 365 CRM administrator. Sometimes a situation arises where we want to block access to CRM from a specific location. This can be done using ‘Conditional Access’ in the Azure Portal. The prerequisites are:

  • A subscription to Azure Active Directory Premium
  • A federated Azure Active Directory tenant

Once you have made sure the above requirements are met, follow the steps below to set up conditional access.

This can be done in two different ways:

  1. By selecting a specific country or a set of countries.
    1. Use this when we want to block access to CRM from a specific country to make data more secure.
  2. By restricting a specific IP address range.
    1. Use this when we want to block access to CRM from a specific public IP address range.

So first, let’s see how to restrict access by selecting a specific country or a set of countries.

1. Log in to the Azure Portal.

2. In Services, search for Azure AD Conditional Access.

3. Conditional access works with two things:

      • Named Locations
      • Policies, which consist of the above-mentioned Named Locations

4. So, head over to the Named locations first.

5. For demonstration purposes, we are blocking access from the country Argentina.

6. After creating a new location, click on Policies -> New Policy.

7. While creating a new policy, you can choose to block either All Users or any number of particular users or Azure groups.

8. In the next step, choose which cloud apps should be blocked. You can select either all cloud apps or any number of particular cloud apps. Here, I’m selecting Common Data Service (which will block CRM access). Under ‘Enable Policy’, select ‘On’ and click ‘Create’.

9. In the conditions, select the location that we recently created.

10. Go to Access controls -> Under ‘Grant’, select Block access.

11. After successful creation, you will get a notification confirming it.

12. Now, when a user tries to access CRM from Argentina, an error message will be shown.

Now, we will see how to restrict by a specific IP address range.

  1. Log in to the Azure Portal.
  2. In Services, search for Azure AD Conditional Access.
  3. Head over to the Named locations first.

  4. In case of blocking access using IP address, follow the steps given below:

  5. While creating the policy, select the location we created in step 4 (Suspicious IP Range).

  6. Now, when a user tries to access CRM from the specific IP range, an error message will be shown.
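
Both named locations and the block policy can also be created from a script, which makes the configuration reviewable and repeatable. The following is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed, combines both locations in one policy for brevity, and uses constructed display names and a constructed sample range (203.0.113.0/24).

```powershell
# Added example: Microsoft Graph PowerShell equivalent of the portal steps above.
# Assumes the Microsoft.Graph module and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Method 1: country-based named location (Argentina, as in step 5).
$country = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked country - Argentina'   # constructed name
    countriesAndRegions               = @('AR')                         # ISO 3166-1 alpha-2 code
    includeUnknownCountriesAndRegions = $false
}

# Method 2: IP-based named location ("Suspicious IP Range" in the post).
$ipRange = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Suspicious IP Range'
    isTrusted     = $false
    ipRanges      = @(
        # Constructed sample: 203.0.113.0/24 is a documentation-only range.
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# App ID of the Common Data Service first-party app; confirm it under
# Enterprise applications in your own tenant before relying on it.
$cdsAppId = '00000007-0000-0000-c000-000000000000'

# Policy: all users + Common Data Service + the two locations => Block access.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block CRM from blocked locations'   # constructed name
    # 'enabled' matches "Enable Policy: On"; 'enabledForReportingButNotEnforced'
    # is the report-only state if you want to review the impact first.
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @($cdsAppId) }
        locations    = @{ includeLocations = @($country.Id, $ipRange.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Read the policy back to confirm what was stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, Id
```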

Conclusion

In this way, you can easily block a specific country or a group of IP addresses from accessing any or all of your global apps.