Enable compliant network check with Conditional Access

Organizations who use Conditional Access along with the Global Secure Access, can prevent malicious access to Microsoft apps, third-party SaaS apps, and private line-of-business (LoB) apps using multiple conditions to provide defense-in-depth. These conditions might include device compliance, location, and more to provide protection against user identity or token theft. Global Secure Access introduces the concept of a compliant network within Microsoft Entra ID Conditional Access. This compliant network check ensures users connect from a verified network connectivity model for their specific tenant and are compliant with security policies enforced by administrators.

The Global Secure Access Client installed on devices or users behind configured remote networks allows administrators to secure resources behind a compliant network with advanced Conditional Access controls. This compliant network feature makes it easier for administrators to manage access policies, without having to maintain a list of egress IP addresses. This removes the requirement to hairpin traffic through organization's VPN.

Compliant network check enforcement

Compliant network enforcement reduces the risk of token theft/replay attacks. Compliant network enforcement happens at the authentication plane (generally available) and at the data plane (preview). Authentication plane enforcement is performed by Microsoft Entra ID at the time of user authentication. If an adversary has stolen a session token and attempts to replay it from a device that is not connected to your organization’s compliant network (for example, requesting an access token with a stolen refresh token), Entra ID will immediately deny the request and further access will be blocked. Data plane enforcement works with services that support Continuous Access Evaluation (CAE) - currently, only SharePoint Online. With apps that support CAE, stolen access tokens that are replayed outside your tenant’s compliant network will be rejected by the application in near-real time. Without CAE, a stolen access token will last up to its full lifetime (default 60-90 minutes).

This compliant network check is specific to each tenant.

  • Using this check you can ensure that other organizations using Microsoft's Global Secure Access services can't access your resources.
    • For example: Contoso can protect their services like Exchange Online and SharePoint Online behind their compliant network check to ensure only Contoso users can access these resources.
    • If another organization like Fabrikam was using a compliant network check, they wouldn't pass Contoso's compliant network check.

The compliant network is different than IPv4, IPv6, or geographic locations you might configure in Microsoft Entra. Administrators are not required to review and maintain compliant network IP addresses/ranges, strengthening the security posture and minimizing the ongoing administrative overhead.

Prerequisites

Known limitations

  • Compliant network check data plane enforcement (preview) with Continuous Access Evaluation is supported for SharePoint Online and Exchange Online.
  • Enabling Global Secure Access Conditional Access signaling enables signaling for both authentication plane (Microsoft Entra ID) and data plane signaling (preview). It is not currently possible to enable these settings separately.
  • Compliant network check is currently not supported for Private Access applications.
  • After a Windows device resumes from sleep or hibernate, the Teams client may display an error banner prompting the user to sign in. This happens because the Teams client is attempting to connect to SharePoint online prior to the GSA client establishing a tunnel for the Microsoft traffic profile, which fails the Compliant Network check. Clicking the 'Sign In' button after the GSA client is reconnected will resume the user session in Teams.

Enable Global Secure Access signaling for Conditional Access

To enable the required setting to allow the compliant network check, an administrator must take the following steps.

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access > Settings > Session management > Adaptive access.
  3. Select the toggle to Enable CA Signaling for Entra ID (covering all cloud apps). This will automatically enable CAE signaling for Office 365 (preview).
  4. Browse to Protection > Conditional Access > Named locations.
    1. Confirm you have a location called All Compliant Network locations with location type Network Access. Organizations can optionally mark this location as trusted.

Screenshot showing the toggle to enable signaling in Conditional Access.

Caution

If your organization has active Conditional Access policies based on compliant network check, and you disable Global Secure Access signaling in Conditional Access, you may unintentionally block targeted end-users from being able to access the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.

Protect your resources behind the compliant network

The compliant network Conditional Access policy can be used to protect your Microsoft and third-party applications. A typical policy will have a 'Block' grant for all network locations except Compliant Network. The following example demonstrates the steps to configure this type of policy:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  6. Under Target resources > Include, and select All resources (formerly 'All cloud apps').
    1. If your organization is enrolling devices into Microsoft Intune, it is recommended to exclude the applications Microsoft Intune Enrollment and Microsoft Intune from your Conditional Access policy to avoid a circular dependency.
  7. Under Network.
    1. Set Configure to Yes.
    2. Under Include, select Any location.
    3. Under Exclude, select the All Compliant Network locations location.
  8. Under Access controls:
    1. Grant, select Block Access, and select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select the Create button to create to enable your policy.

Note

Use Global Secure Access along with Conditional Access policies that require a Compliant Network for All Resources.

Global Secure Access resources are automatically excluded from the Conditional Access policy when Compliant Network is enabled in the policy. There's no explicit resource exclusion required. These automatic exclusions are required to ensure the Global Secure Access client is not blocked from accessing the resources it needs. The resources Global Secure Access needs are:

  • Global Secure Access Traffic Profiles
  • Global Secure Access Policy Service (internal service)

Sign-in events for authentication of excluded Global Secure Access resources appear in the Microsoft Entra ID sign-in logs as:

  • Internet resources with Global Secure Access
  • Microsoft apps with Global Secure Access
  • All private resources with Global Secure Access
  • ZTNA Policy Service

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario all administrators are locked out, your emergency-access administrative account can be used to log in and take steps to recover access.
  • Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

Try your compliant network policy

  1. On an end-user device with the Global Secure Access client installed and running, browse to https://outlook.office.com/mail/ or https://yourcompanyname.sharepoint.com/, you have access to resources.
  2. Pause the Global Secure Access client by right-clicking the application in the Windows tray and selecting Pause.
  3. Browse to https://outlook.office.com/mail/ or https://yourcompanyname.sharepoint.com/, you're blocked from accessing resources with an error message that says You cannot access this right now.

Screenshot showing error message in browser window You can't access this right now.

Troubleshooting

Verify the new named location was automatically created using Microsoft Graph.

GET https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations

Screenshot showing Graph Explorer results of query

Next steps

Universal Tenant Restrictions