Azure AD Conditional Access (CA) rules can be implemented to provide an additional layer of security by integrating with the virtual machines (VMs) deployed by the Frame orchestrator. Administrators can define conditions that must be met before users can access certain applications and/or resources. By combining consistent IP addresses with Azure AD CA rules, organizations can better safeguard their VMs and protect against potential security threats.
In this solution guide, I will provide detailed steps describing how to integrate Azure AD Conditional Access Rules with Frame. We'll start by configuring a Frame account where access to Office 365 (O365) Cloud Services will be allowed from the Frame workload virtual machines (VMs) deployed in Azure. The same logic and configuration can also be applied to other scenarios (denying access to other VMs, requiring multi-factor authentication, etc.).
In order for this configuration to work with Microsoft Azure, you will need to use a Frame Account with Customer-Managed Networking.
In this guide, we will show you how to:
- Create a Customer-managed Virtual Network (VNet) using Azure
- Create a NAT Gateway (NAT GW) and assign it to the subnet of your VNet
- Create Azure AD Conditional Access Rules (Azure AD CA Rules) to allow access to O365 from within Frame workload VMs.
- Create a Frame Account with Customer-Managed Network
With this configuration, the public-facing IP address of the Internet-connected VMs is always the same. Once this is in place, Azure AD Conditional Access (CA) rules can be implemented to provide an additional layer of security.
The following configuration is specific to Azure. However, the networking specifics are generic and can be applied to any other cloud/hybrid infrastructure (AWS, GCP, AHV, etc).
1. Create a Customer-managed Virtual Network (VNet) in Azure
Start by going to the Azure Portal and logging in to an account with a user that has the "Contributor" or "Network Contributor" role assigned at the Subscription level in the Azure Active Directory tenant.
Next, using the Official Microsoft guide, create a Virtual Network.
Here is a summary of my VNET for reference:
No public IP addresses are assigned as we want our Frame workload VMs to have only private IP addresses assigned to the network interface cards (NICs).
2. Create and Configure the Azure NAT Gateway
Now we'll move on to create a NAT Gateway (NAT GW) with one public-facing IP address. From there, we will assign that NAT GW to the subnet of our VNET.
Again, we will go to the Azure Portal https://portal.azure.com/ and log in to an account with a user that has the "Contributor" or "Network Contributor" role assigned at the Subscription level in the Azure Active Directory tenant.
Following the instructions in the Official Microsoft guide, create a NAT GW.
Create a new public IP address; do not use a Public IP prefix.
For reference, here is the summary for my NAT GW:
I assigned this NAT GW to demo_subnet, which was deployed in the previous step as part of VNet_demo_01. The result of this configuration, from the perspective of the Frame workload VMs, is that every VM will have a private IP address assigned to its NIC; however, the public-facing IP address (the IP address through which the VM gains access to the Internet) will always be the same one assigned from the NAT GW.
3. Create Azure AD Conditional Access Rule
Now it's time to allow access to Office 365 services only from the NAT Gateway's public IP address by setting up an Azure AD Conditional Access Rule.
RBAC (Role-Based Access Control) Requirements
To create and manage Azure AD Conditional Access Rules in Azure, you need to have the "Global Administrator", "Security Administrator" or "Conditional Access Administrator" role assigned to your account.
To create Conditional Access rules in Azure AD, you will also need one of the following licenses:
- Azure AD Premium P1 license or
- Azure AD Premium P2 license or
- Microsoft 365 E5 or Enterprise Mobility + Security E5
Step 1. Create Named Location
Go to your Azure Active Directory Console and click on Security under the Manage section.
Under the Manage section, click on Named locations.
On this page, click on the ➕ IP ranges location button and enter a name. Then check the "Mark as trusted location" checkbox, click on the ➕ button below, and add the Outbound IP Address of your NAT GW followed by /32. Finally, click on Create.
Step 2. Create Conditional Access Rule
Under the Protect section, open the Conditional Access tab.
Select ➕ New Policy.
Provide a name for your new policy. Under the Assignment section, select Users, then select users and/or a group of users who will be protected by this policy. In our case, we chose All Users, but you can select only users that will be accessing Frame, as an example.
Next, go to Cloud Apps or actions and choose the Select apps option from the Include section, then click Select, search for “Office 365” and select it. You should see this screen:
In the Conditions tab, go to Location, choose Selected locations, click Select and pick the Named Location with the NAT GW's Public IP that you created before. Don't forget to click Select.
Next, click Grant under Access Control and select Grant Access and Require multi-factor authentication. Note that the location was marked as trusted when you created the named location, so in this scenario users will not be asked for MFA every time they try to access O365 services.
Lastly, we will set Enable policy to “On” and hit the Create button.
You must ensure this policy does not affect other services. We strongly advise that you choose “Report-only” first for testing purposes. Once you have confirmed that no other service disruption could occur, you can confidently enable this in your production environment.
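The same Named Location and Conditional Access policy from Step 1 and Step 2 can be created through the Microsoft Graph API instead of the portal. The following is an added example (not Frame's or Microsoft's code) that builds the request bodies for `POST /identity/conditionalAccess/namedLocations` and `POST /identity/conditionalAccess/policies`, defaults the policy to Report-only as advised above, and checks offline that the policy actually covers the NAT GW address; `NAT_GW_IP` and the policy names are constructed placeholders, and the named-location id is the one Graph returns after the first POST.

```python
"""Build the Graph request bodies for the trusted Named Location (Step 1)
and the Conditional Access policy (Step 2). Added example; NAT_GW_IP is a
constructed placeholder, not a real NAT Gateway address."""
import ipaddress
import json

NAT_GW_IP = "203.0.113.10"  # constructed placeholder: your NAT GW outbound IP


def named_location_body(name: str, nat_gw_ip: str) -> dict:
    """Body for POST /identity/conditionalAccess/namedLocations: a single
    trusted IPv4 host (/32). Rejects anything that is not one IPv4 address."""
    host = ipaddress.ip_address(nat_gw_ip)
    if host.version != 4:
        raise ValueError("NAT GW outbound address must be a single IPv4 host")
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": f"{host}/32"}],
    }


def ca_policy_body(name: str, location_id: str, enforce: bool = False) -> dict:
    """Body for POST /identity/conditionalAccess/policies: all users, the
    Office 365 app group, only the NAT GW location, grant with MFA.
    Stays in report-only mode until enforce=True, as the guide advises."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "locations": {"includeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def covers_nat_gw(policy: dict, location: dict, location_id: str, client_ip: str) -> bool:
    """Offline sanity check: does the policy's location condition match client_ip?"""
    if location_id not in policy["conditions"]["locations"]["includeLocations"]:
        return False
    nets = [ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"]]
    return any(ipaddress.ip_address(client_ip) in n for n in nets)


if __name__ == "__main__":
    loc = named_location_body("Frame NAT GW", NAT_GW_IP)
    pol = ca_policy_body("O365 from Frame VMs", "<id returned by Graph>")
    print(json.dumps(loc, indent=2))
    print(json.dumps(pol, indent=2))
```

The printed bodies can be submitted with `az rest --method POST --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/... --body @file.json` by an account holding one of the roles listed above.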
4. Create a Frame Account with a Customer-Managed Network
Now you have everything ready to create your Frame Account with workload VMs whose access to O365 will be granted by Azure AD. Once you confirm that everything is working correctly, you can use the same logic to deny access to other VMs in your tenant if that is required, or to allow/deny access to other cloud services as well.
In order to create a new Frame Account, you need to have a Customer Administrator or Organization Administrator Role.
Log in to your Frame environment, navigate to the Organization where you wish to deploy your new Frame Account and create a new account.
Enter the initial details: account name, Account URL, Cloud Provider, and Region. Under Networking choose Customer-Managed Networking. A new option will appear to select the VNet with the Subnet to which the NAT GW is attached. Select Private Mode, as you want your workloads to have only private IPs assigned to their NICs. Click Next.
Select your desired Base Image Family, Instance Type, and then confirm that you have the proper Microsoft Windows 10 licensing. Click Next.
Review the Summary Page and click Create.
Once you are in your Frame Account, add a Launchpad and click the Publish button to begin publishing. Now it is time to log in as an end user, start the Frame Session, and check that the configuration is working.
That's it! Your Frame workload VMs receive private IP addresses from the VNet's private IP range, their public-facing IP address is the one from the NAT GW, and your Azure AD Conditional Access Rule is allowing access to Office 365 services.