Creating a conditional access policy

You need to configure a conditional access policy to restrict users from directly accessing Microsoft 365 applications.

Steps

  1. If you are not already in Azure, sign in to the Azure Portal with an Azure administrator account.
  2. Navigate to Microsoft Entra ID > Security > Conditional Access.
  3. Click Create new policy.
  4. On the New Conditional Access policy page, enter a Name for the policy.
  5. Under Assignments, select the Users and groups to be blocked from direct access.
    1. Click Users.
    2. On the Include tab, select the Select users and groups option.
    3. Check the Users and groups checkbox and then select at least one user or group to be blocked. Make sure to exclude the admin user, so the policy cannot lock administrators out of the tenant.
  6. Under Assignments, select the Target resources to be blocked. The Microsoft cloud applications you select here will be blocked from direct access.
    1. Click Target resources.
    2. Select Cloud apps from the Select what this policy applies to drop-down.
    3. Under Include, select Select apps and choose the specific Microsoft cloud applications to block, such as Office 365, Outlook, or Teams. Select every application to which you wish to restrict direct access.
  7. Under Assignments, add a condition to exclude the Forcepoint ONE SSE IP ranges:
    1. Click Conditions.
    2. Click Locations.
    3. Under Configure, click Yes.
    4. Under Exclude, select the named location you created.
  8. Under Access controls, click Grant and then select Block access.
    This blocks access from all locations except the excluded named locations selected above.
  9. Under Enable policy, click On.
  10. Click Create.
    After you create the conditional access policy, you may need to wait around 15 minutes for the policy to propagate. Once it is in effect, direct access to the selected Microsoft 365 applications is restricted based on the policy you created.
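The same policy can be created and checked from Microsoft Graph PowerShell instead of the portal. The script below is an added example, not part of the Forcepoint documentation; the group, admin and named-location object IDs are placeholders you must replace with the values from your own tenant.

```powershell
# Added example: build the Conditional Access policy described in the steps above
# with the Microsoft Graph PowerShell SDK. All object IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$blockedGroupId    = "<object-id-of-group-to-block>"                   # users denied direct access
$excludedAdminId   = "<object-id-of-admin-to-exclude>"                 # admin kept out of scope to avoid lockout
$sseNamedLocation  = "<object-id-of-Forcepoint-ONE-SSE-named-location>" # named location holding the SSE IP ranges

$policy = @{
    displayName = "Block direct access to Microsoft 365 (allow Forcepoint ONE SSE only)"
    # "enabledForReportingButNotEnforced" runs the policy in report-only mode first;
    # switch to "enabled" once sign-in logs show only the expected users being blocked.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($blockedGroupId)
            excludeUsers  = @($excludedAdminId)
        }
        applications = @{
            # "Office365" is Entra's built-in identifier for the Office 365 application group
            includeApplications = @("Office365")
        }
        locations = @{
            includeLocations = @("All")              # policy applies from every location ...
            excludeLocations = @($sseNamedLocation)  # ... except traffic arriving via Forcepoint ONE SSE
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                 # Grant > Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the two exclusions that keep the policy safe are present.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $excludedAdminId) {
    Write-Warning "Admin exclusion missing: this policy could lock administrators out."
}
if ($check.Conditions.Locations.ExcludeLocations -notcontains $sseNamedLocation) {
    Write-Warning "SSE named location not excluded: proxied traffic would also be blocked."
}
Write-Output "Policy '$($check.DisplayName)' created with state '$($check.State)'."
```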