Recommended Security Practices for Azure Apps Configuration to Protect M365, D365 or EntraID Workloads
Article ID: 86560
Article Type: Troubleshooting
Last Modified:
As part of our commitment to ensuring the highest level of security for your digital assets, we recommend:
Using the custom configuration of Azure apps for M365, D365, and Entra ID backups.
Applying a Microsoft Conditional Access policy that defines a specific range of IP addresses, so that the Azure apps created for M365, D365, and Entra ID (formerly Azure AD) backup can only sign in from those addresses.
Rotating your client secret every 90 days in the Azure portal and updating it in the Command Center.
Implementing these practices will help safeguard your data and enhance the overall security of your applications.
The steps below describe how to apply a Conditional Access policy that restricts all your backup Azure apps to a specific range of IP addresses. For the custom configuration of Azure apps, or for guidance on changing your client secret, refer to the Related Topics section.
Symptoms
NA
Resolution
To complete the steps mentioned below, ensure you have:
A Microsoft Entra ID P2 license (formerly Azure AD Premium P2)
A Microsoft Entra Workload ID Premium license, which is required for Conditional Access policies that target service principals (workload identities)
Procedure:
1. Log in to the Microsoft Entra admin center.
2. In the navigation pane, click Conditional Access.
   The Conditional Access | Overview page appears.
3. In the left pane, under Manage, click Named locations.
   A named location is the set of public IP ranges from which you want the Azure apps to be allowed to sign in. For backup apps, these are the public egress addresses of your backup access nodes (the NAT or firewall addresses that Microsoft sees, not the nodes' private addresses).
4. At the top of the page, click IP ranges location.
   The New location (IP ranges) screen appears.
5. Enter the required details, and then click Create.
   Name: Enter a name for the IP range.
   Mark as trusted location: Select the check box to mark the IP range as trusted.
   IP ranges: Add each range in CIDR notation (for example, 203.0.113.0/24 for a range, or 203.0.113.10/32 for a single address).
6. In the left pane, click Policies.
   The Conditional Access | Policies page appears.
7. In the upper-left area of the page, click New policy.
   The New Conditional Access policy screen appears.
8. Enter a Name for the policy.
9. On the Users or workload identities tab:
   a. From the What does this policy apply to? dropdown, select Workload identities.
   b. Under Include, choose Select service principals, and then under Select, click None.
   c. On the Select service principals screen, choose the Azure apps you want to include in the policy, and then click Select.
      You can use the Search field to find the apps you want to add.
10. On the Target resources tab:
   a. Leave the Resources (formerly cloud apps) dropdown option selected.
   b. Under Include, choose the All resources (formerly 'All cloud apps') option.
11. On the Network tab:
   a. Move the Configure toggle to Yes.
   b. Under Include, leave Any network or location selected.
   c. Under Exclude, choose Selected networks and locations, and then under Select, click None.
   d. On the Select networks screen that appears, select the named location you created in step 5, and then click Save.
   With this combination the policy applies to sign-ins from every network except the excluded backup-node ranges.
12. On the Grant tab:
   a. Select Block access.
   b. Click Select.
13. Move the Enable policy toggle to On, and then click Create.
   Caveat: the policy blocks the selected apps from every IP address outside the named location, so a missing or wrong range stops your backups rather than only attackers. Before you turn the policy on, check the service principal sign-in logs for the selected apps and confirm that their recent sign-ins originate from addresses inside the named location; any other address will be blocked once the policy is enabled.
Once the policy is created, Policy impact (Preview) becomes available under the policy after 7 days.
You can also configure alerts for blocked sign-in attempts: in the service principal sign-in logs, filter on the selected Azure apps and on a Conditional Access status of Failure, and raise an alert when such entries appear. A blocked backup sign-in is either an attempt from an unexpected network or a backup access node whose public address is missing from the named location, and both need attention.
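The same configuration, as an added example that is not part of the original article and not the backup product's own tooling: the named location and the Conditional Access policy from the procedure above, created with the Microsoft Graph PowerShell SDK, preceded by the pre-flight check that every recent sign-in by the selected apps comes from inside the ranges. Assumed: the Microsoft.Graph module is installed, the signed-in administrator can manage Conditional Access and read sign-in logs, and the app display names, IP ranges (RFC 5737 documentation addresses) and policy name are placeholders to replace with your own.

```powershell
# Added example, not from the original article. Placeholders: app display
# names, IP ranges (documentation addresses) and policy name.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

# Public egress ranges of the backup access nodes (placeholders).
$backupRanges = @('203.0.113.0/24', '198.51.100.10/32')
# Display names of the backup Azure apps (placeholders).
$appNames     = @('M365 Backup App', 'D365 Backup App')

# IPv4-only CIDR membership test used by the pre-flight check below.
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($a.Length -ne 4 -or $n.Length -ne 4) { return $false }   # IPv6 is treated as outside
    $full = [int][math]::Floor([int]$prefix / 8)
    $rem  = [int]$prefix % 8
    for ($i = 0; $i -lt 4; $i++) {
        # Mask for this octet: all bits, the leading $rem bits, or none.
        $m = if ($i -lt $full) { 255 } elseif ($i -eq $full) { (0xFF -shl (8 - $rem)) -band 0xFF } else { 0 }
        if (($a[$i] -band $m) -ne ($n[$i] -band $m)) { return $false }
    }
    return $true
}

# Resolve the service principal object IDs of the backup apps.
$servicePrincipalIds = foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found" }
    $sp.Id
}

# Pre-flight: recent sign-ins by these apps must all originate inside the
# ranges, otherwise the Block policy would stop backups, not just attackers.
$recent = Get-MgAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'servicePrincipal')" -Top 500 |
    Where-Object { $servicePrincipalIds -contains $_.ServicePrincipalId -and $_.IPAddress }
$outside = $recent | Where-Object {
    $ip = $_.IPAddress
    -not ($backupRanges | Where-Object { Test-IPv4InCidr -Address $ip -Cidr $_ })
} | Select-Object -ExpandProperty IPAddress -Unique
if ($outside) { throw "Sign-ins seen from IPs outside the named location: $($outside -join ', ')" }

# Named location: the same fields as the portal's New location (IP ranges) screen.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Backup access nodes'
    isTrusted     = $true
    ipRanges      = @($backupRanges | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ } })
}

# Policy: selected service principals, all resources, any network except the
# excluded named location, grant control Block; enabled on creation.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block backup apps outside backup access nodes'
    state         = 'enabled'
    conditions    = @{
        clientApplications = @{ includeServicePrincipals = @($servicePrincipalIds) }
        applications       = @{ includeApplications = @('All') }
        locations          = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created policy $($policy.Id) (state: $($policy.State)) excluding location $($location.Id)"
```

The pre-flight check throws instead of creating the policy when any recent sign-in falls outside the ranges, which is the failure mode the procedure's caveat warns about; the Graph request bodies mirror the portal choices step by step (clientApplications for the Users or workload identities tab, applications for Target resources, locations with includeLocations All and the named location excluded for Network, and builtInControls block for Grant).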
Related Topics:
To create a custom Office 365 app in the Command Center, see: