Create a Conditional Access Policy for Dynamics 365 Azure Apps

Follow these steps to apply Microsoft’s Conditional Access policy and define a specific IP address range to securely manage access to all your Azure applications.

Before You Begin

• Disclaimer: This procedure is performed using the Microsoft Entra admin center. The application is subject to change without notice. Consult Microsoft documentation, for example, see Microsoft Entra Conditional Access documentation.

• To complete the steps mentioned below, ensure you have the following:

  • An Azure P2 license

  • A Microsoft Entra Workload ID

  • The Policy.Read.All application permission enabled in your Azure APIs

Procedure

1. Sign in to the Microsoft Entra admin center.

2. On the navigational pane, click Conditional access.

   The Conditional access | Overview page appears.

3. On the left panel, under Manage, click Named locations.

   Named locations represent the network nodes or geographic regions from which your application can be accessed. These may include backup access nodes or other trusted infrastructure endpoints.

4. At the top of the page, click IP ranges location.

   The New IP location screen appears.

5. Enter the required details and then click Create.

   • Name: Enter a name for the IP range.

   • Mark as trusted location: Select the check box to mark the IP range as trusted.

   • button: Click the button and Enter a new IPv4 or IPv6 range, and then click Add.

     Refer to Commvault Cloud Service Endpoints IP Addresses for Microsoft 365, SaaS Apps, Google Workspace, Azure and AWS Workloads for the list of latest IP addresses.

6. On the left pane, click Policies.

   The Conditional Access | Policies page appears.

7. On the upper-left area of the page, click New policy.

   The New Conditional Access policy screen appears.

8. Enter a Name for the policy.

9. Configure the remaining required Assignments, and then click Create.

   • On the User or workload identities tab:

     1. On the Select service principals screen, choose the Azure apps you want to include in the policy, and then click Select.

        You can use the Search field to find the apps you want to add.

        

     2. Select Workload identities from the What does this policy apply to dropdown.

     3. Under Include, choose Select service principals, and then under Select, click None.

   • On the Target resources tab:

     1. Leave the Resources (formerly cloud apps) dropdown option selected.

     2. Under Include, choose the All resources (formerly 'All cloud apps') option.

   • On the Network tab:

     1. On the Select networks screen that appears, select the newly created IP range (done in step 5.) from the list of networks, and then click Save.

        

     2. Set the Configure toggle key to Yes.

     3. Under Exclude, choose the Selected network and locations option, and then under Select, click None.

   • On the Grant tab:

     1. On the Grant screen that appears, select Block access.

     2. Click Select.

   • Set the Enable policy toggle key to On.