To limit access to your web application so that notifications can only be sent from your internal network and Azure App Service, you can utilize Conditional Access policies in Microsoft Entra ID. Here are some steps to consider:
- Public IP Address: As you mentioned, you can create a Conditional Access policy that includes your organization's public IP address. This will restrict access to users connecting from that IP range.
- Azure App Service: For Azure App Service, you can implement location-based Conditional Access policies. This allows you to define named locations that include the IP ranges used by Azure services. You can mark these locations as trusted, which can help in managing access from Azure App Service.
- Authentication Context: If your application is using the on-behalf-of flow or accessing multiple services, ensure that you implement the necessary code to support Conditional Access policies. This may involve using the Microsoft Authentication Library (MSAL) to handle token requests appropriately.
- Testing Policies: After setting up your Conditional Access policies, test them to ensure that they are functioning as expected. You can adjust conditions or settings based on the results of your testing.
By combining these strategies, you can effectively limit access to your application based on the source of the request, ensuring that only authenticated users from your internal network and Azure App Service can send notifications.