Enable compliant network check with Conditional Access

Organizations that use Conditional Access along with Global Secure Access can prevent malicious access to Microsoft apps, third-party SaaS apps, and private line-of-business (LoB) apps by using multiple conditions to provide defense-in-depth. These conditions might include strong factor authentication, device compliance, location, and others. Enabling these conditions protects your organization against user identity compromise or token theft. Global Secure Access introduces the concept of a compliant network within Microsoft Entra ID Conditional Access. This compliant network check ensures users connect through the Global Secure Access service for their specific tenant and are compliant with security policies enforced by administrators.

By using the Global Secure Access client installed on devices or users behind configured remote networks, administrators can secure resources behind a compliant network by using advanced Conditional Access controls. This compliant network feature makes it easier for administrators to manage access policies without having to maintain a list of egress IP addresses. It also removes the requirement to hairpin traffic through your organization's VPN to maintain source IP anchoring and apply IP-based Conditional Access policies. For more information, see What is Conditional Access?

Compliant network check enforcement

Compliant network enforcement reduces the risk of token theft and replay attacks. Microsoft Entra ID performs authentication plane enforcement at the time of user authentication. If an adversary steals a session token and attempts to replay it from a device that isn't connected to your organization's compliant network (for example, by requesting an access token with a stolen refresh token), Microsoft Entra ID immediately denies the request and blocks further access. Data plane enforcement works with services integrated with Global Secure Access that support Continuous Access Evaluation (CAE), such as Microsoft Graph. By using apps that support CAE, stolen access tokens that are replayed outside your tenant's compliant network are rejected by the application in near-real time. Without CAE, a stolen access token remains valid for its full lifetime (default is between 60 and 90 minutes).

This compliant network check is specific to the tenant in which you configure it. For example, if you define a Conditional Access policy requiring compliant network in contoso.com, only users with Global Secure Access or with the Remote Network configuration can pass this control. A user from fabrikam.com can't pass contoso.com's compliant network policy.

The compliant network is different from IPv4, IPv6, or geographic locations you might configure in Microsoft Entra. Administrators don't need to review and maintain compliant network IP addresses or ranges, which strengthens the security posture and minimizes the administrative overhead.

Prerequisites

• Administrators who interact with Global Secure Access features must have one or more of the following role assignments depending on the tasks they're performing:
  • The Global Secure Access Administrator role to manage the Global Secure Access features.
  • The Conditional Access Administrator role to enable Global Secure Access signaling for Conditional Access, and to create and interact with Conditional Access policies and named locations.
• The product requires licensing. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.

Known limitations

For detailed information about known issues and limitations, see Known limitations for Global Secure Access.

Enable Global Secure Access signaling for Conditional Access

To enable the setting that allows the compliant network check, an administrator must take the following steps.

1. Sign in to the Microsoft Entra admin center with an account that has the Global Secure Access Administrator and Conditional Access Administrator roles activated.

2. Browse to Global Secure Access > Settings > Session management > Adaptive access.

3. Select the toggle to Enable Conditional Access Signaling for Microsoft Entra ID.

   

4. Browse to Entra ID > Conditional Access > Named locations.

   1. Confirm you have a location called All Compliant Network locations with location type Network Access. You can optionally mark this location as trusted.

Protect your resources behind the compliant network

Use the compliant network Conditional Access policy to protect your Microsoft and third-party applications that use Microsoft Entra ID single sign-on. A typical policy blocks all network locations except compliant networks. The following example shows how to configure this policy type:

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Entra ID > Conditional Access.
3. Select Create new policy.
4. Enter a name for your policy. Create a meaningful standard for the names of your policies for your organization.
5. Under Assignments, select Users or workload identities.
   1. Under Include, select All users.
   2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
6. Under Target resources > Include, select All resources (formerly 'All cloud apps').
   1. If your organization enrolls devices into Microsoft Intune, exclude the applications Microsoft Intune Enrollment and Microsoft Intune from your Conditional Access policy to avoid a circular dependency.
7. Under Network:
   1. Set Configure to Yes.
   2. Under Include, select Any location.
   3. Under Exclude, select the All Compliant Network locations location.
8. Under Access controls:
   1. Grant, select Block Access, and select Select.
9. Confirm your settings and set Enable policy to On.
10. Select Create to enable your policy.

Mobile app support

The Global Secure Access mobile app is part of the Defender app. You need to add exclusions to make sure the Defender client can access the resources it needs. To exclude Defender resources from Conditional Access policies, see Microsoft Defender mobile app exclusion from Conditional Access policies.

For more information, see Mobile resources for Microsoft Defender for Endpoint.

User exclusions

Conditional Access policies are powerful tools. We recommend excluding the following accounts from your policies:

• Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario where all administrators are locked out, your emergency access administrative account can be used to sign in and recover access.
  • More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
• Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are noninteractive accounts that aren't tied to any specific user. They're typically used by backend services to allow programmatic access to applications, but they're also used to sign in to systems for administrative purposes. Calls made by service principals aren't blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies that target service principals.
  • If your organization uses these accounts in scripts or code, replace them with managed identities.

Try your compliant network policy

1. On an end-user device with the Global Secure Access client installed and running, browse to https://myapps.microsoft.com or any other application that uses Microsoft Entra ID single sign-on in your tenant.
2. Pause the Global Secure Access client by right-clicking the application in the Windows tray and selecting Disable.
3. After disabling the Global Secure Access client, access another application integrated with Microsoft Entra ID single sign-on. For example, you can try signing in to the Azure portal. Microsoft Entra ID Conditional Access blocks your access.

Next steps

Universal Tenant Restrictions