Azure IP Whitelisting for SSO Attempts.

GGHC
We use an IdP (Onelogin) for SSO with Azure. Ever since we started with Azure there have been unauthorized login attempts causing user lockouts on the Onelogin side. I need to whitelist the IPs on the Azure side that are able to send SSO login attempts.
We want the request to go to SSO, but only if it meets the IP whitelisting first.
Azure/Onelogin uses WS-Trust for authentication.
I checked with Onelogin; they don't offer anything that would prevent an authentication attempt based on IP for a WS-Trust auth from Azure.
MaheshArchitect
Distinguished Expert 2018

Commented:
You can use an Azure conditional access policy, where you can block access attempts from all IPs except whitelisted IPs.

IP whitelisting can be found under Azure MFA advanced properties \ settings.

They call it trusted IPs:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Conditional access policies do need Azure premium licenses:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Author

Commented:
Thanks.
I want to add a better description of what is being used in Azure. We are using Office 365, which includes Azure AD (Free version).

My scenario is a little bit different because I do use a 3rd party IdP for SSO. I am looking for something on the Azure/Office side to prevent an SSO attempt unless the client IP is within our IP whitelisting on Azure/Office (which is what I'm trying to find out if possible).
Architect
Distinguished Expert 2018
Commented:
Azure has a full suite of features to restrict access, but you need to use Azure native technology only for that.
As soon as 3rd party IdP SSO tools come in between, you need to rely on their end to control access on those SSO tools, because Azure cannot control those.

Author

Commented:
I called the Office365 support and that is exactly what they said. I may consider using local ADFS just for Office apps.
