Protect access to Microsoft 365 with dedicated egress IPs
This tutorial covers how to secure access to your Microsoft 365 applications with Cloudflare Gateway dedicated egress IPs.
You can map a named location in Microsoft Entra ID to a location associated with your dedicated egress IPs. Traffic will egress from Cloudflare with these IP addresses. If users attempt to access your Microsoft applications without these IPs, Entra ID will block access.
Make sure you have:
- In Cloudflare, a Zero Trust Enterprise plan with dedicated egress IPs
- In Microsoft 365, an organization managed with Microsoft Entra ID ↗
-
In Zero Trust ↗, go to Gateway > Egress Policies.
-
Select Add a policy.
-
Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for identity conditions:
Selector Operator Value User Group Names in Sales and Marketing
,Retail
,U.S. Sales
Additionally, you can check for device posture conditions:
Selector Operator Value Logic Passed Device Posture Check is CrowdStrike Overall ZTA score (Crowdstrike s2s)
And Passed Device Posture Check is AppCheckMac - Required Software (Application)
-
Enable Use dedicated Cloudflare egress IPs. Select your desired IPv4 and IPv6 addresses. For example:
Primary IPv4 address IPv6 address 203.0.113.0
2001:db8::/32
- Log in to the Microsoft Azure portal ↗.
- In the sidebar, select Microsoft Entra ID.
- Go to Security > Named locations.
- Select IP ranges location.
- Name your location, then add the IP addresses used in your Cloudflare dedicated egress IP policy.
- Select Upload.
This named location corresponds with the locations of your dedicated egress IPs.
- In Protect, go to Conditional Access.
- Select Create new policy.
- Configure which Entra ID users you want to limit access for, and which traffic, applications, or actions you want to protect.
- In Conditions, select Locations. Enable Configure.
- In Include, select Any location. In Exclude, select the named location you created.
- In Access controls, go to Grant. Enable Block access.
Your policy will block access for your selected users from any location except those using your dedicated egress IPs.
- Using WARP, sign in to your Zero Trust organization with a user’s account.
- Go to any Microsoft 365 app within your organization. Entra ID should allow access.
- Disconnect WARP from your Zero Trust organization. Entra ID should block access to any Microsoft 365 applications.