Restrict Web Traffic to only allow MSFT SSO emails through Entra ID

Jack Jin MSFT Accenture 80 Reputation points Microsoft Vendor
2024-03-01T20:54:28.6066667+00:00

Hello!

We have a requirement which only allows authenticated SSO Entra ID @microsoft.com email addresses to access lower environments. This will stop unwanted traffic to our lower website environments.

We're onboarding Azure Front Door as our CDN right now. Is there a no-code or low-code way to have our lower-environment Azure Front Door setups only allow person@microsoft.com emails to see content?

Thanks,

Jack

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

Accepted answer
  1. KapilAnanth-MSFT 39,451 Reputation points Microsoft Employee
    2024-03-11T11:31:07.1766667+00:00

    @Jack Jin MSFT Accenture ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see Sedat SALMAN had addressed your queries.

    Natively, Azure Front Door does not have the capacity to authenticate users with Entra.

    Users are required to make use of the Application (backend) to validate and authenticate the requests.

    Please Accept the answer and close the thread if it helped.

    Original posters help the community find answers faster by identifying the correct answer.

    Cheers,

    Kapil


1 additional answer

  1. Sedat SALMAN 13,265 Reputation points
    2024-03-02T06:23:05.1766667+00:00

    Create a policy in Microsoft Entra Identity requiring users to have "@microsoft.com" addresses to access the desired applications/environments

    https://video2.skills-academy.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa?bc=%2Fazure%2Factive-directory%2Fconditional-access%2Fbreadcrumb%2Ftoc.json&toc=%2Fazure%2Factive-directory%2Fconditional-access%2Ftoc.json#create-a-conditional-access-policy

    Use the Azure Front Door rules engine to check the user's authentication token. Deny traffic if the email in the token doesn't end in "@microsoft.com"

    https://video2.skills-academy.com/en-us/azure/frontdoor/front-door-rules-engine