Protect access to Microsoft 365 with dedicated egress IPs

1. In Zero Trust Open external link , go to Gateway > Egress Policies.

2. Select Add a policy.

3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for identity conditions:

   Selector	Operator	Value
   User Group Names	in	Sales and Marketing, Retail, U.S. Sales

   Additionally, you can check for device posture conditions:

   Selector	Operator	Value	Logic
   Passed Device Posture Check	is	CrowdStrike Overall ZTA score (Crowdstrike s2s)	And
   Passed Device Posture Check	is	AppCheckMac - Required Software (Application)

4. Enable Use dedicated Cloudflare egress IPs. Select your desired IPv4 and IPv6 addresses. For example:

   Primary IPv4 address	IPv6 address
   203.0.113.0	2001:db8::/32

1. Log in to the Microsoft Azure portal Open external link .
2. In the sidebar, select Microsoft Entra ID.
3. Go to Security > Named locations.
4. Select IP ranges location.
5. Name your location, then add the IP addresses used in your Cloudflare dedicated egress IP policy.
6. Select Upload.

This named location corresponds with the locations of your dedicated egress IPs.

1. In Protect, go to Conditional Access.
2. Select Create new policy.
3. Configure which Entra ID users you want to limit access for, and which traffic, applications, or actions you want to protect.
4. In Conditions, select Locations. Enable Configure.
5. In Include, select Any location. In Exclude, select the named location you created.
6. In Access controls, go to Grant. Enable Block access.

Your policy will block access for your selected users from any location except those using your dedicated egress IPs.

1. Using WARP, sign in to your Zero Trust organization with a user’s account.
2. Go to any Microsoft 365 app within your organization. Entra ID should allow access.
3. Disconnect WARP from your Zero Trust organization. Entra ID should block access to any Microsoft 365 applications.