Tip #720: Thoughts about IP restrictions for your CRM Online logins

There are almost daily improvements to CRM Online management facilities. Just as we managed to catch our breath after on-demand backup and restore were made available for CRM Online, we now have an ability to put trusted IP rules in place.

Even though there were numerous tweets and pingbacks about the article, I thought I’d take a couple of minutes to clear up some misconceptions.

This is not a CRM Online-specific feature; it is an Azure Active Directory feature. You can protect your SharePoint, Yammer, custom web apps, etc. Just follow the instructions in the original article.

In the rush to bring the news, parts of the article were copied verbatim. That caused some confusion and additional questions. For example, the article lists the requirements:

  • A subscription to Azure Active Directory Premium.
  • A federated or managed Azure Active Directory tenant.
  • Federated tenants require that multi-factor authentication (MFA) be enabled.

Well, you cannot have CRM Online without a tenant, so the second requirement is not really a requirement. As far as the third one is concerned, I’d be very interested to hear from anyone who managed to get federated tenants with MFA working with CRM Online, including all the moving parts like web, API, Outlook, and mobile access.

We’ve already written about using Application Request Routing and Web Application Proxy to protect your CRM On-premises. The approaches are different though. CRM Online uses conditional access in Azure AD which enforces restrictions only during the authentication, while ARR and WAP will ensure continuous protection.

Quite frequently you will hear people referring to the feature as “geofencing” (and yours truly is not an exception). It’s a handy moniker, but be aware that geofencing usually refers to location-based services, and using IP addresses to perform geofencing on a wider scale (beyond the known IP addresses of your offices, for example) comes with a few caveats.

  • It’s unreliable at best – you are placing your trust in the information coming from elsewhere.
  • It’s dynamic in nature, and costly and difficult to maintain, especially as cloud-service providers hunt and acquire additional blocks of IP addresses all the time. Unless you’re the size of Netflix, of course.
  • As Australian census clusterfk demonstrated, while adding some additional hurdles, geofencing/geoblocking is not in itself a reliable security mechanism. (Brief, somewhat technical but accurate and trustworthy summary).
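To make the difference between the two enforcement points concrete, here is a small added example (mine, not code from the CRM Tip of the Day post, Microsoft, or any of the products mentioned). It models a trusted-IP rule checked once at login, the way Azure AD conditional access works, beside the same rule re-checked on every request, the way a reverse proxy such as ARR or WAP works, and replays a constructed access log against both. The trusted ranges, user names, token format and log lines are all constructed for the example; the ranges use RFC 5737 documentation addresses and stand in for “known IP addresses of your offices”.

```python
"""Added example: authentication-time vs. per-request trusted-IP enforcement.

Not from the original post. All ranges, users, tokens and log lines are
constructed; TRUSTED_RANGES uses RFC 5737 documentation prefixes.
"""
import ipaddress
from dataclasses import dataclass

# Constructed "office" ranges. In practice this list is the part that rots:
# provider and ISP allocations change, so review it as a scheduled task.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def is_trusted(ip: str, ranges=TRUSTED_RANGES) -> bool:
    """True if the source address falls inside any trusted prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


@dataclass
class Session:
    token: str
    issued_from: str


class AuthTimeEnforcement:
    """Trusted-IP rule evaluated only when the session is issued (conditional access)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, ip: str):
        """Issue a session token only if the login comes from a trusted range."""
        if not is_trusted(ip):
            return None
        token = f"tok-{user}-{len(self.sessions)}"  # constructed token format
        self.sessions[token] = Session(token, ip)
        return token

    def request(self, token, ip: str) -> bool:
        # Later requests only need a valid token; their source IP is not consulted.
        return token in self.sessions


class PerRequestEnforcement(AuthTimeEnforcement):
    """Same login rule, but the proxy (ARR/WAP style) re-checks the IP on every request."""

    def request(self, token, ip: str) -> bool:
        return token in self.sessions and is_trusted(ip)


# Constructed access log: "<timestamp> <user> <source_ip> <login|request>".
LOG = [
    "2016-09-01T08:00:00Z alice 203.0.113.10 login",    # login from the office
    "2016-09-01T08:05:00Z alice 203.0.113.10 request",  # request from the office
    "2016-09-01T09:00:00Z alice 192.0.2.44 request",    # same session used from outside
    "2016-09-01T09:10:00Z bob 192.0.2.45 login",        # login attempt from outside
]


def replay(enforcer: AuthTimeEnforcement) -> list:
    """Replay LOG through an enforcer; returns one allow/deny decision per line."""
    tokens: dict[str, str] = {}
    decisions = []
    for line in LOG:
        _ts, user, ip, kind = line.split()
        if kind == "login":
            token = enforcer.login(user, ip)
            if token:
                tokens[user] = token
            decisions.append(token is not None)
        else:
            decisions.append(enforcer.request(tokens.get(user), ip))
    return decisions


if __name__ == "__main__":
    for name, enforcer in (("auth-time", AuthTimeEnforcement()), ("per-request", PerRequestEnforcement())):
        print(name, replay(enforcer))
```

Running it shows the third log line is the one that differs: with authentication-time enforcement, a session issued from a trusted range keeps working when reused from an untrusted address, while per-request enforcement denies it. That is the gap the ARR/WAP approach closes and the one to keep in mind when sizing the token lifetime for a conditional-access-only setup.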
