About Office 365 with Conditional Access (Atmos Agent)

This article describes how to deploy Microsoft Office 365 Suite with Conditional Access on the Axis Cloud using IP restriction and the Atmos Agent. Conditional Access is a feature of Azure Active Directory (Azure AD) that allows administrators to control how and when users can access applications and services.

Overview

Source IP address restriction tackles one of the typical Office 365 use cases, where users of an organization are given conditional access to Office 365 applications. With Conditional Access, administrators can allow users access to Office 365 applications only when the traffic originates from identified trusted locations, such as the corporate network or the organization's data centers. Administrators can also deny users access to Office 365 when they connect from untrusted locations, such as coffee shops or other non-corporate locations.

The IP restriction is only applied to the initial user login traffic, which is redirected to the following Azure Active Directory domains:

  • login.microsoftonline.com
  • login.microsoft.com
  • login.windows.net

Upon successful login, subsequent access to the Office 365 applications uses an authentication token. Azure Active Directory Conditional Access checks the source IP address at login; if the check succeeds, all Office 365 application traffic flows through the Axis Cloud.

Prerequisites

Before you begin:

  • Configure your Microsoft Azure Active Directory.
  • Get a license for Conditional Access for Microsoft Office 365.

Architecture

The following diagram shows how connecting to Conditional Access for Office 365 through the Axis Cloud looks from the Atmos Agent perspective. Office 365 identifies the Axis Connector IP address as a trusted location and maps it to its configuration.


Components

The following table describes the components of Microsoft Office 365 Conditional Access, the Azure Identity Provider, and Axis Security.

Component: Atmos Agent
  The Atmos Agent creates an outbound secure tunnel to the Axis Cloud. It forwards the user's initial authentication traffic to the Axis Frontend-Web.

Component: Identity Provider (IdP)
  If users are not authenticated, the Axis Cloud prompts the client to authenticate to the configured Identity Provider (IdP). If that IdP is configured for multi-factor authentication (MFA), MFA happens seamlessly.

Component: Axis Cloud Policy Engine (Rules)
  Once users are authenticated, the Axis Cloud policy engine determines whether the users and groups are allowed access to MS Office 365 applications.
  Administrators can configure context-based rules such as device posture check, location (source), and time of day.

Component: Axis Connector
  Once the policy allows users to access Office 365, the Axis Cloud brokers the connections so that user traffic flows to Office 365 through the Axis Connector(s). Office 365 identifies the Axis Connector IP address as a trusted location and maps it to its configuration.

Component: Azure Active Directory Conditional Access
  Conditional Access is a feature of Azure Active Directory (Azure AD) that allows administrators to control how and when users can access applications and services.

Deploying Office 365 with Conditional Access

To deploy IP restriction for Office 365 with Conditional Access using the Atmos Agent:

  1. Add Office 365 Applications with Conditional Access
  2. Apply a Rule to the Office 365 Application
  3. Configure Azure Active Directory Conditional Access
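The Azure AD side of step 3, as an added example that is not part of this article or of Axis's own tooling: it registers the Axis Connector egress address as a trusted named location and creates a Conditional Access policy that blocks Office 365 sign-ins from every other location. It assumes the Microsoft Graph PowerShell SDK, an account holding the Conditional Access Administrator role, and the placeholder values 203.0.113.10/32 (connector egress IP) and <break-glass-account-object-id>.

```powershell
# Added example, not from the Axis documentation. Requires the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and the
# Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Trusted named location for the Axis Connector egress address.
#    203.0.113.10/32 is a placeholder; use the connector's real public IP.
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Axis Connector egress"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.10/32"
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: Office 365 workload, all users, block unless the sign-in arrives
#    from the trusted connector location. Created in report-only mode so the
#    sign-in logs can be checked for unintended lockouts before enforcing it.
#    The excluded user is a break-glass account (placeholder object ID) so an
#    admin can still sign in if the connector path is down.
$policyBody = @{
    displayName = "Block Office 365 outside Axis Connector"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("Office365") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
```

Switch the policy state to "enabled" only after the report-only results in the Azure AD sign-in logs show that logins to the login.microsoftonline.com, login.microsoft.com and login.windows.net domains are reaching Azure AD from the connector address.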