CAS block TOR browser (anonymous IP)

by | May 25, 2021 | Technology | 0 comments

This article is contributed. See the original author and article here.

Hi all, Alan here again with a new article, I’m a Customer Engineer from Italy on Identity and Security.


In the past months I had several customers requesting about how to block sign-in from anonymous IP Addresses, one example would be someone using TOR Browser. So I thought this would help understand how to achieve this. 


 


To do this we will use Azure AD “Conditional Access policy” with Session Control together with “Cloud App Security Conditional Access App Control”. Well yes sound the same but are quite different. Let’s see the details.


 


You will need access to you tenant’s Azure AD (portal.azure.com) and Cloud App Security (mycompany. portal.cloudappsecurity.com).


Thirst thing to do is create an Azure AD Conditional Access policy:


1. Navigate to your Azure Active Directory


2. Under Manage click on Security


Immagine1.png


Immagine3.png


3. Click on Conditional Access


4. Select New Policy


Immagine4.png


5. Give it a Name


6. Select to which users will apply


7. Select the cloud application, for this demo I will select Office 365


Immagine5.png


8. Go to Session and select Use Conditional Access App Control


9. Select Use Custom Policy


Immagine6.png


10. Click Select


11. Enable the policy and click Create


Immagine7.png


 


Once this is done the first time users log in Office 365 suite the application will be integrated in Cloud App Security


 


Open Cloud App Security portal : https://mycompany. portal.cloudappsecurity.com


 


On the top right side you have the configuration wheel, click and select “IP Address ranges” as shown below


 


Immagine8.png


One this interesting is that if you filter for one of the following Tags “Tor, Anonymous Proxy or Botnet” you will see it matches the following rule


Immagine9.png


So CAS has the “intelligence” to know which are these suspicious IP Addresses or networks


Here some more details Create anomaly detection policies in Cloud App Security | Microsoft Docs



  • Activity from anonymous IP addresses

  • Activity from suspicious IP addresses, Botnet C&C

  • Activity from a TOR IP address


 


So back to our Connected Apps:


1. Go to Connected Apps


Immagine10.png


2. In the middle pane you will have three tabs, select “Conditional Access App Control apps”.


Below you will have a list of applications for which you can start creating CAS policies


Immagine11.png


3. Now browse to Control menu and select “Policies”


Immagine13.png


4. Select “ + Create policy”


Immagine14.png


Immagine15.png


5. The important part here is FILTERS and ACTIONS


Immagine16.png


 6. Click on Create in order to create the policy and it will show it in the list


Immagine17.png


7. Access Office portal from the TOR Browser (use a valid user account from your Azure AD)


Immagine18.png


you will get the following error showing that you were blocked


Immagine19.png


 


Hope this article gives some hints on how to use Cloud App Security which I think is a great tool, simple and powerful and can really help enhance your security posture.


 


Have a good read :


Alan @CE


Customer Engineer – Microsoft Italy


 


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Submit a Comment