
Overview

To ensure maximum security for your tenant and CoreView, we recommend the configuration of this conditional access policy. This document will guide you through the steps required to ensure that CoreView services will still be able to run properly from the data center you are hosted in, while maintaining high levels of security.


If you have Azure Active Directory Premium (part of EMS or Microsoft 365 licensing), follow this guide, which explains how to configure Conditional Access in your Azure AD environment and allow specific IP addresses for CoreView service users. Choose only one of the two methods to secure CoreView service users, based on the requirements that apply to your company's tenant.


Note: If you use Azure AD Conditional Access, you can block legacy authentication for these accounts. If you are using Core Security (SKU: SEC), use the preview toggle for the Message Trace form in CoreView.




Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges

Requirement: This process requires an Azure Active Directory Premium P1 or P2 subscription.  



Step 1 Exclude CoreView service accounts from existing policies


Step 1.1 - Log in to the Azure portal (portal.azure.com) as an administrator user.


Step 1.2 - Open the Azure Active Directory blade. 



Note: If Azure Active Directory is not listed among the recently used Azure services or on the dashboard, search for it in the search bar at the top of the Azure portal or click on "More services".


 


         

Step 1.3 - Go to the Security category and open “Conditional Access”:


 


         

The “Conditional Access – Policies” menu will be opened: 


 


If you have any policy that enforces MFA on the admin account, you must exclude CoreView service users from it. 


Step 1.4 - Click on the policy name to open its details. Click on Users and Groups under Assignment, then the Exclude tab on the right side. 



Step 1.5 - Check the box for "Users and Groups". In the "Select excluded users" pane, search for the CoreView service user(s).

Note: The number of service users depends on the size of your tenant. The rules for the names are:

  • coreview.reports<randomnumber>@<onmicrosoft domain> 
  • 4ward365.admin@<onmicrosoft domain>


 


Step 1.6 - Click on a user to select it, and it will appear in the “Selected items” area below the search. Repeat this for all CoreView service users and press the blue “Select” button. The "Select excluded users" menu will close.

Click the “Save” button on the left side of the window to save your policy changes.  

Now we can proceed and set up the allowed IP addresses for those users.



Step 2 Create named location and add IP addresses


Step 2.1 - A new “Named Location” must be created. Select “Named locations” under “Manage” section and click on “+ IP ranges location”: 

 

 


              

Step 2.2 - Insert the name for the location (Recommended: CoreView <region form> Platform IPs) and all IP addresses with the subnets in the table below. Once the list is complete, click "Create".


 

Note: We have used European data center’s IP addresses for this example.


Please refer to the following table for the current list of trusted CoreView Data Center IP addresses. These addresses are in use exclusively by CoreView.

Note: You can check “Mark as trusted location” for a lower user sign-in risk.





NOTE: If you have configured a hybrid agent, make sure the list of trusted IP addresses includes the IP address the hybrid agent uses when making a request. If it is not included, your CoreView tenant will be unable to open any management sessions.


Step 3 Create a new policy for CoreView service accounts


Step 3.1 - A new policy must be created. Select “Policy” and click on “New Policy”. 


 


         

Step 3.2 - Insert the new policy.

Insert the name of the policy (Example: Safelist CoreView endpoints) and add all CoreView service users and cloud applications. To do that, we will make edits to the areas under Assignments. First click on “Users and groups”.


In the “Include” tab, select “Users and groups” and press “Select”. In the search bar, search for all CoreView service users and add them as the policy members.

Note: The number of service users depends on the size of your tenant. The rules for the names are:

  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain>

            

 


Press the “Select” button to select the users for the policy.   


In the "Cloud apps or actions" section, click on “No cloud apps or actions selected”. Choose “All cloud apps” in the “Include” tab as shown in the screenshot. "No cloud apps or actions selected" will change to say "All cloud apps". 


 


         

In the “Conditions” section, you must include all locations and exclude the location created previously. Click on "0 conditions selected" and then “Locations”. Set the “Configure” toggle to “Yes”.

 

 

 

In the “Include” tab of the “Locations” blade, set “Any location” as shown in the screenshot above.

In the “Exclude” tab of the “Locations” blade, ensure "Selected locations" is selected and click on "None". Search for the location created previously in order to set it to be excluded.



Check the location and press “Select”. 


Under the “Access Controls” section, click "0 controls selected" under "Grant". 


           

In this step, we recommend blocking access. Select the “Block access” option and press “Select”.

 

 

             

Alternatively, you can require multi-factor authentication for CoreView service users signing in from non-excluded IP addresses. To do that, choose “Grant access” in the “Grant” blade and check “Require multi-factor authentication”:



        

As the last step, enable this policy and click “Create”.

 

        


Now the policy is listed in “Conditional Access – Policies”  
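
The location logic in Step 3 is inverted compared with a plain allowlist: the policy includes any location, excludes the named location, and blocks (or requires MFA for) everything that is left. The following added example (not CoreView's or Microsoft's code) audits a policy and named location, written in the shape of Microsoft Graph objects, against that configuration and shows the decision for a single sign-in. The sample IDs, UPNs, IP ranges and the naming regex are constructed assumptions.

```python
import ipaddress
import re

# Naming rules from this guide; the exact regex (digits, *.onmicrosoft.com) is an assumption.
SERVICE_UPN = re.compile(
    r"^(cvroa\d+|coreview\.reports\d+|4ward365\.admin)@[\w-]+\.onmicrosoft\.com$", re.I)

# Constructed sample data shaped like Microsoft Graph objects. IDs, UPNs and ranges are
# placeholders (RFC 5737 addresses, not CoreView's); users are shown as UPNs for readability.
LOCATION = {"id": "loc-0001", "displayName": "CoreView Platform IPs", "isTrusted": True,
            "ipRanges": [{"cidrAddress": "203.0.113.10/32"},
                         {"cidrAddress": "203.0.113.11/32"}]}
POLICY = {
    "displayName": "Safelist CoreView endpoints", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["coreview.reports123@contoso.onmicrosoft.com",
                                   "4ward365.admin@contoso.onmicrosoft.com"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-0001"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def networks(location):
    return [ipaddress.ip_network(r["cidrAddress"], strict=False) for r in location["ipRanges"]]

def audit(policy, location):
    """Return findings; an empty list means the policy matches Step 3 of the guide."""
    cond, out = policy["conditions"], []
    if policy.get("state") != "enabled":
        out.append("policy is not enabled")
    out += [f"non-service account in scope: {u}"
            for u in cond["users"]["includeUsers"] if not SERVICE_UPN.match(u)]
    if cond["applications"]["includeApplications"] != ["All"]:
        out.append("policy does not cover all cloud apps")
    loc = cond["locations"]
    if loc["includeLocations"] != ["All"] or location["id"] not in loc["excludeLocations"]:
        out.append("locations must include any location and exclude the named location")
    if not {"block", "mfa"} & set(policy["grantControls"]["builtInControls"]):
        out.append("grant control is neither block nor mfa")
    # Added check, not from the guide: a range wider than one host widens the allowlist.
    out += [f"review wide range: {n}" for n in networks(location) if n.prefixlen < n.max_prefixlen]
    return out

def decision(policy, location, upn, source_ip):
    """Effect of this one policy on a sign-in (other policies are not modelled)."""
    if upn not in policy["conditions"]["users"]["includeUsers"]:
        return "user not in scope"
    if any(ipaddress.ip_address(source_ip) in n for n in networks(location)):
        return "excluded location"  # policy is skipped, sign-in is not blocked by it
    return "block" if "block" in policy["grantControls"]["builtInControls"] else "mfa"
```

A finding of "non-service account in scope" matters most with the "Block access" grant: a policy that includes anyone other than the CoreView service users would block those users from every IP address outside the named location.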




                   

                   

                   

Method 2: Without Azure Active Directory P1

If you have only Office 365 E1 licenses (or above) and do not have Azure AD Premium P1 (or above), this guide will show you how to disable multifactor authentication for CoreView service users.




1. How to Disable MFA for CoreView Service Accounts


Step 1.1 - Log in to the Office 365 admin portal (https://admin.microsoft.com).


Step 1.2 - In the navigation menu, go to “Users” – “Active Users”.


 


Step 1.3 - Click on any active user.    

The user properties tab will appear on the right of your screen. Scroll down and click on “Manage multifactor authentication”.

 

 


Step 1.4 - Disable MFA for CoreView Service Accounts. 

You should disable multifactor authentication for CoreView service users. To do that, click on the magnifying glass to open the search field.


         


Search for and select all service users and click on “Enable” in the property menu. 

Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain>


If they already have the status as "Disabled", then you do not need to make any changes.



           

If the status is set to "Enabled", then select the users that need to be disabled and click the "Disable" option on the right side of the screen.


         

         

Another window will open, asking you to confirm your choice. Click "yes" to disable multi-factor authentication.

        

         

Close the confirmation window.


 You have now completed the process. 


