
How to Configure Allowed IP Addresses for CoreView Service Accounts (MFA Enabled)

Overview

If you have Azure Active Directory Premium (part of EMS or Microsoft365 licensing), follow this guide, which explains how to configure Conditional Access in your AzureAD environment and allow specific IP addresses for CoreView service users.  Choose only one of the 2 methods to secure CoreView service users, based on the requirements that apply to your company tenant.

  • Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges 
  • Method 2: Without Azure Active Directory P1 

Important: CoreView Service accounts must not require multi-factor authentication (MFA) because the Microsoft Rights Management administration tool does not support MFA for this account. In addition, if you use Azure AD Conditional Access, do not block legacy authentication for these accounts. 


Method 1: CoreView Data Center IP Address Ranges 

Requirement: Azure Active Directory Premium P1 or above is mandatory for this setup.


Step 1.1 - Log in to the Azure portal (portal.azure.com) as an administrator user.


Step 1.2 - Open the Azure Active Directory blade. 


 


Note: If Azure Active Directory is not present in your favorites or on the dashboard, search for it in the search bar at the top of the Azure Web Portal:


 


Step 1.3 - Open “Conditional Access” under the “Security” section:


 


The “Conditional Access – Policies” menu will be opened: 


 


Important: We suggest disabling “Baseline policy: Require MFA for admins” and managing MFA access separately. Alternatively, you can exclude the CoreView service users from it.  To do that, click on the “Baseline policy: Require MFA for admins” policy under the “Policies” menu:


 



Select the “Do not use policy” option in the policy menu and save the changes:



If you decide to keep this policy, you must exclude CoreView service users from it. Click on “Exclude Users” at the bottom of the left column – “Select excluded users” – search for the CoreView service user in the “Select” bar.  Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain> or coreview.reports<randomnumber>@<onmicrosoft domain> 
  • 4ward365.admin@<onmicrosoft domain>

 


When you click on a user in the search results, it will appear in the “Selected members” column. Perform this action for all CoreView service users and press the blue “Select” button. The “Select excluded users” menu will disappear. Press the “Done” button in the “Users” menu and the “Save” button in the policy menu.  Now we can proceed and set up the allowed IP addresses for those users.


Step 1.4 - A new “Named Location” must be created. Select “Named locations” under “Manage” section and click on “New location”: 

 

 

Step 1.5 - Insert the name for the location (Recommended: CoreView <region form> Platform IPs) and all IP addresses with their subnets, as shown in the screenshot:


 

Note: We have used European data center’s IP addresses for the example.


Please refer to the following table for the current list of trusted CoreView Data Center IP Addresses. Note: you can check “Mark as trusted location” for a lower user sign-in risk.

Azure CCC (EU)

  • 52.178.220.169/32
  • 13.79.166.132/32
  • 52.164.205.60/32
  • 40.69.61.123/32
  • 191.239.215.199/32
  • 20.191.46.79

Azure CCC (US East)

  • 52.225.217.154/32
  • 104.209.147.75/32
  • 40.70.44.94/32
  • 137.116.90.35/32
  • 52.225.222.18/32
  • 40.65.233.115

Azure CCC (Canada East)

  • 52.229.116.78/32
  • 40.69.100.107/32
  • 52.242.35.38/32
  • 52.242.126.90/32
  • 52.235.47.42/32
  • 52.155.24.77

Azure GCC (US East)

  • 13.72.21.184/32
  • 52.247.175.28/32
  • 13.72.21.53/32
  • 52.247.150.99/32
  • 52.227.178.31/32
  • 52.227.179.120/32
  • 52.227.221.240

 

Click on “Create”.
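The named location from Steps 1.4 and 1.5 can also be prepared as a Microsoft Graph ipNamedLocation body. The following is an added example, not part of the original CoreView guide: it normalizes the EU entries listed above to CIDR form (one of them has no /32 suffix) and rejects malformed or overly wide ranges before they reach the allow list. The display name and the min_prefix guard are assumptions made for this example.

```python
import ipaddress

# "Azure CCC (EU)" entries as listed on this page; the last one has no prefix.
EU_ENTRIES = [
    "52.178.220.169/32", "13.79.166.132/32", "52.164.205.60/32",
    "40.69.61.123/32", "191.239.215.199/32", " 20.191.46.79",
]

def to_cidr(entry, min_prefix=32):
    """Return the entry in canonical IPv4 CIDR form; a bare address becomes /32.

    min_prefix is an assumed local guard: anything wider is rejected so a
    mistyped prefix cannot exempt a large address range.
    """
    net = ipaddress.ip_network(entry.strip(), strict=True)  # ValueError if malformed
    if net.version != 4:
        raise ValueError(f"not an IPv4 range: {entry!r}")
    if net.prefixlen < min_prefix:
        raise ValueError(f"range wider than /{min_prefix}: {entry!r}")
    return str(net)

def named_location_body(display_name, entries, trusted=True):
    """Build a Microsoft Graph ipNamedLocation body from a list of entries."""
    cidrs = []
    for entry in entries:
        cidr = to_cidr(entry)
        if cidr not in cidrs:          # drop duplicates, keep the listed order
            cidrs.append(cidr)
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,          # the "Mark as trusted location" checkbox
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }

if __name__ == "__main__":
    import json
    # Display name follows the guide's recommendation; constructed for this example.
    print(json.dumps(named_location_body("CoreView EU Platform IPs", EU_ENTRIES), indent=2))
```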


Step 2.1 - A new policy must be created. Select “Policy” and click on “New Policy”. 


 


Step 2.2 - Insert the new Policy. 

Insert the name of the policy (Example: Whitelist CoreView endpoints), all CoreView service users and cloud applications.  To do that, choose “Users and groups”, in the “Include” tab select “Users and groups” and press on “Select”. From the select bar search for all CoreView service users and add them as the policy members.  Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain> or coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain> 

            

 


Press “Select” and “Done”.   Under “Assignments” select “Cloud apps”. Choose “All cloud apps” in the “Include” tab as shown in the screenshot:  


 


Press “Done”. In the “Conditions” you must include all locations and exclude the location created previously. 

Go to “Conditions” – “Locations”. Set “Configure” option to “Yes”

 

 

 

 

In the “Include” tab of “Locations” blade set “Any location” as shown in the screenshot above and in the “Exclude” tab of “Locations” blade you must exclude the location created previously.  


 

 

Check the location and press “Select”, “Done”, “Done”.  Under the “Access Controls” section, select the “Grant” menu. In this step we recommend blocking access.  Select the “Block access” option and press the “Select” button.


 

 

Alternatively, you can require Multi-Factor Authentication for CoreView service users signing in from IP addresses that are not excluded. To do that, choose the “Grant access” option in the “Grant” blade and check “Require multi-factor authentication”:

 

 


As the last step, enable this policy and click “Create”.


 


Now the policy is listed in “Conditional Access – Policies”  
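The policy built in Step 2.2 (include any location, exclude the CoreView named location, then block or require MFA) is shown below as a Microsoft Graph conditionalAccessPolicy body, together with a simplified model of how it applies to a sign-in. This is an added example, not part of the original CoreView guide; the user object ID, the location ID and the evaluate() function are constructed for illustration and do not reproduce Azure AD's full evaluation logic.

```python
import ipaddress

def policy_body(user_ids, location_id, require_mfa=False):
    """Graph conditionalAccessPolicy body matching Step 2.2 of this guide."""
    return {
        "displayName": "Whitelist CoreView endpoints",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {
                "includeLocations": ["All"],           # "Any location"
                "excludeLocations": [location_id],     # the CoreView named location
            },
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa" if require_mfa else "block"],
        },
    }

def evaluate(policy, named_locations, user_id, source_ip):
    """Simplified model: 'not_applicable', 'block' or 'mfa' for one sign-in.

    named_locations maps a location ID to its list of CIDR ranges.
    """
    cond = policy["conditions"]
    if user_id not in cond["users"]["includeUsers"]:
        return "not_applicable"                        # policy targets service users only
    ip = ipaddress.ip_address(source_ip)
    for loc_id in cond["locations"]["excludeLocations"]:
        ranges = named_locations.get(loc_id, [])
        if any(ip in ipaddress.ip_network(c) for c in ranges):
            return "not_applicable"                    # sign-in from an allowed IP
    return policy["grantControls"]["builtInControls"][0]

if __name__ == "__main__":
    # Constructed sample: placeholder IDs, two EU addresses from the table above.
    locations = {"loc-coreview-eu": ["52.178.220.169/32", "13.79.166.132/32"]}
    svc = "00000000-0000-0000-0000-000000000001"
    policy = policy_body([svc], "loc-coreview-eu")
    for ip in ("52.178.220.169", "203.0.113.10"):
        print(ip, evaluate(policy, locations, svc, ip))
```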


 

Method 2: How to configure MFA for CoreView Service Accounts and whitelist CoreView datacenter’s IP addresses

If you have only Office365 E1 licenses (or above) this guide will show you how to enable MultiFactor Authentication for CoreView service users and whitelist CoreView datacenter’s IP addresses. 


Step 3.1 - Log in to the Office 365 Admin portal (https://admin.microsoft.com)


Step 3.2 - In the navigation menu, go to “Users” – “Active Users”


 


Step 3.3 - Click on any active user.    

The user properties tab will appear on the right of your screen. Scroll down and click on “Manage multifactor authentication”  

 

 


Step 3.4 - Enforce MFA for CoreView Service Accounts. 

You should enforce Multifactor Authentication for the CoreView service users. To do that, select all service users and click on “Enable” in the property menu.

Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain> or coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain> 

 

On the informative pop-up, choose “Enable multi-factor auth”.  Select all CoreView service users a second time. Now “Enforce” will be available as an option.

 

 

Step 3.5 - To exclude the CoreView Datacenters from Multi-Factor Authentication, you must add the relevant IP addresses to the exclusion list.


Go to “Service Settings” of Multi-Factor Authentication: 


 

Insert CoreView Data Center’s IP addresses in the “Trusted IPs” section: 


 

 

 

Please refer to the following table for the current list of trusted CoreView Data Center IP Addresses:                           

Azure CCC (EU)

  • 52.178.220.169/32
  • 13.79.166.132/32
  • 52.164.205.60/32
  • 40.69.61.123/32
  • 191.239.215.199/32
  • 20.191.46.79

Azure CCC (US East)

  • 52.225.217.154/32
  • 104.209.147.75/32
  • 40.70.44.94/32
  • 137.116.90.35/32
  • 52.225.222.18/32
  • 40.65.233.115

Azure CCC (Canada East)

  • 52.229.116.78/32
  • 40.69.100.107/32
  • 52.242.35.38/32
  • 52.242.126.90/32
  • 52.235.47.42/32
  • 52.155.24.77

Azure GCC (US East)

  • 13.72.21.184/32
  • 52.247.175.28/32
  • 13.72.21.53/32
  • 52.247.150.99/32
  • 52.227.178.31/32
  • 52.227.179.120/32
  • 52.227.221.240

 

Note: Add only the IP addresses of the data center you need.

             

Save the changes! 


