
How to Configure Allowed IP Addresses for CoreView Service Accounts (MFA Enabled)

Overview

If you have Azure Active Directory Premium (part of EMS or Microsoft 365 licensing), follow this guide to configure Conditional Access in your Azure AD environment and allow specific IP addresses for CoreView service users. Choose only one of the two methods to secure CoreView service users, based on the requirements that apply to your company's tenant.

Important: CoreView Service accounts must not require multi-factor authentication (MFA) because the Microsoft Rights Management administration tool does not support MFA for this account. In addition, if you use Azure AD Conditional Access, do not block legacy authentication for these accounts. 



Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges

Requirement: This process requires an Azure Active Directory Premium P1 or P2 subscription.  



Step 1 Exclude CoreView service accounts from existing policies


Step 1.1 - Log in to the Azure portal (portal.azure.com) as an administrator.


Step 1.2 - Open the Azure Active Directory blade. 



Note: If Azure Active Directory is not listed among the recently used Azure services or on the dashboard, search for it in the search bar at the top of the Azure portal or click on "More services".


 


         

Step 1.3 - Go to Security Category and Open “Conditional Access”: 


 


         

The “Conditional Access – Policies” menu will be opened: 


 


If you have any policy that enforces MFA on admin accounts, you must exclude the CoreView service users from it.


Step 1.4 - Click on the policy name to open its details. Click on Users and Groups under Assignment, then the Exclude tab on the right side. 



Step 1.5 - Check the box for "Users and Groups". In the "Select excluded users" pane, search for the CoreView service user(s).

Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain> 
  • 4ward365.admin@<onmicrosoft domain>


 


Step 1.6 - Click on a user to select it, and it will appear in the “Selected items” area below the search. Perform this action for all CoreView service users and press blue “Select” button. The "Select excluded users" menu will close.

Click the “Save” button on the left side of the window to save your policy changes.  

Now we can proceed and set up the allowed IP addresses for those users.



Step 2 Create named location and add IP addresses


Step 2.1 - A new “Named Location” must be created. Select “Named locations” under “Manage” section and click on “+ IP ranges location”: 

 

 


              

Step 2.2 - Insert the name for the location (Recommended: CoreView <region form> Platform IPs) and all IP addresses with the subnets in the table below. Once the list is complete, click "Create".


 

Note: We have used European data center’s IP addresses for the example.


Refer to the following table for the current list of trusted CoreView Data Center IP addresses. Note: you can check “Mark as trusted location” for a lower user sign-in risk.


Azure CCC (EU)
  • 52.178.220.169/32
  • 13.79.166.132/32
  • 52.164.205.60/32
  • 40.69.61.123/32
  • 191.239.215.199/32
  • 20.191.46.79/32

Azure CCC (US East)
  • 52.225.217.154/32
  • 104.209.147.75/32
  • 40.70.44.94/32
  • 137.116.90.35/32
  • 52.225.222.18/32
  • 40.65.233.115/32

Azure CCC (Canada East)
  • 52.229.116.78/32
  • 40.69.100.107/32
  • 52.242.35.38/32
  • 52.242.126.90/32
  • 52.235.47.42/32
  • 52.155.24.77/32

Azure GCC (US East)
  • 13.72.21.184/32
  • 52.247.175.28/32
  • 13.72.21.53/32
  • 52.247.150.99/32
  • 52.227.178.31/32
  • 52.227.179.120/32
  • 52.227.221.240/32



Step 3 Create a new policy for CoreView service accounts


Step 3.1 - A new policy must be created. Select “Policy” and click on “New Policy”. 


 


         

Step 3.2 - Insert the new Policy. 

Insert the name of the policy (Example: Whitelist CoreView endpoints) and add all CoreView service users and cloud applications. To do that, we will make edits to the areas under Assignments. First click on “Users and groups”.


In the “Include” tab select “Users and groups” and press on “Select”. From the select bar search for all CoreView service users and add them as the policy members.  Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain> 

            

 


Press the “Select” button to select the users for the policy.   


In the "Cloud apps or actions" section, click on “No cloud apps or actions selected”. Choose “All cloud apps” in the “Include” tab as shown in the screenshot. "No cloud apps or actions selected" will change to say "All cloud apps". 


 


         

In the “Conditions” section you must include all locations and exclude the location created previously, so click on "0 conditions selected" and then "Locations”. Set “Configure” toggle to “Yes”.

 

 

 

In the “Include” tab of the “Locations” blade, set “Any location” as shown in the screenshot above.

In the “Exclude” tab of the “Locations” blade, ensure "Selected locations" is selected and click on "None". Search for the location created previously in order to set it to be excluded.



Check the location and press “Select”. 


Under the “Access Controls” section, click "0 controls selected" under "Grant". 


           

In this step we recommend blocking the access. Select the “Block access” option and press “Select”.

 

 

             

Alternatively, you can enable the Multi-Factor Authentication for CoreView service users from non-excluded IP addresses. To do that choose “Grant access” in the “Grant” blade and check “Require multi-factor authentication”: 



        

As the last step, enable this policy and “Create”. 

 

        


Now the policy is listed in “Conditional Access – Policies”  
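
One way to check the effect of the Step 3 policy against sign-in data, as an added example that is not CoreView or Microsoft code: it models the policy logic (any location included, the named location excluded, Block as the grant control) and flags successful service-account sign-ins from outside the Azure CCC (EU) ranges. Assumptions: the real policy is assigned to selected user objects, so the name pattern here is only an audit-side approximation; the record fields, the contoso tenant and the 203.0.113.x addresses are constructed.

```python
import ipaddress
import re

# Named location contents: the Azure CCC (EU) ranges listed in Step 2.2.
COREVIEW_EU = [ipaddress.ip_network(c) for c in (
    "52.178.220.169/32", "13.79.166.132/32", "52.164.205.60/32",
    "40.69.61.123/32", "191.239.215.199/32", "20.191.46.79/32",
)]

# Service-account naming rules from the guide. Assumptions: the random
# number is digits only and the domain ends in .onmicrosoft.com.
SERVICE_UPN = re.compile(
    r"^(cvroa\d+|coreview\.reports\d+|4ward365\.admin)@[a-z0-9-]+\.onmicrosoft\.com$",
    re.IGNORECASE,
)

def in_named_location(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COREVIEW_EU)

def evaluate(upn, ip, grant="block"):
    """Model of the Step 3 policy: include any location, exclude the
    named location, then apply the grant control ("block" or "mfa")."""
    if not SERVICE_UPN.match(upn):
        return "not_in_scope"      # policy is assigned to service users only
    if in_named_location(ip):
        return "allow"             # excluded location: policy does not apply
    return grant                   # every other location hits the control

def unexpected_signins(records):
    """Successful service-account sign-ins that the policy should have stopped."""
    return [r for r in records
            if r["success"] and evaluate(r["upn"], r["ip"]) == "block"]

# Constructed sample sign-in records (tenant name and IPs are placeholders).
SAMPLE = [
    {"upn": "cvroa12345@contoso.onmicrosoft.com", "ip": "52.178.220.169", "success": True},
    {"upn": "coreview.reports7@contoso.onmicrosoft.com", "ip": "203.0.113.10", "success": True},
    {"upn": "4ward365.admin@contoso.onmicrosoft.com", "ip": "203.0.113.10", "success": False},
    {"upn": "alice@contoso.onmicrosoft.com", "ip": "203.0.113.10", "success": True},
]

if __name__ == "__main__":
    for r in unexpected_signins(SAMPLE):
        print("review:", r["upn"], r["ip"])
```

A successful sign-in reported by `unexpected_signins` means the account was reached from outside the named location, which points to a policy that is disabled, mis-scoped, or missing that user.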




                   

                   

                   

Method 2: Without Azure Active Directory P1

If you have only Office365 E1 licenses (or above) and do not have Azure AD Premium P1 (or above), this guide will show you how to disable MultiFactor Authentication for CoreView service users.




1. How to Disable MFA for CoreView Service Accounts


Step 1.1 - Log in to the Admin Office 365 portal (https://admin.microsoft.com)


Step 1.2 - In the navigation menu navigate to “Users” – “Active Users”  


 


Step 1.3 - Click on any active user.    

The user properties tab will appear on the right of your screen. Scroll down and click on “Manage multifactor authentication”  

 

 


Step 1.4 - Disable MFA for CoreView Service Accounts. 

Disable multifactor authentication for the CoreView service users. To do that, click on the magnifying glass to open the search field.


         


Search for and select all service users and click on “Enable” in the property menu. 

Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain> 


If they already have the status as "Disabled", then you do not need to make any changes.



           

If the status is set to "Enabled", then select the users that need to be disabled and click the "Disable" option on the right side of the screen.


         

         

Another window will open, confirming your choice. Click "yes" to disable multi-factor authentication.

        

         

Close the confirmation window.


 You have now completed the process. 

