This article is a step-by-step guide through the prerequisites and process for establishing IPLockdown for your Teams Private Chat migration.
These steps must be completed after your source and destination environment configuration. Keep in mind that you cannot complete your migration project without meeting the prerequisites and completing this configuration.
Prerequisites
Before proceeding with the configuration process, please ensure the following prerequisites are met:
- The migration service account must have a Microsoft Entra ID P1 license and be assigned the Admin role.
- The source tenant must have the MigrationWiz-PCH-FullControl app installed and the destination tenant must have the MigrationWiz-PCH-DelegateAccess app installed.
- Ensure that the Security defaults are disabled for both the source and destination tenants.
- Tenants must rely exclusively on Conditional Access for security management. For more information, please review this Microsoft blog.
IPLockdown Whitelisting
Once the prerequisites have been met, you will need to enable conditional access and whitelist your IPs.
Enable Conditional Access
Follow the steps below to enable conditional access in the Microsoft Entra admin center. For more information, you can review this Microsoft article.
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity > Overview > Properties.
- Click Manage Security defaults.
- Set Security defaults to Disabled.
- Click Save.
Whitelist your IPs with Azure Portal
Whitelist your IPs by creating a named location and setting the conditional access policy. Please review the information below and proceed accordingly.
These steps must be completed through the Azure Portal by searching for Microsoft Entra ID.
Create a Named Location
- Navigate to Manage > Security from the Microsoft Entra ID pane.
- In the Security tab navigate to Protect > Conditional Access and select Named locations.
- Click + IP ranges location.
- When the Update location (IP ranges) window opens, click Download to download the template.
- Open the .csv file and add your IP addresses.
Tip
When adding IPs to the ranges, whether in bulk through the downloaded .csv file or one by one with the + option, each address must carry a "/32" suffix (the CIDR notation for a single host).
- Save the .csv file.
- Upload the IP Ranges by clicking Upload and selecting the .csv file you populated.
- Click Upload.
- Name your Named Location.
Tip
We recommend creating one Named Location per worker, making it easier to track.
- Click Save.
Setting the Conditional Access Policy
- Navigate to Manage > Security from the Microsoft Entra ID pane.
- In the Security tab navigate to Protect > Conditional Access > Policies.
- Add a new policy by clicking + New policy.
- Name the new policy.
- Apply the policy to all users under the Users step by:
  - Clicking Users and groups.
  - Selecting All users.
- From the Target resources step:
  - Click Target resources.
  - Select Resources (formerly cloud apps) from the dropdown menu.
  - Click Select resources.
  - Choose the appropriate application or resource.
Tip
If you are configuring this from the source tenant, choose Full Access. If you are configuring from the destination tenant, choose Delegate.
- Configure your network condition in the Network step:
  - Include: Choose Any network or location.
  - Exclude: Select the Named Location you created in the section above, so that the policy is not applied to those IPs.
- Grant or block access in the Grant step.
  - If you want to block access from locations other than the whitelisted IPs, select Block. Alternatively, if you want to allow access only from the whitelisted IPs, choose Grant.
- In the Enable policy step, set the policy to On.
- Click Save.
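As an added example (not part of this article or of BitTitan's own tooling), the Python below mirrors the portal steps as Microsoft Graph request bodies: it normalizes the worker IPs from the .csv to "/32", builds the ipNamedLocation and the blocking Conditional Access policy, and includes a review check that a policy really blocks everything except the Named Location. The field names follow the public Graph conditionalAccess schema; the sample IPs, app id and location id are constructed placeholders.

```python
import csv
import io
import ipaddress

# Constructed sample of the Named locations .csv: one address per line.
# The last entry lacks the "/32" suffix the portal requires and is normalized.
SAMPLE_CSV = "203.0.113.10/32\n203.0.113.11/32\n203.0.113.12\n"

def parse_ip_csv(text):
    """Return IPv4 host entries normalized to '/32'; reject wider ranges."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        net = ipaddress.ip_network(row[0].strip(), strict=True)
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"expected a single IPv4 host (/32), got {row[0]}")
        ranges.append(str(net))  # '203.0.113.12' becomes '203.0.113.12/32'
    return ranges

def named_location_body(display_name, cidrs):
    """Graph ipNamedLocation body holding the migration worker IPs."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name, "isTrusted": False,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                          "cidrAddress": c} for c in cidrs]}

def lockdown_policy_body(name, app_id, location_id):
    """Graph conditionalAccessPolicy body mirroring the portal steps above."""
    return {"displayName": name, "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": [app_id]},
                           "locations": {"includeLocations": ["All"],
                                         "excludeLocations": [location_id]}},
            # Block every network except the excluded (whitelisted) location.
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

def policy_locks_down(policy, location_id):
    """Review check: does the policy block all users everywhere except location_id?"""
    cond = policy.get("conditions", {})
    loc = cond.get("locations", {})
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and loc.get("includeLocations") == ["All"]
            and location_id in loc.get("excludeLocations", [])
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))
```

Run `policy_locks_down` against a policy exported from the tenant to confirm the exclusion points at the worker location before switching it on.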
Finalizing the Policy
Once the policy is saved and enabled, access is allowed only from the IP addresses in the Named Location. Access through the Graph API or other services is therefore granted only from the IPs you have whitelisted.