Netskope Help

Configure the Conditional Access

Conditional Access policies are required to define the criteria that control which devices may access O365 services.

The policy described below stops users from connecting to O365 applications unless they are coming through the Netskope platform (using either the forward or reverse proxy).

  1. Go back to the Azure Portal dashboard and select Azure Active Directory > Conditional Access.

  2. Click New Apps and Users.

  3. Under Manage, select Named Locations and click New Location.

  4. Name your new location (such as Netskope IPs) and add the following IP address ranges:







  5. Click Create.

  6. Click Conditions > Locations > Exclude > Netskope Public IPs.

  7. Back on the Conditional Access configuration page, select Policies and click New Policy.

  8. Name the Access Policy (such as Block all non-Netskope IPs).

  9. Define which users or groups this policy should apply to.


    We recommend applying this policy to a test user or group to validate the configuration before rolling it out across your organization.

  10. In the New panel, select Cloud Apps. In the Cloud Apps panel, define which Cloud apps this policy should apply to, and then click Done.


    If assigning to all Cloud apps, ensure that an administrator will continue to have access to the Azure portal to avoid getting locked out.

  11. In the New panel, under Assignments, select Conditions, and then in the Conditions panel, select Locations.

  12. In the Locations panel, set Configure to Yes.

  13. Select Exclude, and then under Select, choose Netskope IPs.

  14. Click Done in the Locations panel, and then click Done in the Conditions panel.

  15. In the New panel, under Access Controls, select Grant, and then in the Grant panel, select Block Access and click Select.

  16. Verify all settings, set Enable policy to On, and then click Create.
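
The named location and block policy built in the steps above can also be expressed as Microsoft Graph request bodies and checked locally before the policy is switched on. The following is an added example, not Netskope or Microsoft code: the IP ranges are constructed placeholders from documentation address space, and `<named-location-id>` and `<test-group-object-id>` are placeholders for values from your own tenant.

```python
import ipaddress
import json

# Constructed placeholder ranges (RFC 5737 documentation space). The real
# Netskope ranges are not reproduced here; take them from Netskope.
NETSKOPE_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

def named_location(name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects typos such as host bits set
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    # isTrusted=False is an assumption; the steps above do not mark the location trusted.
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": False, "ipRanges": ranges}

def block_policy(name, location_id, group_ids, apps, state="enabled"):
    """Body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": name,
        "state": state,  # "enabled" corresponds to Enable policy = On
        "conditions": {
            "users": {"includeGroups": group_ids},
            "applications": {"includeApplications": apps},
            # Any location except the named location: steps 11-13.
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def decision(source_ip, location):
    """Local check of the location condition only: 'pass' if excluded, else 'block'."""
    ip = ipaddress.ip_address(source_ip)
    nets = (ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"])
    return "pass" if any(ip in n for n in nets) else "block"

if __name__ == "__main__":
    loc = named_location("Netskope IPs", NETSKOPE_RANGES)
    pol = block_policy("Block all non-Netskope IPs", "<named-location-id>",
                       ["<test-group-object-id>"], ["Office365"])
    print(json.dumps(pol, indent=2))
    for ip in ("203.0.113.77", "198.51.100.200", "2001:db8::1"):  # constructed sign-in IPs
        print(ip, decision(ip, loc))
```

A result of `pass` only means this policy does not block the sign-in; other Conditional Access policies in the tenant still apply.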