Reverse Proxy as a Service with Microsoft Entra ID

Use Netskope’s Reverse Proxy as a Service (RaaS) with Microsoft Entra ID (formerly Azure Active Directory or Azure AD) to redirect unmanaged or bring-your-own devices (BYOD), which have no Netskope Client installed (agentless or clientless access), to the Netskope platform, so that access is blocked unless the connections are steered by Netskope.

This document describes the process for configuring Netskope and Microsoft Entra ID to provide an option for unmanaged devices to be redirected to the Netskope platform when accessing Microsoft 365 applications, which helps organizations ensure that any access from unmanaged devices is blocked unless the connections are steered by Netskope’s RaaS. This process can ensure data security compliance requirements are satisfied.

Note

It is expected behavior for the user to log in a second time. If you require single sign-on, discuss this with your account team.

Prerequisites

To use Netskope’s Reverse Proxy as a Service, you need a Microsoft Entra admin account with a P1 or higher license.

Workflow

Configuring Netskope’s Reverse Proxy as a Service for M365 apps includes these primary steps:

  1. Create the RaaS app.
  2. Test the RaaS app.
  3. Configure the conditional access policy.
  4. Validate the conditional access policy.
  5. (optional) Hide the Microsoft 365 apps from the My Apps portal.
  6. (optional) Add Threat Protection.
  7. (optional) Add Data Loss Prevention (DLP) protection.

Create the RaaS App

  1. Log in to the Microsoft Entra admin center with your admin credentials.
  2. Go to Applications > Enterprise Applications and click New Application.
  3. Select Create your own application. On the Create your own application page, enter a name for the application (like Netskope Reverse Proxy), and select Integrate any other application you don’t find in the gallery (Non-gallery), and then click Create.
  4. Select Users and Groups.
  5. Click Add user/group and select Users and Groups (under Add Assignment).
  6. Enter or select the name of the user(s) or group(s) that should have the option to use the RaaS functionality (like Contractors, or 3rd party partners). Click Select and then click Assign.
  7. Select Single Sign-on.
  8. Click SAML on the Set up Single Sign-On with SAML page.
    1. On Step 1, click Edit (Entra ID requires these values to generate a SAML signing certificate).
      • Add identifier: input a temporary value, like orgid
      • Add reply URL: input a temporary value, like https://proxyacs.com
      • Click Save.
    2. On Step 3, download the SAML Certificate (Base64).
    3. On Step 4, copy the Login URL and Microsoft Entra ID Identifier.
  9. Log in to your Netskope admin console, go to Settings > Security Cloud Platform > Reverse Proxy > SAML, and then click Add Account. Select Reverse Proxy as a Service App and enter the following:
    • Name: Enter a name for the app.
    • IdP Issuer ID: Paste the Microsoft Entra ID Identifier copied from the Entra admin center.
    • IdP SSO URL: Paste the Login URL copied from the Entra admin center.
    • IdP Certificate: Paste the contents of the SAML Signing Certificate downloaded from the Entra admin center.
    • App Landing Page: Enter https://login.microsoftonline.com.
  10. Click Save.
  11. Open the Settings window of the Reverse Proxy as a Service app you just created and copy the Organization ID and SAML Proxy ACS URL.
  12. Go back to the Entra admin center. Ensure that you are in the Single Sign-on configuration page for the application you created previously and enter the following:
    On Step 1, Click Edit.

    • Identifier ID (Entity ID): Paste the Organization ID copied in the previous step (replace orgid from Step 8).
    • Reply URL: Paste the SAML Proxy ACS URL copied in the previous step (replace https://proxyacs.com from Step 8).

    If you have SSO configured with other Netskope services and receive the following error:

    “Please enter an Identifier which is unique within your organization”

    See the following article, or request that your account team enable multiple IdP support for your tenant: https://support.netskope.com/s/article/Unable-to-configure-SSO-login-for-Administration-with-Azure-AD-when-Netskope-Reverse-Proxy-RPaaS-as-a-Service-is-configured.

  13. Click Save.

Test the RaaS App

Important

Disable your Netskope Client before testing.

The RaaS app should now be available to all assigned users when they log in to https://myapps.microsoft.com.
Selecting the RPaaS application (like Contoso M365) returns the user to the M365 sign-in page; after re-authenticating, their connection to M365 should be redirected through the Netskope reverse proxy. Validate this by checking that the browser address bar shows office.com.rproxy.goskope.com instead of the usual www.office.com.

Configure the Conditional Access

Conditional Access Policies are required to define the criteria to control which devices may access the M365 applications.
The policy described below stops users from connecting to M365 applications unless they are coming from the Netskope platform.

  1. Go back to the Entra admin center and select Protection > Conditional Access.
  2. Under Manage, select Named locations and click IP ranges location
      1. Name your new location (such as Netskope IPs) and add the following IP address ranges:
        • 8.36.116.0/24
        • 31.186.239.0/24
        • 8.39.144.0/24
        • 163.116.128.0/17
        • 162.10.0.0/17

        Note

        FedRAMP High IPs are different from those shown here. The current list can be found here: https://support.netskope.com/s/article/NewEdge-Consolidated-List-of-IP-Range-for-Allowlisting (a Support account is required).

      2. Click Create.
      3. Back on the Conditional Access configuration page, select Policies and click New Policy.
      4. Name the Access Policy (such as Block all non-Netskope IPs).
      5. Select Policy match criteria:
        • Users: Choose the users or groups this policy applies to (like Contractors).
        • Target resources: Cloud apps > Select apps and select the RaaS app created above (Contoso M365 and My Apps).
        • Conditions: Locations > Exclude Netskope IPs.
      6. Access controls > Grant > Block access.
      7. Enable Policy Toggle On and Save.
        Example:
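The named location and block policy configured in steps 2 through 7 above can also be expressed as Microsoft Graph request bodies, which makes the configuration reviewable and repeatable across tenants. The following is an added example, not Netskope or Microsoft code: it builds the `ipNamedLocation` and `conditionalAccessPolicy` bodies using the public Graph v1.0 resource shapes, validates every CIDR range before it is sent, and includes a small local model of the policy so you can confirm which source addresses would be blocked. The group ID and application ID are placeholders to be replaced with the object IDs from your own tenant; the policy is created in report-only state so sign-in logs can be checked before enforcement is switched on.

```python
"""Graph request bodies for the "Block all non-Netskope IPs" Conditional
Access setup, plus a local evaluator for the resulting policy.

Added example (not Netskope or Microsoft code). Resource shapes follow the
Microsoft Graph v1.0 schema for ipNamedLocation and conditionalAccessPolicy.
"""
import ipaddress
import json

# Netskope egress ranges from the procedure above (non-FedRAMP). Check the
# Netskope allowlisting article for the current list before deploying.
NETSKOPE_RANGES = [
    "8.36.116.0/24",
    "31.186.239.0/24",
    "8.39.144.0/24",
    "163.116.128.0/17",
    "162.10.0.0/17",
]

# Placeholders: replace with the object IDs from your Entra tenant.
CONTRACTORS_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder
RAAS_APP_ID = "00000000-0000-0000-0000-000000000002"           # placeholder


def named_location_body(display_name="Netskope IPs", ranges=NETSKOPE_RANGES):
    """Body for POST /identity/conditionalAccess/namedLocations.

    Each range is parsed as a strict CIDR block first, so a typo raises here
    instead of silently creating an exclusion that never matches.
    """
    ip_ranges = []
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=True)
        odata = ("#microsoft.graph.iPv4CidrRange" if net.version == 4
                 else "#microsoft.graph.iPv6CidrRange")
        ip_ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": False,
        "ipRanges": ip_ranges,
    }


def block_policy_body(named_location_id, group_id=CONTRACTORS_GROUP_ID,
                      app_id=RAAS_APP_ID,
                      display_name="Block all non-Netskope IPs"):
    """Body for POST /identity/conditionalAccess/policies.

    Mirrors the UI steps: scoped to the group, targets the RaaS app, location
    condition is "all locations except the Netskope named location", and the
    grant control is Block. State is report-only until you flip it to "enabled".
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [named_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def access_blocked(client_ip, ranges=NETSKOPE_RANGES):
    """Local model of the policy: a sign-in is blocked unless it arrives from
    a Netskope egress address (the excluded location), i.e. it was steered."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    print(json.dumps(named_location_body(), indent=2))
    print(json.dumps(block_policy_body("<named-location-id>"), indent=2))
    # Constructed sample source addresses: one inside a Netskope range,
    # one documentation address (RFC 5737) standing in for a home network.
    for ip in ("8.36.116.10", "203.0.113.5"):
        print(ip, "blocked" if access_blocked(ip) else "allowed")
```

Send the first body to `/identity/conditionalAccess/namedLocations`, take the `id` from the response, and pass it to `block_policy_body` before posting the second body to `/identity/conditionalAccess/policies` with any Graph client that holds the `Policy.ReadWrite.ConditionalAccess` permission. The `access_blocked` helper is the check to run against the source addresses you see in the Entra sign-in logs while the policy is in report-only mode: anything that reports `blocked` but is expected to work is a device whose traffic is not yet steered through Netskope.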

Validate the Conditional Access Policy

Browse to https://myapps.microsoft.com/ from an unmanaged device (a device not protected by Netskope), and authenticate as a user the Conditional Access Policy applies to.
If you click any application except the RaaS app (like Contoso M365), you should see the following screen:

If you are still able to access the applications, disable your Netskope Client.

Hide the Microsoft 365 Apps in the My Apps Portal

Users should only see the RPaaS application.

  1. Sign in to the Microsoft Entra admin center as a global administrator.
  2. Browse to Identity > Applications > Enterprise applications.
  3. Select App launchers.
  4. Select Settings.
  5. Enable the option Users can only see Microsoft 365 apps in the Microsoft 365 portal.
  6. Select Save.

This change may take several hours to propagate.

Add Threat Protection

  1. Follow the best practices from here: https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/best-practices-for-real-time-protection-policies/best-practices-for-threat-protection-policies/.
  2. Create a new Real-time Protection policy of type Cloud App Access.
  3. For , choose Add Criteria > Access Method > Reverse Proxy.
  4. For , choose Application > Application = Cloud App Suite > Microsoft Office365.
     Activities = Download, Upload.
  5. For , select Add Profile > Threat Protection Profile > Profile Name, like Default Malware Scan (predefined). Change Severity-Based Actions to Block and select a custom notification.
  6. Name the policy.
  7. Save the policy.
  8. Apply the policy.

Example:

Add DLP Protection

Note

If you purchased Advanced DLP, OCR is enabled by default. The example below will also work on supported image files. File classifiers using machine learning (ML) should not be combined with rules that require OCR.

  1. For more information about Data Loss Prevention (DLP), see https://docs.netskope.com/en/netskope-help/data-security/data-loss-prevention/.
  2. Create a new Real-time Protection policy of type Cloud App Access.
  3. For , select Add Criteria > Access Method > Reverse Proxy.
  4. For , select Application > Application = Cloud App Suite > Microsoft Office365.
     Activities = Download, Post, Upload.
  5. For , select Add Profile > DLP Profile > Profile Name.
     Action = Block. Template: choose a custom notification.
  6. Name the policy.
  7. Save the policy.
  8. Apply the policy.

Example:

For DLP testing, search the internet for DLP sample data.
