Reverse Proxy as a Service with Microsoft Entra ID
Use Netskope’s Reverse Proxy as a Service (RaaS) with Microsoft Entra ID (Azure Active Directory or Azure AD) to redirect unmanaged or bring-your-own (BYOD) devices, that is, devices connecting agentlessly or without a client, to the Netskope platform so that access is blocked unless the connections are steered by Netskope.
This document describes the process for configuring Netskope and Microsoft Entra ID to provide an option for unmanaged devices to be redirected to the Netskope platform when accessing Microsoft 365 applications, which helps organizations ensure that any access from unmanaged devices is blocked unless the connections are steered by Netskope’s RaaS. This process can ensure data security compliance requirements are satisfied.
Vanity RaaS Support For Entra ID
Vanity URLs for RaaS (Reverse Proxy as a Service) applications address the double authentication users face when logging in through the IdP page (myapps.microsoft.com): after the initial login they are prompted to authenticate a second time. A Vanity URL gives users direct access to RaaS-configured applications, so the additional authentication step after the initial login is no longer needed.
Prerequisites for Using Vanity RaaS
Ensure the configuration meets the requirements specified here.
Configuring Vanity URL
Activation of Vanity URL is managed through backend APIs.
- Request activation from your Netskope tenant.
- Upon confirmation, the Vanity URL can be accessed via https://saml-.goskope.com/vanity.
Landing Domain
You can configure a landing domain for Vanity URLs via backend API. The default landing domain is https://myapps.microsoft.com.rproxy.akme.com.
Unsupported Features
- Multiple landing domains are not supported simultaneously. For example, the vanity URL cannot be enabled for https://myapps.microsoft.com.rproxy.goskope.com and https://portal.office.com.rproxy.goskope.com at the same time.
- RaaS does not function with managed devices or in Federated mode for Office accounts.
Prerequisites for Using Netskope RaaS
To use Netskope’s Reverse Proxy as a Service, you need a Microsoft Entra admin account with a P1 or higher license.
RaaS Configuration Workflow
- Log in to the Microsoft Entra admin center with your admin credentials.
- Go to Applications > Enterprise Applications and click New Application.
- Select Create your own application. On the Create your own application page, enter a name for the application (like Netskope Reverse Proxy), select Integrate any other application you don’t find in the gallery (Non-gallery), and then click Create.
- Select Users and Groups.
- Click Add user/group and select Users and Groups (under Add Assignment).
- Enter or select the name of the user(s) or group(s) that should have the option to use the RaaS functionality (like Contractors or 3rd party partners). Click Select and then click Assign.
- Select Single Sign-on.
- Click SAML on the Set up Single Sign-On with SAML page.
- On Step 1, click Edit (Entra ID requires these values to generate a SAML signing certificate):
  - Add identifier: input a temporary value, like orgid.
  - Add reply URL: input a temporary value, like https://proxyacs.com.
  - Click Save.
- On Step 3, download the SAML Certificate (Base64).
- On Step 4, copy the Login URL and Microsoft Entra ID Identifier.
- Log in to your Netskope admin console, go to Settings > Security Cloud Platform > Reverse Proxy > SAML, and then click Add Account. Select Reverse Proxy as a Service App and enter the following:
  - Name: Enter a name for the app.
  - IdP Issuer ID: Paste the Microsoft Entra ID Identifier copied from the Entra admin center.
  - IdP SSO URL: Paste the Login URL copied from the Entra admin center.
  - IdP Certificate: Paste the contents of the SAML Signing Certificate downloaded from the Entra admin center.
  - App Landing Page: Enter https://login.microsoftonline.com.
- Click Save.
- Click Network Settings for the Reverse Proxy as a Service app you just created and copy the Organization ID and SAML Proxy ACS URL from the Settings window.
- Go back to the Entra admin center. Ensure that you are on the Single Sign-on configuration page for the application you created previously. Click Edit and enter the following:
  - Identifier ID (Entity ID): Paste the Organization ID copied in the previous step (replacing the temporary orgid value from Step 8).
  - Reply URL: Paste the SAML Proxy ACS URL copied in the previous step (replacing the temporary https://proxyacs.com value from Step 8).
  If you have SSO configured with other Netskope services and receive the error “Please enter an Identifier which is unique within your organization”, see https://support.netskope.com/s/article/Unable-to-configure-SSO-login-for-Administration-with-Azure-AD-when-Netskope-Reverse-Proxy-RPaaS-as-a-Service-is-configured or ask your account team to enable multiple IdP support for your tenant.
- Click Save.
The RaaS app should now be available to all users it was assigned to when they log in to https://myapps.microsoft.com.
Selecting an RPaaS application (like Contoso M365) returns the user to the M365 sign-in page, and after re-authenticating, their connection to M365 should be redirected through the Netskope reverse proxy. Validate this by verifying that the URL address bar shows office.com.rproxy.goskope.com instead of the usual www.office.com.
Conditional Access Policies are required to define the criteria to control which devices may access the M365 applications. The policy described below stops users from connecting to M365 applications unless they are coming from the Netskope platform.
- Return to the Entra admin center and select Protection > Conditional Access.
- Under Manage, select Named locations and click IP ranges location. Give a name for the new location and add the following IP address ranges:
  - 8.36.116.0/24
  - 31.186.239.0/24
  - 8.39.144.0/24
  - 163.116.128.0/17
  - 162.10.0.0/17
  For the current list of FedRAMP High IPs, see https://support.netskope.com/s/article/NewEdge-Consolidated-List-of-IP-Range-for-Allowlisting (a Support account is required).
- Click Create.
- Back on the Conditional Access configuration page, select Policies and click New Policy.
- Name the Access Policy (such as Block all non-Netskope IPs).
- Select Policy match criteria:
  - Users: Choose the users or groups this policy should apply to (like Contractors).
  - Target resources: Cloud apps > Select apps and select the RaaS app created above (Contoso M365 and My Apps).
  - Conditions: Locations > Exclude Netskope IPs.
- Go to Access controls > Grant > Block access. Enable Policy Toggle On and Save.
Browse to https://myapps.microsoft.com/ from an unmanaged device (a device not protected by Netskope) and authenticate as a user the Conditional Access policy applies to. Clicking any application except the RaaS app (like Contoso M365) should show the following screen:
If you can still access the applications, make sure the Netskope Client is disabled on the test device: traffic steered by the client egresses from the Netskope IP ranges and is therefore allowed by the policy.
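The policy logic described above, as an added example that is not part of the original article: a Python model of the Conditional Access decision (Any location included, the Netskope named location excluded, grant control Block access) evaluated over constructed sign-in records. The CIDRs are the ones from the named location step; the group name, app names and sign-in records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IP ranges entered into the "Netskope IPs" named location (the article's list;
# the live list is kept in the Netskope support article cited above).
NETSKOPE_LOCATION = [ipaddress.ip_network(c) for c in (
    "8.36.116.0/24", "31.186.239.0/24", "8.39.144.0/24",
    "163.116.128.0/17", "162.10.0.0/17",
)]
IN_SCOPE_GROUPS = {"Contractors"}             # constructed group name
IN_SCOPE_APPS = {"Contoso M365", "My Apps"}   # target resources from the article

@dataclass
class SignIn:
    """One sign-in attempt as Conditional Access sees it (constructed record)."""
    group: str
    app: str
    source_ip: str

def from_netskope(ip: str) -> bool:
    """True when the source address is inside the named location. An IPv6
    source never matches these IPv4 ranges, so it counts as a direct connection."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETSKOPE_LOCATION)

def conditional_access_decision(event: SignIn) -> str:
    """Model the policy: Users = group, Target resources = RaaS app and My Apps,
    Locations = Any location with the Netskope named location excluded, Grant =
    Block access. 'block' when every assignment matches; otherwise the policy
    does not fire and the sign-in is 'not applicable' to it."""
    if event.group not in IN_SCOPE_GROUPS:
        return "not applicable"
    if event.app not in IN_SCOPE_APPS:
        return "not applicable"
    if from_netskope(event.source_ip):
        return "not applicable"  # excluded location: steered through Netskope
    return "block"

# Constructed sign-ins: steered via Netskope, direct from a home network,
# a group the policy does not target, and an app outside the policy scope.
SAMPLE = [
    SignIn("Contractors", "Contoso M365", "163.116.200.10"),
    SignIn("Contractors", "Contoso M365", "203.0.113.7"),
    SignIn("Employees", "Contoso M365", "203.0.113.7"),
    SignIn("Contractors", "Other SaaS", "203.0.113.7"),
]

if __name__ == "__main__":
    for event in SAMPLE:
        print(f"{event.group:12} {event.app:13} {event.source_ip:16} -> "
              f"{conditional_access_decision(event)}")
```

Only the direct connection from a targeted user to a targeted app is blocked; everything else falls outside the policy and is decided by whatever other policies apply.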
Hide the Microsoft 365 Apps in the My Apps Portal
Users should only see the RPaaS application.
- Sign in to the Microsoft Entra admin center as a global administrator.
- Browse to Identity > Applications > Enterprise applications.
- Select App launchers.
- Select Settings.
- Enable the option Users can only see Microsoft 365 apps in the Microsoft 365 portal.
- Select Save.
Add Threat Protection
- Follow the best practices from here: https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/best-practices-for-real-time-protection-policies/best-practices-for-threat-protection-policies/.
- Create a new Real-time Protection policy for Cloud App Access.
- For Source, choose Add Criteria > Access Method > Reverse Proxy.
- For Destination, choose Application > Application = Cloud App Suite > Microsoft Office365. Activities = Download, Upload.
- For Profile & Action, select Add Profile > Threat Protection Profile > Profile Name, like Default Malware Scan (predefined). Modify Severity-Based Actions to Block and select a custom notification.
- Name the policy.
- Save the policy.
- Apply the policy.
Add DLP Protection
If you purchased Advanced DLP, OCR is enabled by default. The example below will also work on supported image files. File classifiers using machine learning, or ML, should not be combined with rules that require OCR.
- For more information about Data Loss Prevention (DLP), see https://docs.netskope.com/en/netskope-help/data-security/data-loss-prevention/.
- Create a new Real-time Protection policy for Cloud App Access.
- For Source, select Add Criteria > Access Method > Reverse Proxy.
- For Destination, select Application > Application = Cloud App Suite > Microsoft Office365. Activities = Download, Post, Upload.
- For Profile & Action, select Add Profile > DLP Profile > Profile Name. Action = Block. Template: Choose a custom notification.
- Name the policy.
- Save the policy.
- Apply the policy.