Reverse Proxy as a Service with Microsoft Entra ID


Use Netskope’s Reverse Proxy as a Service (RaaS) with Microsoft Entra ID (formerly Azure Active Directory or Azure AD) to redirect unmanaged or bring your own devices (BYOD), such as agentless or clientless devices, to the Netskope platform, so that access is blocked unless the connection is steered by Netskope.

This document describes the process for configuring Netskope and Microsoft Entra ID to provide an option for unmanaged devices to be redirected to the Netskope platform when accessing Microsoft 365 applications, which helps organizations ensure that any access from unmanaged devices is blocked unless the connections are steered by Netskope’s RaaS. This process can ensure data security compliance requirements are satisfied.

Vanity RaaS Support For Entra ID

Vanity URLs for RaaS (Reverse Proxy as a Service) applications address the double-authentication problem faced by users who log in at the IdP page (myapps.microsoft.com). The feature removes the need for users to authenticate a second time after the initial login by providing direct access to RaaS-configured applications, which streamlines the authentication flow.

The Vanity URL feature improves the user experience by simplifying access to RaaS applications and eliminating the additional authentication step after the initial login.

Prerequisites for Using Vanity RaaS

Ensure the configuration meets the requirements specified here.

Configuring Vanity URL

Activation of Vanity URL is managed through backend APIs.

  • Request activation from your Netskope tenant.

  • Upon confirmation, the Vanity URL can be accessed via https://saml-.goskope.com/vanity.

    Landing Domain

    You can configure a landing domain for Vanity URLs via backend API. The default landing domain is https://myapps.microsoft.com.rproxy.akme.com.

    Unsupported Features

    • Multiple landing domains are not supported simultaneously. For example, the vanity URL cannot be enabled for https://myapps.microsoft.com.rproxy.goskope.com and https://portal.office.com.rproxy.goskope.com at the same time.
    • RaaS does not function with managed devices or in Federated mode for Office accounts.

Prerequisites for Using Netskope RaaS

To use Netskope’s Reverse Proxy as a Service, you need a Microsoft Entra admin account with a P1 or higher license.

RaaS Configuration Workflow

  1. Log in to the Microsoft Entra admin center with your admin credentials.

  2. Go to Applications > Enterprise Applications and click New Application.

  3. Select Create your own application. On the Create your own application page, enter a name for the application (like Netskope Reverse Proxy), and select Integrate any other application you don’t find in the gallery (Non-gallery), and then click Create.

  4. Select Users and Groups.

  5. Click Add user/group and select Users and Groups (under Add Assignment).

  6. Enter or select the name of the user(s) or group(s) that should have the option to use the RaaS functionality (like Contractors, or 3rd party partners). Click Select and then click Assign.

  7. Select Single Sign-on.

  8. Click SAML on the Set up Single Sign-On with SAML page.

    1. On Step 1, click Edit (Entra ID requires these values to generate a SAML signing certificate):

      • Add identifier: input a temporary value, like orgid

      • Add reply URL: input a temporary value, like https://proxyacs.com

      • Click Save.

    2. On Step 3, Download the SAML Certificate (Base64)

    3. On Step 4, copy the Login URL and Microsoft Entra ID Identifier.

  9. Log in to your Netskope admin console, go to Settings > Security Cloud Platform > Reverse Proxy > SAML, and then click Add Account. Select Reverse Proxy as a Service App and enter the following:

    • Name: Enter a name for the app.

    • IdP Issuer ID: Paste the Microsoft Entra ID Identifier copied from the Entra admin center.

    • IdP SSO URL: Paste the Login URL copied from the Entra admin center.

    • IdP Certificate: Paste the contents of the SAML Signing Certificate downloaded from the Entra admin center.

    • App Landing Page: Enter https://login.microsoftonline.com.

  10. Click Save.

  11. Click Network Settings for the Reverse Proxy as a Service app you just created and copy the Organization ID and SAML Proxy ACS URL from the Settings window.

  12. Go back to the Entra admin center. Ensure that you are on the Single Sign-on configuration page for the application you created previously. Click Edit and replace the temporary values entered in Step 8 with the following:

    • Identifier (Entity ID): the Organization ID copied from the Netskope Network Settings window.

    • Reply URL (Assertion Consumer Service URL): the SAML Proxy ACS URL copied from the Netskope Network Settings window.

  13. Click Save.
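As an added check (not part of the Netskope documentation), the following Microsoft Graph PowerShell snippet reads the SAML settings of the enterprise application back and confirms that the temporary identifier (orgid) and reply URL (https://proxyacs.com) from Step 8 were actually replaced. The application display name "Netskope Reverse Proxy" and the required Microsoft.Graph modules are assumptions.

```powershell
# Added verification example, not Netskope's or Microsoft's own code.
# Assumes the Microsoft.Graph.Applications module is installed and the signed-in
# account can read applications (Application.Read.All).
Connect-MgGraph -Scopes "Application.Read.All"

$appName = "Netskope Reverse Proxy"   # assumed: the name chosen in step 3
$sp  = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"

# Identifier (Entity ID) lives on the application object, Reply URLs on the service principal.
"SSO mode       : $($sp.PreferredSingleSignOnMode)"
"Identifier(s)  : $($app.IdentifierUris -join ', ')"
"Reply URL(s)   : $($sp.ReplyUrls -join ', ')"

# Flag the placeholders from step 8 if they are still present.
$placeholders = @("orgid", "https://proxyacs.com")
$leftover = @($app.IdentifierUris + $sp.ReplyUrls) | Where-Object { $placeholders -contains $_ }
if ($leftover) {
    Write-Warning "Temporary SAML values still configured: $($leftover -join ', '). Replace them with the Organization ID and SAML Proxy ACS URL from Netskope."
} else {
    "SAML identifier and reply URL no longer use the temporary values."
}
```

The check only reads configuration; if it reports leftover placeholders, Entra ID will send assertions to the wrong ACS endpoint and the RaaS login will fail.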

The RaaS app should now be available to all users it was assigned to when they log in to:
https://myapps.microsoft.com.
Selecting a RaaS application (like Contoso M365) returns the user to the M365 sign-on page, and after re-authenticating, their connection to M365 should be redirected via the Netskope reverse proxy. Validate this by verifying that the URL address bar shows office.com.rproxy.goskope.com instead of the usual www.office.com.

Disable your Netskope Client before testing.

Conditional Access Policies are required to define the criteria to control which devices may access the M365 applications. The policy described below stops users from connecting to M365 applications unless they are coming from the Netskope platform.

  1. Return to the Entra admin center and select Protection > Conditional Access.

  2. Under Manage, select Named locations and click IP ranges location. Give a name for the new location and add the following IP address ranges:

  3. Click Create.

  4. Back on the Conditional Access configuration page, select Policies and click New Policy.

  5. Name the Access Policy (such as Block all non-Netskope IPs).

  6. Select Policy match criteria:

    • Users: Choose users or groups this policy should apply to. e.g. Contractors

    • Target resources: Cloud apps > Select apps and select the RaaS app created above (Contoso M365 and My Apps).

    • Conditions: Locations > Exclude Netskope IPs.

  7. Go to Access controls > Grant > Block access. Enable Policy Toggle On and Save.
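The named location and Conditional Access policy from steps 1 to 7, expressed with Microsoft Graph PowerShell. This is an added example and not Netskope's or Microsoft's own code; the CIDR ranges are placeholders from the TEST-NET documentation blocks (the real Netskope egress ranges are not reproduced here), and the group name "Contractors", the app name "Contoso M365" and the module names are assumptions.

```powershell
# Added example, not from the original documentation.
# Assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and
# Microsoft.Graph.Applications modules are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All","Application.Read.All"

# PLACEHOLDER ranges (RFC 5737 TEST-NET). Replace with the Netskope IP ranges
# referenced in step 2 before using this in a tenant.
$netskopeRanges = @("203.0.113.0/24", "198.51.100.0/24")

# Step 2 and 3: create the IP-based named location.
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Netskope IPs"
    isTrusted     = $false
    ipRanges      = @($netskopeRanges | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 6: resolve the target group and the RaaS enterprise app (service principal).
$group   = Get-MgGroup -Filter "displayName eq 'Contractors'"        # assumed group name
$raasApp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso M365'"  # assumed app name

# Steps 4 to 7: block access for the group to the RaaS app from every location
# except the Netskope named location.
$policyBody = @{
    displayName = "Block all non-Netskope IPs"
    state       = "enabled"   # use "enabledForReportingButNotEnforced" to stage it in report-only mode first
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($raasApp.AppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
$policy | Select-Object Id, DisplayName, State
```

Applications are referenced by their AppId in Conditional Access, not by the service principal object Id; the script resolves the app by display name and passes $raasApp.AppId for that reason. Test the policy from an unmanaged device with the Netskope Client disabled, as the documentation describes, before rolling it out to additional groups.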

Browse to https://myapps.microsoft.com/ from an unmanaged device (a device not protected by Netskope), and authenticate as a user that the Conditional Access Policy has been configured for. If you click any application other than the RaaS app (like Contoso M365), you should see the following screen:

If you can access the applications, please disable your Netskope Client.

Hide the Microsoft 365 Apps in the My Apps Portal

Users should only see the RPaaS application.

  1. Sign in to the Microsoft Entra admin center as a global administrator.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select App launchers.

  4. Select Settings.

  5. Enable the option for Users can only see Microsoft 365 apps in the Microsoft 365 portal.

  6. Select Save.

This change may take several hours to propagate.

Add Threat Protection

  1. Follow the best practices from here: https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/best-practices-for-real-time-protection-policies/best-practices-for-threat-protection-policies/.

  2. Create a new Real-time Protection policy Cloud App Access.

  3. For Source, choose Add Criteria > Access Method > Reverse Proxy.

  4. For Destination, choose Application > Application = Cloud App Suite > Microsoft Office365. Activities = Download, Upload.

  5. For Profile & Action, select Add Profile > Threat Protection Profile > Profile Name, like Default Malware Scan (predefined). Modify Severity-Based Actions to Block and select a custom notification.

  6. Name the Policy.

  7. Save the Policy.

  8. Apply the Policy.

    Example

Add DLP Protection

If you purchased Advanced DLP, OCR is enabled by default. The example below will also work on supported image files. File classifiers using machine learning, or ML, should not be combined with rules that require OCR.

  1. For more information about Data Loss Prevention (DLP): https://docs.netskope.com/en/netskope-help/data-security/data-loss-prevention/.

  2. Create a new Real-time Protection policy Cloud App Access.

  3. For Source, select Add Criteria > Access Method > Reverse Proxy.

  4. For Destination, select Application > Application = Cloud App Suite > Microsoft Office365. Activities = Download, Post, Upload.

  5. For Profile & Action, select Add Profile > DLP Profile > Profile Name. Action = Block; Template: choose a custom notification.

  6. Name the policy.

  7. Save the policy.

  8. Apply the policy.

    Example