How-to: Providing secure access to Microsoft Azure with Parallels Browser Isolation

What is Parallels Browser Isolation (PBI)?

Parallels Browser Isolation (PBI) is a comprehensive, cloud-native solution that offers highly secure access to web applications and SaaS via a preferred web browser. It is a remote browser isolation solution that offers Zero Trust protection from cybersecurity threats and aligns with industry security standards for safety, protection, and compliance.

Parallels Browser Isolation is a fully hosted remote browser isolation service, with a control plane and containerized browser instances. It’s scalable, flexible, and agentless, offering a highly adaptable and secure solution for all users within an organization.


Why would you like to set up secure access to Microsoft Azure with Parallels Browser Isolation (PBI)?

As with many SaaS applications, users can access Microsoft Azure from any device and any location by default.

Conditional access in Microsoft Entra ID (formerly Azure AD) enables you to impose restrictions on managed devices or specific network ranges. However, it’s important to understand that these restrictions are applicable only to managed devices.

What if you want to enforce restrictions without the use of VPN agents? Or suppose you aim to apply access controls to bring-your-own-device (BYOD) scenarios or non-Windows-based devices?

Adding to these challenges, it’s crucial to note that conditional access focuses solely on securing entry points. It does not extend to controlling actions within Microsoft Azure (or any other SaaS application) once access is granted.

What if your security needs include stopping users from downloading data while permitting uploads? Or suppose you need to disable copy/paste functions, prevent screenshot capture, and block printing capabilities? These requirements align with a Zero Trust security model, yet such specific restrictions cannot be achieved through traditional conditional access or role-based access controls alone.

Parallels Browser Isolation enables you to route all Microsoft Azure access through a remote browser. This setup allows for geo-blocking, restricting access exclusively to locations associated with PBI IP addresses.

Following this configuration, only users who adhere to the PBI policies and belong to the designated access groups will be granted the ability to connect to Azure. Furthermore, the policy engine empowers you to specify permissible actions within Azure, such as copy/paste, upload, download, print, and others, offering a tailored and secure user experience.

[Figure: PBI Azure Portal diagram]

Implement conditional access on Azure

For the first step, you must set up Microsoft Azure to exclusively permit access from PBI IP addresses. You can do this by setting up conditional access within Microsoft Entra ID (formerly known as Azure AD). Activating this conditional access feature requires a Microsoft Entra ID P1 license. The process starts with establishing a Named Location that encompasses the IP addresses associated with Parallels Browser Isolation.

As an admin, go to “Microsoft Entra ID” —> “Security” —> “Named Locations”. Click on “+ IP ranges location” and give this location a unique name. In my case, I called this location “Parallels Browser Isolation”. Add all IP addresses used by Parallels Browser Isolation. The list can be found online in this KB article: https://kb.parallels.com/en/130095.

When adding the different IP addresses, add a /32 to the end to identify that these are single IPs and not ranges.

Once this is done, go to “Microsoft Entra ID” —> “Security” —> “Conditional Access”.

Click on “+ Create new policy” and give it a unique name. In my case, I called it “PBI Only Policy”.

In configuring the policy, the initial step involves selecting the ‘Users’ to whom the policy will apply. It’s advisable to begin with a small user group for testing purposes before expanding the policy to include a broader audience.

Important: Make sure you exclude at least a few users from this policy, as you might need to get back into Microsoft Azure if there are configuration or other issues with your conditional access configuration. If you include everyone and you have an issue, you can’t log in to Microsoft Azure anymore and therefore can’t make any changes to the conditional access settings in “Microsoft Entra ID”.

Next, we need to select the “Target Resources” and select “Include”.

If you want to protect your Azure portal only, then choose the “Select apps” option and “Select” only “Microsoft Admin Portals”. This application covers access to Microsoft Azure and some other management portals.

Important: If you choose the “All cloud apps” option, take into account that you might have configured your Parallels Browser Isolation (PBI) solution to be federated with “Microsoft Entra ID”, and therefore you need to make sure you exclude the application that was created in “Microsoft Entra ID” for PBI from this policy. If not, you won’t be able to log in to PBI.

On the “Conditions” settings, we now have to enable the “Locations” filter. We want to have this policy enabled for all locations except for the “Parallels Browser Isolation” location created in the first step of this procedure.

To do this, under “Include”, select “Any Network”, and under “Exclude”, select “Select Locations” and pick the “Named Location” you created earlier, in my case the “Parallels Browser Isolation” location.

The other conditions like “User risk”, “Sign-in risk”, “Device platforms”, “Client apps,” and “Filter for devices” can remain in the default configuration and don’t need to be modified.

The final steps are to set the “Access Controls” to “Block access”, set “Enable policy” to “On,” and save it.
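
The portal steps above, expressed as Microsoft Graph request bodies for the named location and the conditional access policy, plus a check for the lockout conditions the “Important” notes describe. This is an added example, not part of the original article or of Parallels' tooling; the function names, IP addresses and object IDs are constructed placeholders, and the real PBI addresses come from the KB article.

```python
import ipaddress

def named_location(name, addresses):
    """Graph ipNamedLocation body; every entry must be a single IPv4 host (/32)."""
    ranges = []
    for addr in addresses:
        net = ipaddress.ip_network(addr.strip())  # a bare IP parses as /32
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"{addr}: expected a single IPv4 address (/32)")
        ranges.append({"@odata.type": "#microsoft.graph.iPv4CidrRange",
                       "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": False, "ipRanges": ranges}

def block_policy(name, location_id, include_groups, exclude_users,
                 apps=("MicrosoftAdminPortals",), exclude_apps=()):
    """Graph conditionalAccessPolicy body: block everywhere except location_id."""
    return {
        "displayName": name, "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": list(include_groups),
                      "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": list(apps),
                             "excludeApplications": list(exclude_apps)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def lockout_risks(policy, pbi_app_id=None):
    """Return the lockout conditions the article warns about, if present."""
    cond, risks = policy["conditions"], []
    users, apps = cond["users"], cond["applications"]
    if not (users.get("excludeUsers") or users.get("excludeGroups")):
        risks.append("no excluded users: a bad policy locks every admin out")
    if ("All" in apps["includeApplications"]
            and pbi_app_id not in apps.get("excludeApplications", [])):
        risks.append("all cloud apps targeted, PBI app not excluded (matters if PBI is federated)")
    if not cond["locations"].get("excludeLocations"):
        risks.append("PBI named location not excluded: PBI would be blocked too")
    return risks

# Constructed sample values: documentation-range IPs and placeholder object IDs.
PBI_IPS = ["203.0.113.10", "198.51.100.24/32"]
LOCATION = named_location("Parallels Browser Isolation", PBI_IPS)
POLICY = block_policy("PBI Only Policy", "<named-location-id>",
                      ["<pilot-group-id>"], ["<break-glass-user-id>"])
RISKS = lockout_risks(POLICY)
```

The two bodies correspond to POST requests against `/identity/conditionalAccess/namedLocations` and `/identity/conditionalAccess/policies` in Microsoft Graph; the ID returned for the named location replaces the `<named-location-id>` placeholder.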

Publish Microsoft Azure as a Secure Web Application in Parallels Browser Isolation (PBI)

Now that the conditional access is configured, your next step is to make sure the users can access Microsoft Azure via Parallels Browser Isolation (PBI).

To do this, log in and go to the PBI admin portal. Click on “Applications” —> “Add Application” —> “Secure Web Application”.

Start by setting the “Name” and the “Icon”. Set “https://portal.azure.com” as the start URL.

Under “Domains”, you now have to specify all URLs that are used by Azure.

For some SaaS applications, this is a single domain, but for Microsoft Azure, the list is pretty long (this is the full list of all domain names used by Microsoft Azure).

You can add the individual subdomains or only the main domains. In the example below, we simplified the list to include only the main domains, not the individual subdomains. We also added all possible domains: not just the ones linked to the Microsoft Azure login, but those of all the individual services.

The following domains have been added:

aadrm.com

azconfig.io

azure.com

azure.net

azureedge.net

azuresynapse.net

loganalytics.io

login.live.com

microsoft.com

microsoftonline-p.com

microsoftonline.com

msauth.net

msauthimages.net

msftauth.net

msftauthimages.net

office.com

status.microsoft

trafficmanager.net

windows.net

Under “Access for secure web applications”, select the users or groups in PBI that must have access to Microsoft Azure. Optionally, select an extra policy you want to apply to this application. If the policy doesn’t exist yet, you must first save the application, create a new policy, and then edit the app and assign the newly created policy.

Before creating the policy, don’t forget to save the configuration. You do this by clicking “Add” at the bottom of the screen.

Once that is done you will see the app in the list of published apps.


In this example, I want extra security on top of Microsoft Azure and, therefore, will create an extra policy to block “copy/paste”, “download”, and “printing” and have a watermark on the screen to make it more difficult to take screenshots.

To create a new policy, click on “Policies” —> “Add” in the right menu bar.

Again, we start with setting a “Name”. My policy will be called “Microsoft Apps Policy”, and the idea is that I can apply this same policy to other published Microsoft applications I may want to publish in PBI later.

I want to apply the policy to all users, so I will set the filter for “Users and Groups” to disabled.

Same for the “Active Hours”, I keep it set to disabled.

For the “Location”, I can implement the geo-restriction. As we have restricted access to Azure to only PBI IP addresses with conditional access, we can’t set country-based geo-restrictions at that level.

In my example, I have geo-restricted Microsoft Azure access to “Belgium”, “France”, “Germany”, “Italy”, “Netherlands”, “Portugal” and “Spain”.

On the “Security controls/Policy Features,” I enabled the “Disable printing”, “Disabled downloads,” and “Disable Clipboard” features.

Under “Security controls/End-user experience,” I enabled the following features:

The “Restrict URLs” options don’t need to change here — they can stay on the default values.

Finish creating the policy by clicking on “Save”. Now that the policy has been created, go back to the “Azure Portal” application and add the “Microsoft Apps Policy” to the application.

Test the setup

Now that we have published the “Azure Portal” application on PBI and configured the conditional access on Microsoft Entra ID, we can test if the setup works. First, we try to open it directly from the web browser.

This should not work, as the conditional access only allows connections from the Parallels Browser Isolation IP addresses.


If we do the same thing but via Parallels Browser Isolation, it works. Also, note the watermark and the blue bar around the screen.

Now you have set up secure access to Microsoft Azure via Parallels Browser Isolation!
