

    Configure a Best Practice Conditional Access Policy for Custom Apps in Azure

    To ensure that custom apps in Azure are only accessible by the AvePoint Online Services production environment, follow the steps below to configure a conditional access policy.

    1. Log in to the Microsoft Entra admin center (or the Microsoft Azure portal) and navigate to Protection (or Microsoft Entra ID > Security) > Conditional Access > Named locations.

    2. Click IP ranges location.

    3. In the New location (IP ranges) right pane, complete the steps below:

      1. Name this location.

      2. Click + to add IP ranges based on the reserved IP addresses downloaded from AvePoint Online Services. For details on the reserved IP addresses, see Download a List of Reserved IP Addresses.

      3. Click Create.

      Configuring a new IP ranges location.

    4. Go to the Overview page and click Create new policy.

      Clicking Create new policy.

    5. Refer to the following instructions to configure a new policy:

      1. Enter a policy name.

      2. Click Users or workload identities, select Workload identities, choose Select service principals, and select your custom apps for AvePoint cloud services.

        *Note: The Workload identities license is required for the Users or workload identities option to appear.

        Configuring "Users or workload identities".

      3. Click Conditions, click Locations, toggle Configure to Yes, choose the Selected locations option under the Exclude tab, and select the location created in the New location (IP ranges) step.

        Configuring Conditions to add the created IP ranges location.

      4. Click Grant and select Block access.

        Setting Grant to Block access.

      5. Toggle the Enable policy option to On.

        Setting the Enable policy option to On.

      6. Click Create.
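
A consistency check for the finished policy, as an added example that is not part of the AvePoint or Microsoft documentation: it assumes the policy and the named location have been exported as JSON in the Microsoft Graph `conditionalAccessPolicy` and `ipNamedLocation` shape, and every ID and IP range in it is a constructed placeholder. It reports ranges that are exempt from the block without being on the reserved list, reserved ranges that are missing, and settings that differ from the steps above.

```python
import ipaddress

# Constructed sample data in the shape Microsoft Graph uses for
# ipNamedLocation and conditionalAccessPolicy; all IDs and ranges are placeholders.
RESERVED = ["203.0.113.0/28", "198.51.100.16/29"]   # stands in for the downloaded list
LOCATION = {"id": "loc-0001", "ipRanges": [
    {"cidrAddress": "203.0.113.0/28"},
    {"cidrAddress": "192.0.2.0/24"}]}                # stale range, not in RESERVED
POLICY = {
    "state": "enabled",
    "conditions": {
        "clientApplications": {"includeServicePrincipals": ["sp-0001"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-0001"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

def audit(policy, location, reserved_cidrs, sp_ids):
    """Return findings; an empty list means the policy matches the procedure."""
    findings = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    if (policy.get("grantControls") or {}).get("builtInControls") != ["block"]:
        findings.append("grant control is not Block access")
    targeted = set((cond.get("clientApplications") or {}).get("includeServicePrincipals") or [])
    for sp in sorted(set(sp_ids) - targeted):
        findings.append(f"service principal {sp} is not covered")
    locs = cond.get("locations") or {}
    # Assumption: Include stays at any location ("All"), so the block applies
    # everywhere except the excluded named location.
    if "All" not in (locs.get("includeLocations") or []):
        findings.append("included locations do not cover all locations")
    if (locs.get("excludeLocations") or []) != [location["id"]]:
        findings.append("excluded locations differ from the reserved-IP location")
    allowed = {ipaddress.ip_network(r["cidrAddress"]) for r in location.get("ipRanges", [])}
    reserved = {ipaddress.ip_network(c) for c in reserved_cidrs}
    for net in sorted(allowed - reserved, key=str):
        findings.append(f"{net} is exempt from the block but not reserved")
    for net in sorted(reserved - allowed, key=str):
        findings.append(f"{net} is reserved but missing from the location")
    return findings

if __name__ == "__main__":
    for finding in audit(POLICY, LOCATION, RESERVED, ["sp-0001"]):
        print("FINDING:", finding)
```

Rerunning the check whenever the reserved IP list is downloaded again catches a named location that has drifted from it.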