How to block TOR access on Corp devices by using Conditional Access in Entra ID


For users without a work-related need to reach the TOR network from the corporate network or on corporate devices, it may be best to block it. Implementing this is straightforward and requires only the following components:

  • Two Conditional Access Named Locations
  • One Conditional Access Policy
  • One Logic App


Named Locations:

First, create the IP ranges under Named Locations.

Here you will create two IP ranges: one for TOR IPv4 and one for TOR IPv6.


(Screenshots: Named locations, IPv4, IPv6)

Conditional Access Policy

Once both IP ranges have been created, you can move on and create the policy itself.

See below for screenshots.


(Screenshots: Policy, Users, Target resources, Network part 1/2, Network part 2/2, Conditions, Access controls - Grant)

Logic app:

The Logic App is basic and does the following:

  • Run each day at a certain time.
  • Fetch the IPs directly from the public TOR relay list.
  • Format the data.
  • Write the result into the IPv4 and IPv6 named locations using the Logic App's managed identity.


(Screenshots: Recurrence, Fetch IP from Tor)


Split and format IP addresses

// Inline Code (JavaScript) action. workflowContext exposes the outputs of earlier
// actions; "Fetch_IP_from_Tor" is the HTTP action that downloads the relay list,
// whose JSON has the shape { relays: [ { or_addresses: [ "ip:port", ... ] } ] }.
const relays = workflowContext.actions.Fetch_IP_from_Tor.outputs.body.relays || [];

const ipv4 = [];
const ipv6 = [];

// OR addresses look like "198.51.100.7:9001" or "[2001:db8::1]:9001".
// Both patterns are anchored so the port is never captured and an IPv6
// address is taken whole (compressed or not) instead of being cut at "::".
const ipv4WithPort = /^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/;
const ipv6WithPort = /^\[([0-9a-f:.]+)\]:\d+$/i;

for (const relay of relays) {
  for (const ipAddr of relay.or_addresses || []) {
    let m;
    if ((m = ipAddr.match(ipv4WithPort))) {
      ipv4.push(m[1]);
    } else if ((m = ipAddr.match(ipv6WithPort))) {
      ipv6.push(m[1].toLowerCase());
    }
  }
}

// Keep only the first occurrence of each address.
const distinct = function (value, index, array) {
  return array.indexOf(value) === index;
};

// Graph ipNamedLocation range objects: one /32 or /128 per relay address.
const formatIPv4 = function (ipAddr) {
  return { "@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": `${ipAddr}/32` };
};

const formatIPv6 = function (ipAddr) {
  return { "@odata.type": "#microsoft.graph.iPv6CidrRange", "cidrAddress": `${ipAddr}/128` };
};

return { ipv4: ipv4.filter(distinct).map(formatIPv4), ipv6: ipv6.filter(distinct).map(formatIPv6) };


(Screenshots: IPv4, IPv6)
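The two update actions send the formatted lists to Microsoft Graph. The following is an added example, not code from the original post, of how the PATCH body for one IP named location is assembled and sanity-checked before the HTTP action sends it; it rejects a malformed range, an empty list (which would silently leave the location blocking nothing after a failed fetch) and a list over the per-location cap. LOCATION_ID and MAX_RANGES_PER_LOCATION are assumptions: the first is a placeholder for the named location's object id, the second should be confirmed against the current Entra ID service limits.

```javascript
// Added example: build and validate the Graph PATCH request that updates one
// IP named location with the ranges produced by the inline-code action above.
const GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations";
// Assumed per-location cap on ipRanges; verify against the current Entra ID docs.
const MAX_RANGES_PER_LOCATION = 2000;

const IPV4_CIDR = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\/(?:3[0-2]|[12]?\d)$/;
const IPV6_CIDR = /^[0-9a-f:]+\/(?:12[0-8]|1[01]\d|[1-9]?\d)$/i;

// True when the range object has the Graph type and a syntactically valid CIDR.
function isValidRange(range) {
  const t = range["@odata.type"], c = range.cidrAddress;
  if (typeof c !== "string") return false;
  if (t === "#microsoft.graph.iPv4CidrRange") return IPV4_CIDR.test(c);
  // At most one "::" is allowed in an IPv6 address.
  if (t === "#microsoft.graph.iPv6CidrRange") return IPV6_CIDR.test(c) && c.split("::").length <= 2;
  return false;
}

// Returns { method, url, body } for the HTTP action, or throws when Graph would
// reject the list or when applying it would weaken the policy.
function buildNamedLocationPatch(locationId, displayName, ranges) {
  const bad = ranges.filter((r) => !isValidRange(r));
  if (bad.length) throw new Error("malformed range(s): " + bad.map((r) => r.cidrAddress).join(", "));
  if (ranges.length === 0) throw new Error("refusing to clear " + displayName + " (empty relay list)");
  if (ranges.length > MAX_RANGES_PER_LOCATION)
    throw new Error(`${displayName}: ${ranges.length} ranges exceeds ${MAX_RANGES_PER_LOCATION}`);
  return {
    method: "PATCH",
    url: `${GRAPH}/${locationId}`,
    body: {
      "@odata.type": "#microsoft.graph.ipNamedLocation",
      displayName: displayName,
      isTrusted: false,
      ipRanges: ranges,
    },
  };
}

// Constructed sample input in the shape the inline-code action returns.
const sampleRanges = [
  { "@odata.type": "#microsoft.graph.iPv4CidrRange", cidrAddress: "198.51.100.7/32" },
  { "@odata.type": "#microsoft.graph.iPv6CidrRange", cidrAddress: "2001:db8::1/128" },
];
const sampleRequest = buildNamedLocationPatch("LOCATION_ID", "TOR IPv4", sampleRanges);
```

The managed identity sending this request needs Policy.Read.All and Policy.ReadWrite.ConditionalAccess on Microsoft Graph.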

That should be it; your policy should be ready to test or put in production.

If any questions feel free to reach out :-)

Skip Hofmann

Principal Engineer

3 weeks

If you are using Defender for Cloud Apps, couldn't you just create an access policy to do the same thing that is described in this post?

Kristof De Pauw

Cloud Security Engineer at Inetum-Realdolmen

4 weeks
