Why Anonymous Networks Are a Risk

Anonymous networks such as Tor exit nodes, VPNs, and public proxy services are frequently used to hide a user’s real location and identity. While these tools have legitimate privacy use cases, they are also commonly abused for:

  • Credential stuffing and password spray attacks

  • Bypassing geo-based security controls

  • Obscuring attacker attribution during compromised sign-ins

For Microsoft 365 environments, allowing unrestricted access from these networks significantly increases the risk of account compromise, especially for cloud-first organizations.

Blocking Tor and Anonymous Proxies with Conditional Access

We can block sign-ins from Tor and other anonymous proxies by combining:

  • Microsoft Entra Conditional Access (CA) with Conditional Access App Control

  • Microsoft Defender for Cloud Apps (MDCA) with a custom Access Policy

How it works

  • Conditional Access policy

    • Targets the users and cloud apps in scope (for example, all users and all cloud apps, or a specific group), and excludes break-glass / emergency accounts and any specific high-risk apps that need separate handling.

    • Under Session, selects Use Conditional Access App Control and sets it to Use custom policy. No other grant or session controls are required. Then turn the policy on.

  • Defender for Cloud Apps Access Policy

    In the Defender for Cloud Apps portal, navigate to Control > Policies and create a new Custom Access Policy. Assign an appropriate severity level to the policy (for example, Low).

    Policy name: Block anonymous Tor and botnet traffic
    Description: This policy, in combination with Conditional Access, blocks access from IP addresses associated with Tor, anonymous proxies, and botnets.

    Policy conditions:

    • Activities matching all of the following:

      • IP address tag equals Anonymous proxy, Botnet, or Tor

    Actions:

    • Block access

    • Customize the block message, for example:
      “Organizational policy prevents access to this service from the Tor network or other anonymous proxies.”

    Optionally, configure the policy to send an alert by email to administrators when it is triggered.
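The Conditional Access half of the setup above can also be created with Microsoft Graph PowerShell. The following is an added example, not code from the original post; the break-glass group id is a placeholder, and the Defender for Cloud Apps access policy itself is still created in the portal as described.

```powershell
# Added example (not from the original post): creates the Conditional Access
# policy that routes sessions to Defender for Cloud Apps via Microsoft Graph.
# Assumes the Microsoft.Graph modules are installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object id of the group that holds break-glass / emergency accounts.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Route sessions to Defender for Cloud Apps (block Tor and anonymous proxies)"
    # Start in report-only mode, review the sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    sessionControls = @{
        # Session -> Use Conditional Access App Control -> Use custom policy
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Check the sign-in logs for "Report-only" results against the excluded break-glass group before enabling, since the MDCA block applies to every session the policy routes.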

Test the policy

It was time to validate whether the solution worked as intended. A sign-in to the Office portal was attempted using the Tor Browser, and the authentication flow was routed through Microsoft Defender for Cloud Apps via its reverse proxy.

After entering valid credentials and completing MFA, the session was evaluated against the configured Conditional Access App Control and Defender for Cloud Apps access policies. Because the sign-in originated from a known Tor exit node, the access policy was triggered and the sign-in was blocked, presenting a clear message to the user explaining why access was denied.

This confirms that the combination of Conditional Access and Defender for Cloud Apps effectively prevents access from Tor and other anonymous proxy networks.

By admin