Conditional access policy based on network location of users
Conditional access in Microsoft Entra ID allows organizations to implement policies that manage access to Microsoft cloud applications, such as Office 365, SharePoint, and Exchange Online, based on specific conditions. These conditions are predefined in the Microsoft Entra ID portal and can be customized as needed. One of the primary conditions is the device’s location, identified by the IP address of the connected network.
This guide provides administrators with step-by-step instructions for configuring Conditional Access policy location condition for users or user groups registered within Microsoft Entra ID.
Step 1: Set up named locations in Microsoft Entra ID
To use IP-based location restrictions, you first need to define the IP ranges (public IPv4 or IPv6) within the Named locations section of Microsoft Entra ID. Follow these steps to define and create IP-based named locations:
- Log in to the Microsoft Entra ID portal.
- Navigate to Protection > Conditional Access from the left pane.
- Under the Manage section, select Named locations.
- On the Named locations page, click the + IP ranges location option.
- Provide a name for the location. Optionally, you can check the box Mark as trusted location.
- Click the ‘+’ button to add the desired IP addresses. You can add multiple IP addresses, one at a time.
- After adding the required IP addresses, click Create.
Once created, the new IP range location will be listed under Named locations.
Step 2: Configure a Conditional Access policy using IP ranges
With your Named locations configured, the next step is to set up a Conditional Access policy that applies IP range-based location restrictions. This involves creating a Conditional Access policy by selecting the IP ranges as conditions and defining access controls.
Create a new policy
- Log in to the Microsoft Entra ID portal.
- Navigate to Protection > Conditional Access.
- Under the Policies section, click + Create new policy.
- Provide a name for the policy.
Define assignments
The Assignments section allows you to specify the users, groups, and resources that the policy will apply to.
- Users and Groups: Choose the users and groups that will be included or excluded from the policy. This can be specific user groups or all users within the organization.
- Cloud Apps or Actions: Choose the resources (cloud apps) or actions (e.g., sign-in attempts, access to resources) to which the policy applies.
Configure network conditions
Next, set up the network or location conditions to define when the policy will be enforced based on the network or physical location of the device.
- Enable the Configure option within the Network assignment section.
- When configuring the location, you can choose from the following options, which can be included or excluded as needed.
  - Any network or location: Applies to all IP addresses on the Internet. You can still exclude specific named locations.
  - All trusted networks and locations: The Conditional Access policy will apply to users connecting from any locations or networks specified as trusted, including:
    - All locations marked as trusted locations: This refers to the locations that have been marked as trusted in your organization’s security settings.
    - Multifactor authentication trusted IPs (if configured): These are IP addresses that have been trusted when considering multifactor authentication (MFA). If a user is accessing the organization’s resources from one of these trusted IPs, MFA will not be required.
    - All Compliant Network locations: Organizations with Global Secure Access features have an additional location that includes users and devices meeting the organization’s security policies.
  - Selected networks and locations: This option allows you to choose one or more named locations. When you click Select, a list of named locations appears, displaying their name, type, and whether the network location is marked as trusted.
Configure additional conditions
In the Conditions section, you can further refine the policy based on various conditions such as:
- Device platforms: Select the platforms (Android, iOS, Windows, macOS, and Linux) that should be included or excluded from the Conditional Access policy.
- Client apps: Client apps refer to the software a user uses to access a Microsoft cloud app. Select this option if you want to apply the policy to specific client apps (such as accessing Microsoft Office 365 through a browser or mobile application).
- Filter for devices: Apply the Conditional Access policy only to devices that meet certain criteria (e.g., device compliance status).
- Authentication flows: Configure the authentication mechanisms to be enforced.
Define access controls
In the Access controls section, configure whether to allow or block access to the resources based on the policy conditions:
- Block access: If this option is selected, access to the organization resources will be denied when the policy conditions are met.
- Grant access: Administrators can choose to enforce one or more controls when granting access. These controls include the following options:
  - Require authentication strength.
  - Require device to be marked as compliant.
  - Require Microsoft Entra hybrid joined device.
  - Require approved client app.
  - Require app protection policy.
When administrators choose to combine these options, they can use the following methods:
- Require all the selected controls.
- Require one of the selected controls.
Example scenario: Granting access based on IP address
Consider a scenario where you want to grant access only when the user is accessing the organization’s resource from a device connected to a specific IP address. You can configure the policy as follows.
- Create a Named location for the target IP address.
- When setting up the Conditional Access policy, in the Network section:
  - Under Include, select Any network or location.
  - Under Exclude, select the named location you created for the target IP address.
- In the Grant section, select Block access.
This setup ensures that access to organizational resources is granted only when the user is accessing them from a device connected to a specific IP address, while access from any other IP addresses is blocked.
Step 3: Enable the policy
After configuring the required conditions:
- Set Enable policy to On to activate the policy.
- Once all settings are configured, click Create to save and apply the Conditional Access policy.
By following these steps, administrators can configure Conditional Access policies based on IP ranges to enforce location-based restrictions and secure access to organizational resources effectively.
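The same three steps, carried out with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original guide. It implements the example scenario above (include any network or location, exclude the named location, block access). The Microsoft.Graph modules are assumed to be installed, the caller is assumed to hold a role that can manage Conditional Access, and the CIDR, group id and emergency-access account id are placeholders you replace. The policy is created in report-only mode so its effect can be reviewed before it is enforced.

```powershell
# Added example (not from the original guide): named location + block policy via Microsoft Graph.
# Assumes Microsoft.Graph modules are installed and the placeholder values below are replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder values (constructed for this example; replace before running)
$officeCidr  = "203.0.113.0/24"                          # RFC 5737 documentation range
$targetGroup = "00000000-0000-0000-0000-000000000000"    # object id of the in-scope group
$breakGlass  = "11111111-1111-1111-1111-111111111111"    # object id of the emergency-access account

# Step 1: IP-based named location (public IPv4 range), optionally marked as trusted
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $officeCidr }
    )
}

# Step 2: policy that includes "Any network or location", excludes the named location,
# and blocks. The emergency-access account is excluded from the Users assignment.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block access from outside HQ"
    state         = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions    = @{
        users        = @{ includeGroups = @($targetGroup); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Step 3: after reviewing the report-only results, switch the policy on.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
"Created policy $($policy.DisplayName) ($($policy.Id)) excluding location $($location.Id)"
```

Two design choices matter here. Excluding an emergency-access account from the Users assignment keeps administrators from being locked out of the tenant if the office egress address changes, and creating the policy with state `enabledForReportingButNotEnforced` records which sign-ins would have been blocked in the sign-in log without blocking anyone, so the named location's IP ranges can be verified against real traffic before the policy is set to `enabled`.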
What happens at the device end?
When the user attempts to log in to Microsoft services from a network with an IP address not included in the Named location configuration, the login will be blocked because the network is not authorized by the Conditional Access policy.
However, if the user attempts to log in to Microsoft services from a network with an IP address included in the Named location configuration, the login will be successful without any issues.
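To confirm the behaviour described above from the tenant's sign-in log rather than from a user's report, an added example that is not part of the original guide. It queries the Microsoft Graph sign-in log for recent sign-ins that Conditional Access failed, keeps those where a policy with the placeholder display name applied with a failure result, and lists the source IP and resolved location for each. It assumes the Microsoft.Graph.Reports module is installed and that the caller holds a role (such as Security Reader) that can read sign-in logs.

```powershell
# Added example (not from the original guide): verify blocked sign-ins from the sign-in log.
# Assumes Microsoft.Graph.Reports is installed; the policy name below is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Block access from outside HQ"   # placeholder; use your policy's display name

# Sign-ins where Conditional Access produced a failure, then narrowed to this policy
$blocked = Get-MgAuditLogSignIn -Filter "conditionalAccessStatus eq 'failure'" -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName -and $_.Result -eq "failure" }
    }

# Source IP and resolved location show which networks are hitting the block;
# an unexpected office address here usually means the named location's ranges are incomplete.
$blocked |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
        @{ n = "Location"; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Running the same query while the policy is still in report-only mode shows the sign-ins it would have blocked (their applied-policy entry carries a report-only result instead of `failure`), which is the check to do before enforcing the policy.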