
How to Block Access by Location with Conditional Access in Microsoft Entra

In today’s digital world, ensuring cybersecurity while offering flexibility to your workforce is essential. One effective way to enhance your organization’s security is through Conditional Access, especially when it comes to controlling access based on location. In this guide, we’ll walk you through defining locations and creating a Conditional Access policy in the Microsoft Entra admin center.

Defining Locations

Before you can block access by location, you’ll need to define specific locations in the Microsoft Entra admin center. Follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Choose the type of location you want to create: either Country location or IP ranges location.
  4. Give your location a meaningful name to easily identify it in the future.
  5. If you’re specifying IP ranges, provide the appropriate ranges. If choosing Countries/Regions, select the relevant areas.
  6. When specifying IP ranges, you can optionally mark the location as trusted.
  7. If you opt for Countries/Regions, there is also an option to include unknown areas.
  8. Once done, select Create.

For more information about the location condition in Conditional Access, feel free to check out the article on the Microsoft website.

Creating a Conditional Access Policy

After defining your locations, the next step is to create a Conditional Access policy.

  1. Again, sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Navigate to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Assign a meaningful name to your policy, keeping in mind the standard naming conventions for ease of management.
  5. Under Assignments, select Users or workload identities.
  6. Under Include, select All users.
  7. Under Exclude, choose Users and groups and select your organization’s emergency access or break-glass accounts.
  8. In Target resources > Cloud apps > Include, select All cloud apps.
  9. Under Network, set Configure to Yes.
  10. In Include, select Selected networks and locations, and choose the blocked location you created earlier.
  11. Click Select.
  12. Under Access controls, select Block access, and then click Select.
  13. Confirm your settings and set Enable policy to Report-only.
  14. Select Create to finalize your policy.
  15. After confirming the settings in report-only mode, you can move the Enable policy toggle from Report-only to On.
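
The same two procedures can be scripted, which makes the policy reviewable and repeatable. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK and assumes a country-based named location, placeholder country codes, hypothetical display names, and that your break-glass accounts sit in a group with the hypothetical name `CA-BreakGlass-Exclude`.

```powershell
# Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'Group.Read.All'

# Assumed values, replace with your own.
$blockedCountries    = @('XX', 'YY')            # placeholder ISO 3166-1 alpha-2 codes
$breakGlassGroupName = 'CA-BreakGlass-Exclude'  # hypothetical group name

# Lockout guard: stop unless exactly one break-glass group exists and it has members.
$groups = @(Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$breakGlassGroupName', found $($groups.Count)."
}
$group   = $groups[0]
$members = @(Get-MgGroupMember -GroupId $group.Id -Top 1)
if ($members.Count -eq 0) {
    throw "Break-glass group '$breakGlassGroupName' is empty; refusing to create a block policy."
}

# "Defining Locations": a Countries/Regions named location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries'   # hypothetical name
    countriesAndRegions               = $blockedCountries
    includeUnknownCountriesAndRegions = $false                # step 7 option
}

# "Creating a Conditional Access Policy": all users, all cloud apps,
# block from the named location, created in report-only mode.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block access from blocked countries'     # hypothetical name
    state         = 'enabledForReportingButNotEnforced'       # Report-only
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($group.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created policy $($policy.Id) in report-only mode."

# After reviewing the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = 'enabled' }
```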

By following these steps, you can effectively manage and block access based on location using Conditional Access. This enhances your organization’s cybersecurity posture and helps protect sensitive data from unauthorized access.

If you’re seeking assistance to set up effective cybersecurity measures for your business, don’t hesitate to reach out to us! At System Support, we specialize in Managed IT and Managed Cloud services tailored to fit your needs. Request a quote today!

Ashkan Dastmalchi
https://systemsupport.ca
