-
Notifications
You must be signed in to change notification settings - Fork 282
/
howto-conditional-access-policy-location.yml
90 lines (83 loc) · 4.38 KB
/
howto-conditional-access-policy-location.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
### YamlMime:HowTo
---
metadata:
title: Conditional Access - Block access by location
description: Create a custom Conditional Access policy to block access to resources by IP location.
author: MicrosoftGuyJFlo
ms.author: joflore
manager: amycolannino
ms.reviewer: lhuangnorth
ms.date: 05/29/2024
ms.service: entra-id
ms.subservice: conditional-access
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
title: |
Conditional Access: Block access by location
introduction: |
With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn't come from. For more information about IPv6 support, see the article [IPv6 support in Microsoft Entra ID](/troubleshoot/azure/active-directory/azure-ad-ipv6-support).
> [!NOTE]
> Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
procedureSection:
- title: |
Define locations
summary: |
Follow these steps:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
- |
Browse to **Protection** > **Conditional Access** > **Named locations**.
- |
Choose the type of location to create.
- **Countries location** or **IP ranges location**.
- |
Give your location a name.
- |
Provide the **IP ranges** or select the **Countries/Regions** for the location you're specifying.
- If you select IP ranges, you can optionally **Mark as trusted location**.
- If you choose Countries/Regions, you can optionally choose to include unknown areas.
- |
Select **Create**
More information about the location condition in Conditional Access can be found in the article,
[What is the location condition in Microsoft Entra Conditional Access](location-condition.md)
- title: |
Create a Conditional Access policy
summary: |
Follow these steps:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
- |
Browse to **Protection** > **Conditional Access**.
- |
Select **Create new policy**.
- |
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- |
Under **Assignments**, select **Users or workload identities**.
1. Under **Include**, select **All users**.
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
- |
Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.
- |
Under **Network**.
1. Set **Configure** to **Yes**
1. Under **Include**, select **Selected networks and locations**
1. Select the blocked location you created for your organization.
1. Click **Select**.
- |
Under **Access controls** > select **Block Access**, and click **Select**.
- |
Confirm your settings and set **Enable policy** to **Report-only**.
- |
Select **Create** to create to enable your policy.
After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
relatedContent:
- text: Conditional Access templates
url: concept-conditional-access-policy-common.md
- text: Determine effect using Conditional Access report-only mode
url: howto-conditional-access-insights-reporting.md
- text: Use report-only mode for Conditional Access to determine the results of new policy decisions.
url: concept-conditional-access-report-only.md