Steps to Set Up Conditional Access to Named Locations
What?
You need/want to tighten security and protect your company data.
So What?
Perhaps you see suspicious sign-ins reported in Azure, and/or your users work remotely and sign in from external (unknown) IPs. You need to add some security that restricts data access to known locations without causing access issues for your users.
Now What?
Conditional Access and Named locations in Azure AD work well together to:
- Mitigate risk and security breaches
- Protect data
- Monitor for potential threats
- Provide seamless/behind the scenes access to legitimate users using Named Locations
Set it Up
If you are new to Conditional Access then read this first to understand what it is and how it can apply to your business.
In this scenario we will be creating Conditional Access policies for named locations and trusted IPs:
- Organizations can create trusted IP address ranges that can be used when making policy decisions.
- Administrators can specify entire countries' IP ranges to block or allow traffic from.
Licensing
Conditional Access features and security require Azure AD Premium P1.
Named Locations
You can create a Conditional Access Policy based on:
- Country
- IPs or IP ranges
- Or both
In our scenario we will lock down access to company data to devices in Canada and also to the user's own IP address, for tracking and auditing purposes.
The Named Location for the IP addresses could be:
- The internal IP address range of your company's network
OR
- The user's home IP from their ISP
Of course the user's home IP could change, since most ISPs provision dynamic addresses, so it is good to include a country as well to prevent issues when these IPs do change.
Configure a Named Location
Location 1: Canada
- Log in to Azure AD -> Security -> Named Locations
- Choose Add New Location
- Name your Location “Canada”
- Select “Countries/Regions” and choose Canada
- Select to Create
Location 2: IP Addresses
- Log in to Azure AD -> Security -> Named Locations
- Choose Add New Location
- Name your Location “User IP Addresses”
- Choose IP Ranges
- Enter each user's IP address with /32 and press Enter
- Continue to add addresses by selecting the ellipsis next to the address bar
Configure Conditional Access Policy
- From the Security window select Conditional Access
- Select to create a New Policy
- Name your policy “Location Restrictions”
Configure the following:
Assignments
Include:
- Select Users and Groups and choose “Users and Groups”
- Choose a group of users you wish to apply this policy to
Cloud Apps or Actions
- Choose “All cloud apps”
Conditions
- Device Platforms
  - Configure: Yes
  - Include: Any Device
- Locations
  - Configure: Yes
  - Include: Any Location
  - Exclude: Choose “Selected Locations”
  - Select the named locations “User IP Addresses” and “Location Restrictions”
- Client Apps
  - Configure: Yes
  - Choose all options
Access Controls
- Grant (controls to be enforced): Block Access
Enable Policy
On
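As an added example (not from the original post), the same two named locations and the blocking policy expressed as Microsoft Graph request bodies, built in Python, with a sanity check on the IP list before anything is submitted. The group ID, location IDs and sample addresses are placeholders; the policy is built in report-only state by default so its effect can be checked in the sign-in logs before anyone is actually blocked.

```python
# Added example: Graph request bodies for the named locations and the
# "Location Restrictions" policy. IDs and addresses below are placeholders.
import ipaddress

# Only RFC 1918 space is rejected: Azure AD sees the public egress IP of a
# sign-in, so an internal address in the list would never match anything.
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_country_location(name, country_codes):
    """countryNamedLocation body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": list(country_codes),  # ISO 3166-1 alpha-2, e.g. "CA"
        "includeUnknownCountriesAndRegions": False,
    }

def build_ip_location(name, addresses):
    """ipNamedLocation body. Each entry must be a single IPv4 host (/32), as in the post."""
    ranges = []
    for addr in addresses:
        net = ipaddress.ip_network(addr, strict=True)   # raises ValueError if malformed
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"{addr}: expected a single IPv4 host (/32)")
        if any(net.subnet_of(p) for p in _RFC1918):
            raise ValueError(f"{addr}: private address, will never match a sign-in")
        ranges.append({"@odata.type": "#microsoft.graph.iPv4CidrRange",
                       "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": False,
        "ipRanges": ranges,
    }

def build_location_policy(group_id, excluded_location_ids, enforce=False):
    """conditionalAccessPolicy body for POST /identity/conditionalAccess/policies.
    Report-only until enforce=True, mirroring 'Enable Policy: On' in the portal."""
    return {
        "displayName": "Location Restrictions",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(excluded_location_ids)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

The excluded location IDs are the `id` values Graph returns when the two named locations are created; pass the IDs of the locations built above, not their display names.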
Monitor Activity
Sign-in activity and the applied Conditional Access policies can be reviewed from:
- Azure Active Directory -> Monitoring -> Sign Ins
When you select a user to review you can drill down into their exact means of authentication, location, the policies applied and the result.