Conditional Access and Location Restrictions in Azure AD

Steps to Set Up Conditional Access to Named Locations

What?

You need/want to tighten security and protect your company data. 

So What?

Perhaps you see suspicious sign-ins reported in Azure and/or your users work remotely and sign in from external (unknown) IPs. You need to add some security that restricts the locations from which data can be accessed, without causing data access issues for your users.

Now What?

Conditional Access and Named locations in Azure AD work well together to:

  • Mitigate risk and security breaches
  • Protect data
  • Monitor for potential threats
  • Provide seamless/behind the scenes access to legitimate users using Named Locations

Set it Up

If you are new to Conditional Access then read this first to understand what it is and how it can apply to your business

In this scenario we will be creating Conditional Access policies for named locations and trusted IPs.

  • Organizations can create trusted IP address ranges that can be used when making policy decisions.
  • Administrators can block or allow traffic from the IP ranges of entire countries.

Licensing

Conditional Access features and security require Azure AD Premium P1

Named Locations

You can either create a Conditional Access Policy based on:

  • Country
  • IPs or IP ranges
  • Or both

In our scenario we will lock down access to company data to devices in Canada only, and also to each user's own IP address for tracking and auditing purposes.

The Named Location for the IP addresses could be:

  • The internal IP address range of your company's network

OR

  • The user's home IP from their ISP

Of course the user's home IP could change, since most ISPs provision dynamic addresses, so it is good to include a country as well to prevent issues when these IPs do change.

Configure a Named Location

Location 1: Canada

  • Login to Azure AD -> Security -> Named Locations
  • Choose Add New Location
  • Name your Location “Canada”
  • Select “Countries/Regions” and choose Canada
  • Select to Create

Location 2: IP Addresses

  • Login to Azure AD -> Security -> Named Locations
  • Choose Add New Location
  • Name your Location “User IP Addresses”
  • Choose IP Ranges
  • Enter each user's IP address with /32 and press Enter
  • Continue to add addresses by selecting the ellipsis next to the address bar

Configure Conditional Access Policy

  • From the Security window select Conditional Access
  • Select to create a New Policy
  • Name your policy “Location Restrictions”

Configure the following:

Assignments

Include:

  • Select Users and Groups and choose “Users and Groups”
  • Choose a group of users you wish to apply this policy to

Cloud Apps or Actions

Choose “All cloud Apps”

Conditions

  • Device Platforms
    • Configure: Yes
    • Include: Any Device
  • Locations
    • Configure: Yes
    • Include: Any Location
    • Exclude: Choose “Selected Locations”
    • Select the named locations created above: “User IP Addresses” and “Canada”
  • Client Apps
    • Configure: Yes
    • Choose all options
  • Access Controls
    • Grant (Controls to be enforced): Block Access

Enable Policy

On
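The portal steps above (two named locations, then a policy that blocks every sign-in from anywhere else) can also be scripted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the group ID, emergency-access user ID and IP addresses are placeholders you replace with your own. It deliberately creates the policy in report-only mode and excludes a break-glass account, so that the sign-in logs can confirm who would be blocked before the policy is switched to enabled.

```powershell
# Added example (not from the original post): scripted equivalent of the portal
# steps, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; admin can consent to the scopes
# below; the IDs and IP addresses are placeholders to be replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Location 1: country named location "Canada" (ISO 3166-1 alpha-2 code CA).
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    # A sign-in whose IP cannot be mapped to any country is NOT treated as Canada.
    includeUnknownCountriesAndRegions = $false
}

# Location 2: each user's current public IP as a /32.
# Placeholder addresses from the RFC 5737 documentation range; replace them.
$userIps = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "User IP Addresses"
    # Left untrusted: marking home IPs as trusted would also suppress
    # Identity Protection risk detections for sign-ins from them.
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" },
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.11/32" }
    )
}

# Policy: block every sign-in by the target group from any location other than
# the two named locations just created.
$targetGroupId    = "00000000-0000-0000-0000-000000000000"   # placeholder: group to restrict
$breakGlassUserId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency-access account

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Location Restrictions"
    # Report-only first; change to "enabled" once the sign-in logs show that
    # only the intended sign-ins would have been blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }   # "All cloud apps"
        platforms      = @{ includePlatforms = @("all") }      # Device platforms: any
        clientAppTypes = @("all")                               # Client apps: all options
        locations      = @{
            includeLocations = @("All")                         # Any location ...
            excludeLocations = @($canada.Id, $userIps.Id)       # ... except these two
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                            # Grant: Block access
    }
}

"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

The exclusion of the emergency-access account matters because the policy applies to "All cloud apps", which includes the Azure portal itself: a mistake in the IP list or country lookup would otherwise lock the administrators out along with everyone else.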

Monitor Activity

Sign-in activity and the applied Conditional Access policies can be reviewed from:

  • Azure Active Directory -> Monitoring -> Sign Ins

When you select a user's sign-in you can drill down into their exact means of authentication, location, policies applied and result.
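Reviewing sign-ins one at a time in the portal does not scale, and the most likely false positive under this policy is a legitimate user whose ISP handed them a new address. The following added example (not from the original post) pulls the last day of sign-ins through the Microsoft Graph PowerShell SDK and summarises those the "Location Restrictions" policy blocked, or would have blocked in report-only mode, by user, IP and country. It assumes the Microsoft.Graph module is installed and that the administrator can consent to the AuditLog.Read.All scope; the policy name matches the one created above.

```powershell
# Added example (not from the original post): summarise sign-ins that the
# "Location Restrictions" policy blocked (or would block in report-only mode).
# Assumptions: Microsoft.Graph module installed; AuditLog.Read.All consent.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Location Restrictions"
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter on time only; the per-policy result is evaluated locally
# because it lives inside the appliedConditionalAccessPolicies collection.
$blocked = Get-MgAuditLogSignIn -Top 500 -Filter "createdDateTime ge $since" |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object {
                $_.DisplayName -eq $policyName -and
                $_.Result -in @("failure", "reportOnlyFailure")
            }
    }

# One row per user/IP/country: a Canadian user appearing once from a single
# new IP is probably a dynamic-address change; many users from one foreign
# IP, or one user from several countries in a day, deserves a closer look.
$blocked |
    Select-Object UserPrincipalName, IpAddress, CreatedDateTime,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
        @{ n = "City";    e = { $_.Location.City } } |
    Group-Object UserPrincipalName, IpAddress, Country |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

When a blocked entry turns out to be a legitimate user on a new home address, update the /32 in the "User IP Addresses" named location rather than loosening the policy; if the same user keeps changing address, the country condition alone is the sustainable control for them.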
