{"id":1039,"date":"2020-04-24T19:32:58","date_gmt":"2020-04-24T19:32:58","guid":{"rendered":"https:\/\/regroove.ca\/stellark\/?p=1039"},"modified":"2023-02-24T18:06:42","modified_gmt":"2023-02-24T18:06:42","slug":"conditional-access-and-location-restrictions-in-azure-ad","status":"publish","type":"post","link":"https:\/\/regroove.ca\/stellark\/2020\/04\/24\/conditional-access-and-location-restrictions-in-azure-ad\/","title":{"rendered":"Conditional Access and Location Restrictions in Azure AD"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"168\" src=\"https:\/\/regroove.ca\/stellark\/wp-content\/uploads\/sites\/3\/2020\/04\/images-13.jpg\" alt=\"\" class=\"wp-image-1042\"\/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Steps to Set Up Conditional Access to Named Locations<\/h1>\n\n\n\n<h1 class=\"wp-block-heading\">What?<\/h1>\n\n\n\n<p>You need or want to tighten security and protect your company data.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">So What?<\/h1>\n\n\n\n<p>Perhaps you see suspicious sign-ins reported in Azure and\/or your users work remotely and sign in from external (unknown) IPs. You need to add some security to isolate data access locations without causing data access issues for your users.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Now What?<\/h1>\n\n\n\n<p>Conditional Access and Named Locations in Azure AD work well together to:<\/p>\n\n\n\n<ul>\n<li>Mitigate risk and security breaches<\/li>\n\n\n\n<li>Protect data<\/li>\n\n\n\n<li>Monitor for potential threats<\/li>\n\n\n\n<li>Provide seamless, behind-the-scenes access to legitimate users using Named Locations<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Set it Up<\/h1>\n\n\n\n<p>If you are new to Conditional Access, <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/overview\">read this first<\/a> to understand what it is and how it can 
apply to your business.<\/p>\n\n\n\n<p>In this scenario we will create Conditional Access policies for named locations and trusted IPs.<\/p>\n\n\n\n<ul>\n<li><em>Organizations can create trusted IP address ranges that can be used when making policy decisions.<\/em><\/li>\n\n\n\n<li><em>Administrators can specify entire countries IP ranges to block or allow traffic from.<\/em><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Licensing<\/h2>\n\n\n\n<p>Conditional Access features and security require Azure AD Premium P1.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Named Locations<\/h2>\n\n\n\n<p>You can create a Conditional Access Policy based on:<\/p>\n\n\n\n<ul>\n<li>Country<\/li>\n\n\n\n<li>IPs or IP ranges<\/li>\n\n\n\n<li>Or both<\/li>\n<\/ul>\n\n\n\n<p>In our scenario we will lock down access to company data to only those devices in Canada, and also to the user&#8217;s location IP for tracking and auditing purposes.<\/p>\n\n\n\n<p>The Named Location for the IP addresses could be:<\/p>\n\n\n\n<ul>\n<li>The internal IP address range of your company&#8217;s internal network<\/li>\n<\/ul>\n\n\n\n<p>OR<\/p>\n\n\n\n<ul>\n<li>The user&#8217;s home IP from their ISP<\/li>\n<\/ul>\n\n\n\n<p><em>Of course, the user&#8217;s home IP could change, since most ISPs provision dynamic addresses, so it is good to include a country to prevent issues when these IPs do change<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configure a Named Location<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><em>Location 1: Canada<\/em><\/h4>\n\n\n\n<ul>\n<li>Log in to Azure AD -&gt; Security -&gt; Named Locations<\/li>\n\n\n\n<li>Choose Add New Location<\/li>\n\n\n\n<li>Name your Location &#8220;Canada&#8221;<\/li>\n\n\n\n<li>Select &#8220;Countries\/Regions&#8221; and choose Canada<\/li>\n\n\n\n<li>Select to Create<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><em>Location 2: IP Addresses<\/em><\/h4>\n\n\n\n<ul>\n<li>Log in to Azure AD -&gt; Security -&gt; Named 
Locations<\/li>\n\n\n\n<li>Choose Add New Location<\/li>\n\n\n\n<li>Name your Location &#8220;User IP Addresses&#8221;<\/li>\n\n\n\n<li>Choose IP Ranges<\/li>\n\n\n\n<li>Enter each user&#8217;s IP address with \/32 and press Enter<\/li>\n\n\n\n<li>Continue to add addresses by selecting the ellipsis next to the address bar<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Conditional Access Policy<\/h3>\n\n\n\n<ul>\n<li>From the Security window select Conditional Access<\/li>\n\n\n\n<li>Select to create a New Policy<\/li>\n\n\n\n<li>Name your location &#8220;Location Restrictions&#8221;<\/li>\n<\/ul>\n\n\n\n<p>Configure the following:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><em>Assignments<\/em><\/h4>\n\n\n\n<p>Include:<\/p>\n\n\n\n<ul>\n<li>Select Users and Groups and choose &#8220;Users and Groups&#8221;<\/li>\n\n\n\n<li>Choose a group of users you wish to apply this policy to<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><em>Cloud Apps or Actions<\/em><\/h4>\n\n\n\n<p>Choose &#8220;All cloud Apps&#8221;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><em>Conditions<\/em><\/h4>\n\n\n\n<ul>\n<li>Device Platforms\n<ul>\n<li>Configure: Yes<\/li>\n\n\n\n<li>Include: Any Device<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Locations\n<ul>\n<li>Configure: Yes<\/li>\n\n\n\n<li>Include: Any Location<\/li>\n\n\n\n<li>Exclude: Choose &#8220;Selected Locations&#8221;<\/li>\n\n\n\n<li>Select the named locations &#8220;User IP Addresses&#8221; and &#8220;Location Restrictions&#8221;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Client Apps\n<ul>\n<li>Configure: Yes<\/li>\n\n\n\n<li>Choose all options<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Access Controls\n<ul>\n<li>Grant (Controls to be enforced): Block Access<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><em>Enable Policy<\/em><\/h4>\n\n\n\n<p>On<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Monitor Activity<\/h2>\n\n\n\n<p>Sign-in activity and applied Conditional Access Policies can be reviewed from:<\/p>\n\n\n\n<ul>\n<li>Azure Active 
Directory -&gt; Monitoring -&gt; Sign Ins<\/li>\n<\/ul>\n\n\n\n<p>When you select to review a user you can drill down into their exact means of authentication, location, policies applied and result<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Steps to Set Up Conditional Access to Named Locations What? You need\/want to tighten security and protect your company data.&nbsp; So What? Perhaps you see suspicious sign-ins reported in Azure and\/or your users work remotely and sign in from External (unknown) IP&#8217;s.&nbsp; You need to add some security to isolate data access locations without causing &hellip; <a href=\"https:\/\/regroove.ca\/stellark\/2020\/04\/24\/conditional-access-and-location-restrictions-in-azure-ad\/\"><\/a><\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[12,52,60,77],"tags":[111,240,241,173,202],"acf":[],"yoast_head_json":{"title":"Conditional Access and Location Restrictions in Azure AD - Stephanie Kahlam","canonical":"https:\/\/regroove.ca\/stellark\/2020\/04\/24\/conditional-access-and-location-restrictions-in-azure-ad\/","og_site_name":"Stephanie Kahlam","article_published_time":"2020-04-24T19:32:58+00:00","article_modified_time":"2023-02-24T18:06:42+00:00","author":"Stephanie Kahlam"}}