Conditional Access: Block access by location

With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn't come from. For more information about IPv6 support, see the article IPv6 support in Microsoft Entra ID.

Note

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Prerequisites

None

Define locations

Follow these steps:

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Microsoft Entra ID > Security > Conditional Access > Named locations.

  3. Choose the type of location to create.

    • Countries location or IP ranges location.
  4. Give your location a name.

  5. Provide the IP ranges or select the Countries/Regions for the location you're specifying.

    • If you select IP ranges, you can optionally Mark as trusted location.
    • If you choose Countries/Regions, you can optionally choose to include unknown areas.
  6. Select Create

    More information about the location condition in Conditional Access can be found in the article, What is the location condition in Microsoft Entra Conditional Access