How do I block a specific IP address range from logging into Microsoft 365?

Ted Jones 0 Reputation points
2024-07-29T17:41:19.6866667+00:00

I have a user in Sweden. MFA is enabled on his account, but a login from Diamond Bar, California consistently shows up. The user claims that he does not use a VPN service and is not logged in during the times that the login log shows. The IP address range is consistent. How can I block the IP address range?

The login audit shows

Multifactor authentication: Status Success

Continuous access evaluation: No

Additional Details: MFA requirement satisfied by claim in the token

Thanks

Ted

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Abiola Akinbade 29,405 Reputation points Volunteer Moderator
    2024-07-29T22:04:55.48+00:00

    Hello Ted Jones,

    Thanks for your question.

    With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. You can do this by following the steps here: Conditional Access: Block access by location

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola


  2. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2024-07-30T04:25:59.33+00:00

    @Ted Jones

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to block a user's sign-ins from one specific IP range, as you are seeing some untrusted sign-ins from a few IP addresses for this user.

    Yes, you can block this IP range in Entra ID. As Akinbade Abiola mentioned above, you can use the Conditional Access feature in Entra ID to block sign-ins from specific IP ranges.

    Microsoft Entra Conditional Access brings signals together, to make decisions, and enforce organizational policies.

    Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action.

    Yes, using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

    Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

    You can configure a Conditional Access policy based on an IP range. You will first have to create a named location in Entra ID using the required IP ranges.

    After that, you can use the named locations you created in Conditional Access policies.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-location

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

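The two steps the answers above describe (create a named location from the IP range, then use it in a Conditional Access policy that blocks access), as an added example using the Microsoft Graph PowerShell SDK; it is not part of either answer. The CIDR range, display names and emergency-access account ID are placeholders, and the report-only state, the emergency-access exclusion and the /8 to /32 sanity check are choices made for this example.

```powershell
# Added example. Every value in this first section is a placeholder to replace.
$BlockedCidrs = @('203.0.113.0/24')   # documentation range, NOT the range from the question
$BreakGlassId = '<object-id-of-emergency-access-account>'
$LocationName = 'Blocked - suspicious sign-in range'
$PolicyName   = 'Block sign-in from blocked IP range'

# Requires the Microsoft.Graph.Identity.SignIns module and a Conditional Access admin role.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Check each range locally before sending anything to Graph, so a typo
# cannot turn into a far broader block than intended.
foreach ($cidr in $BlockedCidrs) {
    $addr, $prefix = $cidr -split '/'
    $ip = [System.Net.IPAddress]::Parse($addr)   # throws on a malformed address
    if ($ip.AddressFamily -ne 'InterNetwork' -or [int]$prefix -lt 8 -or [int]$prefix -gt 32) {
        throw "Refusing range '$cidr': expected an IPv4 CIDR with a prefix from /8 to /32"
    }
}

# Step 1: named location holding the IP range(s), not marked as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $LocationName
    isTrusted     = $false
    ipRanges      = @($BlockedCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Step 2: policy that blocks all apps for all users when the sign-in comes
# from that location. Created in report-only mode so the effect can be
# reviewed in the sign-in logs before it is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = $PolicyName
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$policy | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs show the policy matching only the intended sign-ins, set its state to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy`) to enforce the block.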
