Conditional Access: Block access by location

With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn't come from.

Note

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Define locations

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access > Named locations.
  3. Choose New location.
  4. Give your location a name.
  5. Choose IP ranges if you know the specific externally accessible IPv4 address ranges that make up that location, or choose Countries/Regions.
    1. Provide the IP ranges (in CIDR notation) or select the Countries/Regions for the location you're specifying.
      • If you choose Countries/Regions, you can optionally choose to include unknown areas: IP addresses that can't be mapped to any country or region are then treated as part of this location too.
  6. Choose Save.

More information about the location condition in Conditional Access can be found in the article What is the location condition in Azure Active Directory Conditional Access.

Create a Conditional Access policy

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  6. Under Cloud apps or actions > Include, select All cloud apps.
  7. Under Conditions > Location:
    1. Set Configure to Yes.
    2. Under Include, select Selected locations.
    3. Select the blocked location you created for your organization.
    4. Click Select.
  8. Under Access controls > Grant, select Block access, and click Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to create your policy.

After confirming your settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.
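The two portal procedures above (Define locations, Create a Conditional Access policy) have a direct Microsoft Graph equivalent: a `POST` to `/identity/conditionalAccess/namedLocations` and one to `/identity/conditionalAccess/policies`. The Python below is an added example, not code from the Microsoft article; it builds those request bodies using the Graph `countryNamedLocation`, `ipNamedLocation` and `conditionalAccessPolicy` object shapes, validates the inputs the way a practitioner would before submitting them, and runs the pre-flight checks worth doing before the policy is moved from Report-only to On. The display names, GUIDs and sample address ranges are constructed placeholders; `graph_post` is a minimal helper that assumes you already hold a bearer token with the `Policy.ReadWrite.ConditionalAccess` permission.

```python
"""Added example: Graph request bodies for a named location and a block-by-location
Conditional Access policy, mirroring the portal steps in the article."""
import ipaddress
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # the portal's "Report-only" state

# Ranges that can never be a client's external address; a named location built
# from them would never match a real sign-in.
_NOT_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def country_named_location(name, country_codes, include_unknown=False):
    """countryNamedLocation body. Graph takes ISO 3166-1 alpha-2 codes ("KP"),
    not the display names the portal picker shows."""
    codes = [c.upper() for c in country_codes]
    bad = [c for c in codes if len(c) != 2 or not c.isalpha()]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2 codes: {bad}")
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": codes,
        # The portal's "include unknown areas": sign-ins whose IP has no
        # country mapping also match this location.
        "includeUnknownCountriesAndRegions": include_unknown,
        "countryLookupMethod": "clientIpAddress",
    }


def ip_named_location(name, cidrs, trusted=False):
    """ipNamedLocation body. Each entry must be a proper CIDR block (host bits
    clear) and externally routable, which is what the location step asks for."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
        if any(net.version == p.version and net.subnet_of(p) for p in _NOT_EXTERNAL):
            raise ValueError(f"{cidr} is not an externally routable range")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": trusted, "ipRanges": ranges}


def block_location_policy(name, location_ids, break_glass_user_ids, state=REPORT_ONLY):
    """conditionalAccessPolicy body for policy steps 4 to 9: all users except the
    break-glass accounts, all cloud apps, the given locations, Block access."""
    if state not in (REPORT_ONLY, "enabled", "disabled"):
        raise ValueError(f"unknown policy state {state!r}")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "locations": {"includeLocations": list(location_ids), "excludeLocations": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def preflight(policy):
    """Findings that should be empty before the policy is enforced. A block on all
    users and all apps with no excluded users or groups can lock every
    administrator out if the location definition turns out to be wrong."""
    findings = []
    cond = policy["conditions"]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    all_users = cond["users"].get("includeUsers") == ["All"]
    excluded = cond["users"].get("excludeUsers") or cond["users"].get("excludeGroups")
    if blocks and all_users and not excluded:
        findings.append("block policy on all users has no break-glass exclusion")
    if cond["locations"].get("includeLocations") in (None, [], ["All"]):
        findings.append("policy does not target a specific named location")
    if policy["state"] == "enabled":
        findings.append("state is On; confirm report-only results first")
    return findings


def graph_post(token, resource, body):
    """POST body to {GRAPH}/{resource} (namedLocations or policies)."""
    req = urllib.request.Request(
        f"{GRAPH}/{resource}", method="POST", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; in practice the location id is the "id" returned
    # by the namedLocations POST, and the user id is the break-glass account's object id.
    loc = country_named_location("Blocked countries", ["KP", "IR"], include_unknown=True)
    pol = block_location_policy("CA001: Block access by location",
                                ["00000000-0000-0000-0000-000000000000"],
                                ["11111111-1111-1111-1111-111111111111"])
    print(json.dumps(loc, indent=2))
    print(json.dumps(pol, indent=2))
    print("preflight findings:", preflight(pol))
```

The policy is created in `enabledForReportingButNotEnforced` by default, matching step 9; only after the report-only sign-in logs show the expected matches should `state` be patched to `enabled`, and `preflight` refuses to stay silent if that is attempted without a break-glass exclusion or a specific named location.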

Next steps

Conditional Access common policies

Determine impact using Conditional Access report-only mode

Simulate sign in behavior using the Conditional Access What If tool