This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
There are multiple places in Azure one can define trusted IP ranges. Two of them are:
What are differences between these 2 lists? Which one is used as factor in assessing risky sign-in? The portal and MS docs says it's "Named Locations", but I was also told it's the first list.
Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for advisory on risky signin evaluation and different types of IP range configuration within Microsoft defender and Entra ID.
Please do correct me if this is not the case by responding in the comments section:
Named locations are used by Microsoft Entra security reports to reduce false positives and by Microsoft Entra Conditional Access policies. Named Locations that are marked Trusted or configured in Conditional Access Policies cannot be deleted. Learn more
This is used for evaluating All Azure applications/API access from a certain location or IP and conditional access evaluation.
Cloud Apps IP range are IP address ranges that allow you to tag, categorize, and customize the way logs and alerts are displayed and investigated. Each group of IP ranges can be categorized based on a preset list of IP categories.
Built-in IP address tags and custom IP tags are considered hierarchically. Custom IP tags take precedence over built-in IP tags. For instance, if an IP address is tagged as Risky based on threat intelligence but there's a custom IP tag that identifies it as Corporate, the custom category and tags take precedence.
This is used for evaluating first party or O365/M365 applications from a certain location or IP .
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 28.000000000000004%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
Both "IP address ranges" and "Named Locations" can be used to define trusted IP ranges in Azure. However, "Named Locations" is the preferred method as it provides more flexibility and granularity in defining trusted locations.
"Named Locations" allows you to define a name for a specific location (e.g. "Headquarters") and then specify a range of IP addresses associated with that location. You can also assign a confidence level to the location based on how secure it is (e.g. "High Confidence" for the headquarters office and "Low Confidence" for a coffee shop).
On the other hand, "IP address ranges" only allows you to specify a range of IP addresses without any additional information or context.
In terms of assessing risky sign-ins, Azure AD considers both "Named Locations" and "IP address ranges" when evaluating the risk of a sign-in attempt. However, "Named Locations" are given more weight in the risk assessment as they provide more context and granularity.
Here is the link to the official Microsoft documentation on managing named locations in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#named-locations