differences between 2 trusted IP ranges in Azure

John L 21 Reputation points

There are multiple places in Azure one can define trusted IP ranges. Two of them are:

  1. Security Portal\settings\cloud apps\IP address ranges
  2. Entra portal\security\named locations

What are the differences between these two lists? Which one is used as a factor in assessing risky sign-ins? The portal and MS docs say it's "Named Locations", but I was also told it's the first list.


2 answers

  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee

    @John L

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are looking for advisory on risky sign-in evaluation and the different types of IP range configuration within Microsoft Defender and Entra ID.

    Please do correct me if this is not the case by responding in the comments section:

    • What are differences between these 2 lists? Which one is used as factor in assessing risky sign-in?

    Named locations are used by Microsoft Entra security reports to reduce false positives and by Microsoft Entra Conditional Access policies. Named Locations that are marked Trusted or configured in Conditional Access Policies cannot be deleted. Learn more

    This is used for evaluating All Azure applications/API access from a certain location or IP and conditional access evaluation.

    Cloud Apps IP range are IP address ranges that allow you to tag, categorize, and customize the way logs and alerts are displayed and investigated. Each group of IP ranges can be categorized based on a preset list of IP categories.

    Built-in IP address tags and custom IP tags are considered hierarchically. Custom IP tags take precedence over built-in IP tags. For instance, if an IP address is tagged as Risky based on threat intelligence but there's a custom IP tag that identifies it as Corporate, the custom category and tags take precedence.

    This is used for evaluating first-party or O365/M365 applications from a certain location or IP.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.


    Akshay Kaushik

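To make the distinction in the answer above concrete, here is an added example (not from this thread, nor Microsoft's code) that takes the output of the Entra named-locations endpoint and checks sign-in source IPs against it, the same membership test Conditional Access and Identity Protection apply when they treat a location as trusted. It assumes the shape of a Microsoft Graph `GET /identity/conditionalAccess/namedLocations` response (`ipNamedLocation` objects carrying `isTrusted` and `ipRanges` of type `iPv4CidrRange` / `iPv6CidrRange` with a `cidrAddress`); the JSON payload, the sign-in entries, the user names and the IP ranges are all constructed sample data. Country-based named locations have no IP ranges and are skipped, and an IP that falls inside any trusted location is reported as trusted even if it also matches an untrusted one (assumed to mirror the portal's "any trusted match" behaviour).

```python
"""Audit sign-in source IPs against Entra ID trusted named locations.

Added example for the Q&A thread; not Microsoft's code. The payload and
sign-in records below are constructed sample data shaped after the
Microsoft Graph namedLocations API and the Entra sign-in log.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed sample of GET /identity/conditionalAccess/namedLocations.
SAMPLE_NAMED_LOCATIONS = json.loads("""
{
  "value": [
    {
      "@odata.type": "#microsoft.graph.ipNamedLocation",
      "id": "00000000-0000-0000-0000-000000000001",
      "displayName": "Headquarters",
      "isTrusted": true,
      "ipRanges": [
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"},
        {"@odata.type": "#microsoft.graph.iPv6CidrRange", "cidrAddress": "2001:db8:10::/48"}
      ]
    },
    {
      "@odata.type": "#microsoft.graph.ipNamedLocation",
      "id": "00000000-0000-0000-0000-000000000002",
      "displayName": "Partner VPN",
      "isTrusted": false,
      "ipRanges": [
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "198.51.100.0/25"}
      ]
    },
    {
      "@odata.type": "#microsoft.graph.countryNamedLocation",
      "id": "00000000-0000-0000-0000-000000000003",
      "displayName": "Allowed countries",
      "countriesAndRegions": ["US", "CA"],
      "includeUnknownCountriesAndRegions": false
    }
  ]
}
""")

# Constructed sign-in records, loosely shaped after Entra sign-in log fields.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.45", "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "medium"},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.99", "riskLevelDuringSignIn": "high"},
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "2001:db8:10::1", "riskLevelDuringSignIn": "low"},
]

# (displayName, isTrusted, parsed networks)
IpLocation = Tuple[str, bool, list]


def load_ip_locations(payload: dict) -> List[IpLocation]:
    """Keep only IP-based named locations; country locations carry no ipRanges."""
    locations: List[IpLocation] = []
    for loc in payload.get("value", []):
        if loc.get("@odata.type") != "#microsoft.graph.ipNamedLocation":
            continue
        # strict=False tolerates ranges entered with host bits set (e.g. 10.1.2.3/24).
        nets = [ipaddress.ip_network(r["cidrAddress"], strict=False) for r in loc.get("ipRanges", [])]
        locations.append((loc["displayName"], bool(loc.get("isTrusted", False)), nets))
    return locations


def classify_ip(ip: str, locations: List[IpLocation]) -> Dict:
    """Report which named locations contain `ip` and whether any of them is trusted."""
    result: Dict = {"ip": ip, "trusted": False, "matches": [], "error": None}
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError as exc:  # malformed or empty IP field in the log
        result["error"] = str(exc)
        return result
    for name, is_trusted, nets in locations:
        if any(addr in net for net in nets):
            result["matches"].append(name)
            if is_trusted:
                result["trusted"] = True
    return result


def audit_sign_ins(sign_ins: List[dict], locations: List[IpLocation]) -> List[Dict]:
    """Return sign-ins that carry a risk level and did not originate from a trusted location."""
    findings = []
    for entry in sign_ins:
        verdict = classify_ip(entry.get("ipAddress", ""), locations)
        risk = entry.get("riskLevelDuringSignIn", "none")
        if not verdict["trusted"] and risk != "none":
            findings.append({
                "user": entry["userPrincipalName"],
                "ip": entry.get("ipAddress", ""),
                "risk": risk,
                "named_locations": verdict["matches"],
            })
    return findings


if __name__ == "__main__":
    locs = load_ip_locations(SAMPLE_NAMED_LOCATIONS)
    for finding in audit_sign_ins(SAMPLE_SIGN_INS, locs):
        print(finding)
```

With the constructed data the audit surfaces bob (medium risk, inside the untrusted "Partner VPN" range) and carol (high risk, in no named location at all), while dave's low-risk sign-in from the trusted IPv6 headquarters range is left out, which is the effect the first answer describes: named locations marked trusted are what reduce false positives in the risk reports, whereas the Defender for Cloud Apps IP ranges only change how the same events are tagged when you look at them.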

  2. Catherine Kyalo 565 Reputation points Microsoft Employee

    Both "IP address ranges" and "Named Locations" can be used to define trusted IP ranges in Azure. However, "Named Locations" is the preferred method as it provides more flexibility and granularity in defining trusted locations.

    "Named Locations" allows you to define a name for a specific location (e.g. "Headquarters") and then specify a range of IP addresses associated with that location. You can also assign a confidence level to the location based on how secure it is (e.g. "High Confidence" for the headquarters office and "Low Confidence" for a coffee shop).

    On the other hand, "IP address ranges" only allows you to specify a range of IP addresses without any additional information or context.

    In terms of assessing risky sign-ins, Azure AD considers both "Named Locations" and "IP address ranges" when evaluating the risk of a sign-in attempt. However, "Named Locations" are given more weight in the risk assessment as they provide more context and granularity.

    Here is the link to the official Microsoft documentation on managing named locations in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#named-locations
