I get an error when I try to add a group to a conditional access policy

Myatt Admin 25 Reputation points
2024-08-20T15:52:32.0666667+00:00

M365 Entra ID: When I try to add a group to a conditional access policy it fails with an error: Message from server: the server could not process the request because it is malformed or incorrect. 1040: NamedLocation with id 00000000-0000-0000-0000-00000000000000 does not exist in the directory.

Screenshot 2024-08-19 154102

I've tried this in multiple policies, one that I created new, and one that was already there. I tried different groups, both security and M365. I tried different browsers. I tried different GA accounts. I tried it in different M365 tenants. Same error every time.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,365 questions
0 comments No comments
{count} vote

Accepted answer
  1. Raja Pothuraju 5,255 Reputation points Microsoft Vendor
    2024-08-23T16:45:02.1866667+00:00

    Hello @Myatt Admin,

    Thank you for posting your query on Microsoft Q&A.

    I understand that you're encountering an error when trying to add a group to a Conditional Access policy. The error message reads, "Message from server: the server could not process the request because it is malformed or incorrect. 1040: NamedLocation with id 00000000-0000-0000-0000-00000000000000 does not exist in the directory."

    I want to inform you that this issue was reported by many customers on August 20th. Our Product Group (PG) team identified the problem and has since resolved it. Could you please check if you are still experiencing the same issue?

    User's image

    This issue was triggered for users who were using legacy named locations in their Conditional Access policies. If Multifactor Authentication (MFA) trusted IPs named locations were included in the Conditional Access policy, those policies were affected by this behavior. I suspect that your Conditional Access policy might have included such a named location, which is why you were unable to make any changes.

    Now that the issue has been fixed by the PG team, please check and confirm whether you are now able to successfully make changes to your Conditional Access policy.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Thanks,

    Raja Pothuraju.

    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Asha Kanta Sharma 436 Reputation points
    2024-08-20T15:55:25.85+00:00

    Check Named Locations: Navigate to the Microsoft Entra admin center (or Azure portal) and check the named locations configuration under Security > Conditional Access > Named locations.

    Remove Invalid Named Locations: If you find any named location with an ID of 00000000-0000-0000-0000-000000000000, remove or correct it. This ID represents a placeholder or invalid entry. Inspect Policies: Check all your Conditional Access policies to see if any policy references the invalid named location. Edit Policies: Edit those policies to remove or replace the invalid named location. Ensure that all references to named locations are valid and exist in your directory. Add a New Named Location: If you don’t have any valid named locations or if the existing ones are corrupted, try creating a new named location with proper configurations. Update Policies: After creating a new named location, update your Conditional Access policies to use this new named location.

    0 comments No comments

  2. Myatt Admin 25 Reputation points
    2024-08-23T16:55:02.6433333+00:00

    Thank you. Yes, I can now add the group as expected.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.