![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 74%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
25,149 questions
Hello @Vishesh Jain,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you're trying to block access to resources when users are outside of your office network, while allowing access from within the office network.
To achieve this, you can create a conditional access policy that blocks access for users outside your office network by excluding your office network's IP ranges. Before creating the conditional access policy, you’ll need to create a named location policy and add your office network’s IP ranges.
Follow these steps:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access > Named locations.
- Choose the type of location to create >> IP ranges location.
- Give your location a name.
- Provide the IP ranges, you can optionally Mark as trusted location.
- Select Create
Note: You must provide a named location by public IPv4 or IPv6 address ranges. For devices on a private network, the IP address isn't the client IP of the user’s device on the intranet (like 10.55.99.3), it's the address used by the network to connect to the public internet (like 198.51.100.3). Please refer below document for more information.
If you would like to know your public IP address, please do check with your ISP or search for what is my IP on Google Search, you’ll get the IP address of the computer or device where you did the search.
Now follow the below steps to create block conditional access policy:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access > Policies.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Cloud apps > Include, select All cloud apps.
- Under Network.
- Set Configure to Yes
- Under Include, select Any network or location
- Under Exclude, Select Selected networks and locations
- Select the named location you created for your organization network.
- Click Select.
- Under Access controls > select Block Access and click Select.
- Confirm your settings and set Enable policy to On.
- Select Create to create to enable your policy. After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
Note: For testing, it's always recommended to apply the policy to a test user first. Once confirmed, you can include additional users as needed.
Caution: Misconfiguring a block policy can lead to organizations being locked out, so be sure to test thoroughly.
For more details, refer to the documentation:
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
