BrianHFASPS asked soumi-MSFT commented

Conditional Access Grant rule based on username and location only no other limiters? Location for IPV6?

I am trying to set up a few simple rules. I work at a school and access is almost all US with a little bit of France. I started by making a block rule for all locations other than US and France. That seems to have worked great. However, I now have students in a few different countries during school closures. What I wanted to do is create grant rules for specific usernames and locations. It seems the only way to have a grant rule is to add other conditions like MFA. I just want a grant rule with no other limiters beyond username and location.

The other problem is it seems some users are coming in via IPV6 (maybe cell phones) with no location data and are getting blocked. How do I deal with that other than allowing unknown locations?

azure-ad-conditional-access
soumi-MSFT answered

@BrianHFASPS, unfortunately, just providing a grant is not possible; along with the grant you would have to select one of the options available, otherwise the CA policy would not work as expected.

Secondly, there is no way for setting conditions for IPV6 as of now in CA policy. You would have to go by location as a filter using named location.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

BrianHFASPS answered soumi-MSFT commented

Thanks for the answers, disappointing I will say. It seems that there should be a way to do grants for specific situations like users traveling without just unblocking the entire country. Is there another way to do what I am trying to do?

The IPV6 issue is more concerning. I just have to let in all IPV6 traffic? So the hackers just have to use IPV6 and they can bypass CA totally? Many of my users are coming inbound via IPV6 on cell phones. This seems bad.


@BrianHFASPS, I totally agree with your concern with IPV6. To get some traction, it would be great if you can post the concern here. This is the feedback page which is looked after by the Product team.

Regarding any alternative for your setup, do allow me some time and let me think if anything else can be used that can best fit your setup, and I will share that with you in some time.
