The Conditional Access Policy is not working correctly. Network location restrictions by IP address are not applied; why has it stopped working?

Adam 0 Reputation points
2025-02-26T07:12:32.31+00:00

We have a Conditional Access Policy that is no longer working correctly. The network location restrictions are not applied.

This is an MFA policy that authenticates admin users from specific network locations; it now allows access from ANY network location. It is not restricting devices to the network location IPs that we specifically defined in the Network location section, and this is therefore a risk. The policy and definitions have been in place for a long time and were working up to today. They are no longer working.


3 answers
  1. Adam 0 Reputation points
    2025-02-26T19:14:35.8766667+00:00

    Hi Andy,

    We took extensive sign-in logs, and the specific Conditional Access policy is applied, but as mentioned the restriction on the IP address range we defined under Location (now Network) is not. The policy is not working as it should, and it's a mystery why it suddenly STOPPED respecting the location restrictions by IP address. A separate Block policy we created also uses a network location restriction and has also stopped working: a very simple policy that says, for these accounts, block their access UNLESS they are coming from the restricted network IP addresses (our company network). It's a simple rule that worked before but suddenly doesn't.


  2. Andy David - MVP 153.7K Reputation points MVP
    2025-02-26T19:19:12.6266667+00:00

    Interesting. I know Microsoft is now enforcing MFA for portal access regardless of location, but it sounds like something else is going on here and busted. I think a ticket with Azure support is in order.

    :(


  3. Adam 0 Reputation points
    2025-03-04T22:45:17.12+00:00

    Thank you for your comments.

    We worked with Microsoft support and found that limiting the IPv6 range down to "this host" with /128 (which in IPv6 lingo means a single host), instead of a higher subnet, enabled the policy to function as intended.

    Regarding your comment "highly recommended that you select the "Include unknown areas" checkbox": I think whether to use this depends on whether you are doing positive or negative logic.

    For example, with a negative-logic Block access policy we are saying "Prevent all access from any location EXCEPT from specific IP addresses". In that case, if I understand correctly, we would only have very specific IP addresses and would not want to risk "Include unknown areas" at all. But perhaps for countries you are right that it may be useful in that particular case. Thanks again for your comments!
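The two policies discussed in this thread (a "block unless from the corporate named location" rule, and the /128 IPv6 fix that made it evaluate correctly) can be checked offline against exported sign-in records. The script below is an added example, not code from the thread or from Microsoft: it models a named location as a list of CIDR ranges, replays constructed sign-in log entries through the block-unless-trusted rule, and flags any sign-in whose recorded outcome differs from what the policy definition should have produced. The named-location ranges, usernames and log entries are all constructed placeholders; the second function also shows why a /128 entry matches only one host while a wider prefix would admit its neighbours.

```python
import ipaddress

# Constructed named-location definition (placeholder ranges from the
# documentation address blocks, not the poster's real corporate egress).
# Entra named locations can mix IPv4 and IPv6 CIDR entries.
TRUSTED_LOCATION_RANGES = [
    "203.0.113.0/24",            # IPv4 office egress (constructed)
    "2001:db8:abcd:1::10/128",   # single IPv6 host, as in the /128 fix from the thread
]

# Constructed sign-in log entries: who signed in, from which IP, and what
# result the service recorded. These are made up for the example.
SIGN_INS = [
    {"user": "admin1@example.test", "ip": "203.0.113.40",        "observed": "allow"},
    {"user": "admin1@example.test", "ip": "198.51.100.7",        "observed": "allow"},
    {"user": "admin2@example.test", "ip": "2001:db8:abcd:1::10", "observed": "allow"},
    {"user": "admin2@example.test", "ip": "2001:db8:abcd:1::11", "observed": "allow"},
]


def parse_ranges(cidrs):
    """Turn named-location CIDR strings into network objects.

    strict=False mirrors a lenient UI: host bits set in a prefix are masked off
    rather than rejected, which is itself worth noticing during a review.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_named_location(ip, networks):
    """True if the sign-in address falls inside any range of the named location.

    Membership is checked per address family; an IPv4 address never matches an
    IPv6 range and vice versa.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def evaluate_block_policy(ip, networks):
    """The negative-logic rule from the thread: block unless from a trusted range."""
    return "allow" if in_named_location(ip, networks) else "block"


def find_policy_gaps(sign_ins, cidrs):
    """Replay sign-ins through the policy and return those whose recorded
    outcome contradicts what the named-location definition should enforce.

    Each gap is (user, ip, expected_result, observed_result).
    """
    networks = parse_ranges(cidrs)
    gaps = []
    for rec in sign_ins:
        expected = evaluate_block_policy(rec["ip"], networks)
        if expected != rec["observed"]:
            gaps.append((rec["user"], rec["ip"], expected, rec["observed"]))
    return gaps


def prefix_admits(ip, cidr):
    """Show how prefix length changes what a single named-location entry admits:
    a /128 admits exactly one IPv6 host, a /64 admits the whole subnet."""
    return in_named_location(ip, parse_ranges([cidr]))


if __name__ == "__main__":
    for gap in find_policy_gaps(SIGN_INS, TRUSTED_LOCATION_RANGES):
        user, ip, expected, observed = gap
        print(f"GAP: {user} from {ip}: policy should {expected}, service recorded {observed}")
    neighbour = "2001:db8:abcd:1::11"
    print("neighbour host admitted by /128:", prefix_admits(neighbour, "2001:db8:abcd:1::10/128"))
    print("neighbour host admitted by /64: ", prefix_admits(neighbour, "2001:db8:abcd:1::/64"))
```

Run against a real export, the gap list is the set of sign-ins to investigate: an "allow" from outside every trusted range means the policy did not apply as written, which is exactly the symptom the thread describes. The prefix comparison is the quick way to confirm what a given named-location entry actually covers before changing it.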

