Conditional Access: Block access by location

With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn't come from. For more information about IPv6 support, see the article IPv6 support in Microsoft Entra ID.


Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Define locations

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Named locations.
  3. Choose the type of location to create.
    1. Countries location or IP ranges location.
  4. Give your location a name.
  5. Provide the IP ranges or select the Countries/Regions for the location you're specifying.
    • If you select IP ranges, you can optionally Mark as trusted location.
    • If you choose Countries/Regions, you can optionally choose to include unknown areas.
  6. Select Create

More information about the location condition in Conditional Access can be found in the article, What is the location condition in Microsoft Entra Conditional Access

Create a Conditional Access policy

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  6. Under Target resources > Cloud apps > Include, select All cloud apps.
  7. Under Conditions > Location.
    1. Set Configure to Yes
    2. Under Include, select Selected locations
    3. Select the blocked location you created for your organization.
    4. Click Select.
  8. Under Access controls > select Block Access, and click Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Next steps

Conditional Access templates

Determine effect using Conditional Access report-only mode

Use report-only mode for Conditional Access to determine the results of new policy decisions.