Block access by location with Azure AD Conditional Access
You can reduce unauthorized access by blocking access based on the location a user signs in from. With Conditional Access policies, you apply the right access controls when they are needed and stay out of your users' way when they are not. Conditional Access analyzes signals such as user, device, and location to automate decisions and enforce organizational access policies for resources. For example, when location restrictions are set in a user's profile and the user tries to sign in from a blocked location, access to customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, Dynamics 365 Project Service Automation) and finance and operations apps is denied. For more information about Conditional Access, see the Conditional Access documentation.
Prerequisites
- A subscription to Azure Active Directory Premium.
- A federated Azure Active Directory tenant. See What is Conditional Access?
Additional security considerations
Block access is enforced only during user authentication, by the Azure Active Directory Conditional Access capability. Customer engagement and finance and operations apps set a session timeout limit that balances protecting user data against the number of times users are prompted for their sign-in credentials. A change in location is therefore not enforced on an existing session from any device (including laptops) until that session timeout expires.
For example, suppose block access is set up to allow access to customer engagement and finance and operations apps only when users are working from a corporate office. When a user signs in to customer engagement and finance and operations apps using their laptop from the office and establishes a session, the user can continue to access those apps after leaving the office until the session timeout expires. This behavior also applies to mobile and offsite connections such as Dynamics 365 for Phones and Tablets, Dynamics 365 App for Outlook, and the finance and operations (Dynamics 365) mobile app.
Create a security group (optional)
You can block access for all users or for groups of users. Restricting by a group is more efficient if only a subset of your Azure Active Directory (Azure AD) users access customer engagement and finance and operations apps.
For information, see: Create a basic group and add members using Azure Active Directory.
Create a block access by location
Block access by location is set using Azure Active Directory (AD) Conditional Access. For the cloud app, select Common Data Service (now named Microsoft Dataverse) to control access to customer engagement apps (such as Dynamics 365 Sales and Customer Service), or select Microsoft Dynamics ERP to control access to finance and operations apps.
Conditional Access is available only with an Azure Active Directory Premium license. Upgrade your Azure AD to a Premium license in the Microsoft 365 admin center (https://admin.microsoft.com > Billing > Purchase services).
To create a block access by location for your users:
- Create a Named location. See Define locations.
- Create a Conditional Access policy. See Create a Conditional Access policy.
For customer engagement apps, at Step 6 of that procedure, under Cloud apps or actions, select the Microsoft Dataverse application.
For finance and operations apps, at Step 6 of that procedure, under Cloud apps or actions, select the Microsoft Dynamics ERP application.
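The two steps above (a named location, then a Conditional Access policy scoped to a group and to the Dataverse and Dynamics ERP cloud apps) can also be done with the Microsoft Graph PowerShell SDK. The script below is an added example and is not part of the Microsoft documentation or the Dynamics product; the group name, policy name, service principal display names and office IP ranges (TEST-NET addresses) are assumptions to replace for your tenant. It creates the policy in report-only mode and then reads the sign-in log, so you can confirm which sign-ins would be blocked before enforcing, and it notes the caveat from the "Additional security considerations" section that the block applies only at authentication, not to an existing session.

```powershell
# Added example (not from the Microsoft documentation): create a report-only
# Conditional Access policy that blocks Dataverse and Dynamics ERP sign-ins
# from outside the corporate office, then review what it would have done.
# Requires the Microsoft.Graph PowerShell SDK. Group name, policy name and the
# IP ranges below are constructed placeholders; replace them for your tenant.

$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'Application.Read.All', 'Group.Read.All', 'AuditLog.Read.All'

# 1. Scope to a group rather than all users (see "Create a security group").
$groupName = 'Dynamics 365 Users'                       # assumed group name
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# 2. Resolve the cloud apps by display name instead of hard-coding app IDs.
#    The Dataverse service principal is commonly listed as "Common Data Service".
$cloudApps = foreach ($name in 'Common Data Service', 'Microsoft Dynamics ERP') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId     # Conditional Access references apps by AppId, not object Id
}

# 3. Named location for the corporate office (constructed TEST-NET ranges).
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate offices'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' },
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '198.51.100.0/24' }
    )
}

# 4. Block the apps from every location except the office. Start in
#    report-only mode so nothing is enforced until the sign-in logs confirm
#    the policy matches only the sign-ins you expect.
$policyName = 'Block Dynamics 365 outside corporate offices'
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = $policyName
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($cloudApps) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
Write-Host "Created policy $($policy.DisplayName) ($($policy.Id)) in report-only mode"

# 5. Review recent Dataverse sign-ins against the policy. The block is
#    evaluated only at authentication, so an existing session keeps working
#    until its timeout expires; the log shows the decision that applies at
#    the user's next sign-in.
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Common Data Service'" -Top 50 |
    ForEach-Object {
        $applied = $_.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
        [pscustomobject]@{
            When    = $_.CreatedDateTime
            User    = $_.UserPrincipalName
            IP      = $_.IpAddress
            Country = $_.Location.CountryOrRegion
            Result  = $applied.Result   # reportOnlyFailure = would have been blocked
        }
    } | Format-Table -AutoSize
```

Once the report-only results show only the expected sign-ins with a result of reportOnlyFailure, switch the policy's state to enabled. Because the block is applied at authentication, users who already hold a session from an allowed location keep that session until the app's session timeout expires, exactly as described in the security considerations above.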
- How to set Azure AD device-based conditional access policy for access control to Azure AD connected applications
- Azure AD Conditional Access docs
- Restrict access with Conditional access for finance and operations apps