Conditional Access policies are, in their most basic form, an if-then statement that combines signals to make decisions and enforce organizational policies. One of these signals is location.
IPv6 connectivity to Azure Active Directory (Azure AD): We will start rolling out IPv6 support to Azure AD services gradually starting April 3, 2023. Organizations using named locations in Conditional Access or Identity Protection must take steps to avoid potential service impact.
Organizations can use this location for common tasks such as:
- Require multi-factor authentication for users who access a service when they are outside the corporate network.
- Block access to users accessing a service from certain countries or territories from which your organization never operates.
The location is determined from the public IP address that a client provides to Azure Active Directory, or from GPS coordinates provided by the Microsoft Authenticator app. Conditional Access policies apply by default to all IPv4 and IPv6 addresses. For more information on IPv6 support, see the article IPv6 support in Azure Active Directory.
Conditional Access policies are applied after first-factor authentication completes. Conditional Access is not intended to be an organization's first line of defense for scenarios such as denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
Locations are found under Azure Active Directory > Security > Conditional Access > Named locations. These named network locations can include locations such as an organization's headquarters network ranges, VPN network ranges, or ranges that you want to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions.
IPv4 and IPv6 address ranges
To define a named location using IPv4/IPv6 address ranges, specify:
- A Name for the location.
- One or more IP ranges.
- Optionally, Mark as trusted location.
Named locations defined by IPv4/IPv6 address ranges are subject to the following restrictions:
- Configure up to 195 named locations.
- Configure up to 2,000 IP ranges per named location.
- IPv4 and IPv6 ranges are supported.
- The number of IP addresses in a range is limited. Only CIDR masks greater than /8 are allowed when defining an IP range.
Locations such as your organization's public network ranges can be marked as trusted. This flag is used by several features in different ways.
- Conditional Access policies can include or exclude these locations.
- Sign-ins from trusted named locations improve the accuracy of Azure AD Identity Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted.
- Locations marked as trusted cannot be deleted. Remove the trusted designation before attempting to delete them.
Even if you know the network and mark it as trusted, that doesn't mean you should exclude it from the policies you apply. Verifying explicitly is a core principle of a Zero Trust architecture. For more information on Zero Trust and other ways to align your organization with its guiding principles, see the Zero Trust Guidance Center.
Organizations can determine country/region location using IP address or GPS coordinates.
To define a named location by country/region, specify:
- A Name for the location.
- Choose to determine location by IP address or GPS coordinates.
- Add one or more countries/regions.
- Optionally choose Include unknown countries/regions.
If you choose Determine location by IP address, the system collects the IP address of the device the user signs in from. When a user signs in, Azure AD resolves the user's IPv4 or IPv6 address (as of April 3, 2023) to a country or region, and the mapping is updated regularly. Organizations can use named locations defined by countries/regions to block traffic from countries/regions where they do not do business.
If you choose Determine location using GPS coordinates, the user must have the Microsoft Authenticator app installed on their mobile device. Every hour, the system contacts the user's Microsoft Authenticator app to collect the GPS location of the user's mobile device.
The first time the user needs to share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions. For the next 24 hours, if the user still accesses the resource and has granted the app permission to run in the background, the device's location is shared silently once every hour.
- After 24 hours, the user must open the application and approve the notification.
- Users who have additional context or number matching enabled in the Microsoft Authenticator app will not receive silent notifications and will need to open the app to approve notifications.
Each time the user shares their GPS location, the app performs jailbreak detection (using the same logic as the Intune MAM SDK). If the device is jailbroken, the location is considered invalid and the user is denied access. The Microsoft Authenticator app on Android uses the Google Play Integrity API to facilitate jailbreak detection. If the Google Play Integrity API is unavailable, the request is denied and the user cannot access the requested resource unless the Conditional Access policy is disabled.
A conditional access policy with GPS-based named locations in Report Only mode requires users to share their GPS location even if they are not prevented from signing in.
GPS location does not work with passwordless authentication methods.
Multiple Conditional Access policies can ask users for their GPS location before all of them are applied. Due to the way Conditional Access policies are enforced, a user may be denied access if they pass the location check but another policy fails. For more information on how policies are enforced, see the article Building a Conditional Access policy.
Users can receive hourly notifications that Azure AD is verifying their location in the Authenticator app. The preview should only be used to protect highly sensitive apps where this behavior is acceptable or where access must be restricted to a specific country/region.
Include unknown countries/regions
Some IP addresses are not associated with a specific country or region. To capture these IP locations, check the box Include unknown countries/regions when defining a geographic location. This option allows you to choose whether to include these IP addresses in the named location. Use this option when the policy that uses the named location should apply to unknown locations.
- Sign in to the Azure portal as a Conditional Access Administrator or Security Administrator.
- Navigate to Protection > Conditional Access > Named locations.
- Choose New location.
- Give your location a name.
- Choose IP ranges if you know the specific externally accessible IPv4 address ranges that make up this location, or Countries/regions.
- Provide the IP ranges or select the Countries/regions for the location you are specifying.
  - If you choose Countries/regions, you can optionally choose to include unknown areas.
Location condition in policy
When configuring the location condition, you can distinguish between:
- Any location
- All trusted locations
- All Network Access locations of my tenant
- Selected locations
By default, selecting Any location causes a policy to apply to all IP addresses, that is, to any address on the Internet. This setting is not limited to the IP addresses that you configured as named locations. When you select Any location, you can still exclude specific locations from a policy. For example, apply a policy to all locations except trusted locations to set the scope to all locations except the corporate network.
All trusted locations
This option applies to:
- All locations marked as trusted.
- MFA Trusted IPs, if configured.
Multi-factor authentication trusted IPs
It is no longer recommended to use the trusted IPs section of the multi-factor authentication service settings. This control accepts only IPv4 addresses and should be used only for the specific scenarios described in the article Configure settings for Azure AD multi-factor authentication.
If you have configured these trusted IPs, they appear as MFA Trusted IPs in the location list for the location condition.
All Network Access locations of my tenant
Organizations with access to Global Secure Access preview features have an additional location in the list, made up of users and devices that comply with your organization's security policies. For more information, see the section Enable Global Secure Access signaling for Conditional Access. It can be used with Conditional Access policies to perform a compliant network check for access to resources.
Selected locations
This option allows you to select one or more named locations. For a policy with this setting to apply, a user must connect from one of the selected locations. When you choose Select, the named network selection control opens and displays the list of named networks. The list also shows whether the network location is marked as trusted.
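The following models how the include/exclude options above scope a policy to a client address. It is an added example, not Microsoft's documentation or code: the NamedLocation and LocationCondition classes, the selector constants and the address ranges are assumptions constructed for the example, and the real evaluation happens inside Azure AD.

```python
"""Model of the location condition: include/exclude of Any location, All trusted
locations and selected named locations. Added example, not Microsoft code; the
class and constant names are assumptions and the ranges are constructed."""
import ipaddress
from dataclasses import dataclass, field

ANY_LOCATION = "AnyLocation"
ALL_TRUSTED = "AllTrusted"

@dataclass
class NamedLocation:
    name: str
    ranges: list              # CIDR strings, IPv4 and IPv6 mixed freely
    trusted: bool = False

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        # 'in' is False across versions, so an IPv6 client never matches an IPv4 range
        return any(addr in ipaddress.ip_network(r) for r in self.ranges)

@dataclass
class LocationCondition:
    include: list = field(default_factory=lambda: [ANY_LOCATION])
    exclude: list = field(default_factory=list)

def matches(selector, ip, locations):
    """True when the client IP falls under one include/exclude entry."""
    if selector == ANY_LOCATION:
        return True                              # every address on the Internet
    if selector == ALL_TRUSTED:
        return any(loc.trusted and loc.contains(ip) for loc in locations)
    return any(loc.name == selector and loc.contains(ip) for loc in locations)

def location_applies(ip, condition, locations):
    """The policy is in scope when the IP matches an include entry and no exclude entry."""
    included = any(matches(s, ip, locations) for s in condition.include)
    excluded = any(matches(s, ip, locations) for s in condition.exclude)
    return included and not excluded

# Constructed named locations using documentation address ranges.
LOCATIONS = [
    NamedLocation("HQ", ["203.0.113.0/24", "2001:db8:1::/48"], trusted=True),
    NamedLocation("Blocked-range", ["198.51.100.0/24"]),
]
# "Any location" minus "All trusted locations": everything outside the corporate network.
OUTSIDE_CORP = LocationCondition(include=[ANY_LOCATION], exclude=[ALL_TRUSTED])
# "Selected locations": only the named block-list range is in scope.
SELECTED_BLOCK = LocationCondition(include=["Blocked-range"])
```

Both the IPv4 and the IPv6 HQ ranges count as trusted, so a client on either is out of scope for OUTSIDE_CORP; a tenant that only defined IPv4 ranges would see its IPv6 clients fall into scope instead.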
Conditional Access policies apply to all IPv4 and IPv6 traffic (as of April 3, 2023).
Identify IPv6 traffic with Azure AD login activity reports
You can detect IPv6 traffic in your tenant by going to the Azure AD sign-in activity reports. After opening the activity report, add the "IP address" column and enter a colon (:) in the field. This filter helps distinguish IPv6 traffic from IPv4 traffic.
You can also find the client IP by clicking a row in the report and then going to the "Location" tab in the sign-in activity details.
The IPv6 addresses of service endpoints can appear in failed sign-in logs because of the way they handle traffic. It is important to note that service endpoints are not supported. If users see these IPv6 addresses, remove the service endpoint from your virtual network's subnet configuration.
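As an added example (not Microsoft's tooling or report output), the following applies the same colon filter to constructed sign-in records using the ipaddress module, and additionally reports which IPv6 sign-ins fall outside the IPv6 ranges configured as named locations, which is where the service impact noted above would surface. The record field names, users and ranges are assumptions.

```python
"""Find IPv6 sign-ins in Azure AD sign-in activity records and check which
ones fall outside the IPv6 ranges of the tenant's named locations.
Added example, not Microsoft code or output; the record shape and the
'ipAddress' field name are assumptions, and the records are constructed."""
import ipaddress

# Constructed sign-in records in the style of the sign-in activity report.
SIGNINS = [
    {"user": "alice@contoso.example", "ipAddress": "203.0.113.7", "status": "Success"},
    {"user": "bob@contoso.example", "ipAddress": "2001:db8:1::10", "status": "Success"},
    {"user": "carol@contoso.example", "ipAddress": "2001:db8:99::5", "status": "Failure"},
    {"user": "dave@contoso.example", "ipAddress": "::ffff:198.51.100.4", "status": "Success"},
]

# Constructed named-location ranges as an administrator might have defined them.
NAMED_RANGES = ["203.0.113.0/24", "2001:db8:1::/48"]

def is_ipv6(ip):
    """Equivalent of the report filter 'IP address contains :', but parsed
    properly so malformed strings are rejected rather than miscounted."""
    try:
        return ipaddress.ip_address(ip).version == 6
    except ValueError:
        return False

def in_named_location(ip, ranges=NAMED_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def ipv6_signins(records, ranges=NAMED_RANGES):
    """Return (user, ip, covered) for each IPv6 sign-in; covered is False when
    no named-location range includes the address, meaning a policy that relies
    on named locations would treat the sign-in as coming from elsewhere."""
    return [
        (r["user"], r["ipAddress"], in_named_location(r["ipAddress"], ranges))
        for r in records
        if is_ipv6(r["ipAddress"])
    ]

if __name__ == "__main__":
    for user, ip, covered in ipv6_signins(SIGNINS):
        print(f"{user:25} {ip:22} {'in named location' if covered else 'UNCOVERED'}")
```

An IPv4-mapped address such as ::ffff:198.51.100.4 is reported as IPv6 and is not matched by an IPv4 range, which is why the last record shows as uncovered.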
What you should know
Cloud Proxy and VPN
When using a cloud-hosted proxy or VPN solution, the IP address that Azure AD uses when evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header containing the user's public IP address is not used. Since there is no validation that it comes from a trusted source, it would present a method for spoofing an IP address.
Once a cloud proxy is in place, a policy that requires a hybrid Azure AD joined or compliant device may be easier to manage. Keeping an up-to-date list of IP addresses used by your cloud-hosted proxy or VPN solution can be next to impossible.
We recommend that organizations use Global Secure Access to enable source IP restoration to avoid this address substitution and simplify management.
When is a location evaluated?
Conditional access policies are evaluated when:
- Initially, a user signs in to a web, mobile, or desktop application.
- A mobile or desktop app that uses modern authentication uses a refresh token to acquire a new access token.By default, this check is performed once every hour.
This means that for desktop and mobile apps using modern authentication, a location change is detected within an hour of the network location changing. For desktop and mobile apps that don't use modern authentication, the policy is applied on every token request. The frequency of requests may vary depending on the application. Similarly, for web applications, the policy is applied at initial sign-in and is valid for the lifetime of the web application session. Because session lifetimes differ between applications, the time between policy evaluations also varies. Each time the application requests a new sign-in token, the policy is applied.
By default, Azure AD issues a token every hour. When users leave the corporate network, the policy is applied within one hour for apps that use modern authentication.
User IP address
The IP address used in policy evaluation is the user's public IPv4 or IPv6 address. For devices on a private network, this IP address is not the client IP of the user's device on the intranet; it is the address used by the network to connect to the public Internet.
When can you block locations?
A policy that uses the location condition to block access is considered restrictive and should be implemented carefully after thorough testing. Some use cases for the location condition to block authentication may include:
- Block countries/territories where your organization never does business.
- Block specific IP ranges such as:
  - Known malicious IPs before a firewall policy can be changed.
  - For highly sensitive or privileged cloud applications and operations.
  - Based on a user-specific IP range, such as access to accounting or payroll applications.
Conditional Access policies are powerful tools. We recommend that you exclude the following accounts from your policies:
- Emergency access or break-glass accounts, to prevent tenant-wide account lockout. In the unlikely scenario that all administrators are locked out of your tenant, your emergency access administrative account can be used to sign in to the tenant and take steps to recover access.
  - You can find more information in the article Manage emergency access accounts in Azure AD.
- Service accounts and service principals, such as the Azure AD Connect sync account. Service accounts are non-interactive accounts that are not tied to any particular user. They are typically used by back-end services that allow programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded because MFA cannot be completed programmatically. Calls made by service principals are not blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies that target service principals.
  - If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a workaround, you can exclude these specific accounts from the baseline policy.
Bulk upload and download of named locations
For bulk updates when creating or updating named locations, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with the ranges from the file. Each row of the file contains one IP address range in CIDR notation.
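Because an upload replaces the whole list, it is worth checking the file first. The following is an added example, not Microsoft's upload tool, that validates a named-location CSV against the constraints this page states (one CIDR range per row, IPv4 or IPv6, mask longer than /8, at most 2,000 ranges per location); the sample file content is constructed.

```python
"""Validate a named-location CSV before bulk upload: one CIDR range per row,
IPv4 or IPv6, mask longer than /8, at most 2,000 ranges per location.
Added example, not Microsoft's upload tool; the limits come from the page,
the CSV content below is constructed."""
import csv
import io
import ipaddress

MAX_RANGES_PER_LOCATION = 2000

# Constructed file content; a real check would read the CSV from disk instead.
SAMPLE_CSV = """203.0.113.0/24
2001:db8:1::/48
10.0.0.0/8
198.51.100.7
300.1.1.0/24
"""

def validate_named_location_csv(text):
    """Return (valid_ranges, errors). Each error is (row, cell, reason);
    row 0 is used for file-level problems such as the per-location limit."""
    valid, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue                            # skip blank rows
        cell = row[0].strip()
        if "/" not in cell:
            errors.append((lineno, cell, "missing CIDR mask"))
            continue
        try:
            # strict=True (default) also rejects ranges whose host bits are set
            net = ipaddress.ip_network(cell)
        except ValueError as exc:
            errors.append((lineno, cell, f"not a valid CIDR range: {exc}"))
            continue
        if net.prefixlen <= 8:
            errors.append((lineno, cell, f"mask /{net.prefixlen} too short; must be greater than /8"))
            continue
        valid.append(str(net))
    if len(valid) > MAX_RANGES_PER_LOCATION:
        errors.append((0, "", f"{len(valid)} ranges exceed the {MAX_RANGES_PER_LOCATION} per-location limit"))
    return valid, errors

if __name__ == "__main__":
    ranges, problems = validate_named_location_csv(SAMPLE_CSV)
    print("accepted:", ranges)
    for row, cell, reason in problems:
        print(f"row {row}: {cell!r}: {reason}")
```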
API and PowerShell support
A preview version of the Graph API for named locations is available; for more information, see the Named location API.
- To set up a sample Conditional Access policy using location, see the article Conditional Access: Block access by location.