Forum Discussion
Cloud app conditional access exceptions
Conditional Access App Control works by categorizing IPs (VPN, Anonymous, Botnet, etc.) from threat intelligence.
When you block “VPN” as a category, you block all VPN providers, because NordVPN falls under that same category.
To allow NordVPN specifically, you need to override the blanket block with an exception.
Recommendation
- Block all VPN/Anonymous IPs using your CA App Control policy (as you’ve done).
If you must allow NordVPN:
- Collect the specific NordVPN exit IPs that your org wants to allow.
- Create a Named Location in Entra ID for them.
- Exclude that Named Location from your block policy.
Document it well because if NordVPN rotates IPs, you’ll need a process to update the list regularly.
Let me know.
Jovan
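The maintenance step from the answer above (keep the Named Location in sync when the exit IPs rotate), as an added example that is not part of the original post. It validates a freshly collected list, diffs it against the ranges currently in the Named Location, and builds a body in the shape of the Microsoft Graph `ipNamedLocation` resource. The function names, the prefix-length floors, the `isTrusted: false` choice and the sample addresses are assumptions of this example.

```python
import ipaddress

V4, V6 = "#microsoft.graph.iPv4CidrRange", "#microsoft.graph.iPv6CidrRange"
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def normalize(entries, min_prefix_v4=24, min_prefix_v6=64):
    """Validate collected exit IPs/CIDRs; return (sorted CIDR strings, rejected)."""
    accepted, rejected = set(), []
    for raw in entries:
        text = raw.strip()
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append((text, "not an IP or CIDR"))
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            # A wide range would exempt far more than the approved exit nodes.
            rejected.append((text, "range too broad"))
        elif any(net.version == 4 and net.subnet_of(p) for p in NON_PUBLIC):
            rejected.append((text, "not a public address"))
        else:
            accepted.add(net)
    ordered = sorted(accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered], rejected

def plan_update(current_cidrs, collected):
    """Diff the Named Location's current ranges against the new list."""
    wanted, rejected = normalize(collected)
    current = {str(ipaddress.ip_network(c, strict=False)) for c in current_cidrs}
    body = {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "isTrusted": False,  # assumption: shared VPN exit IPs are excluded, not trusted
        "ipRanges": [{"@odata.type": V6 if ":" in c else V4, "cidrAddress": c}
                     for c in wanted],
    }
    return {
        "add": [c for c in wanted if c not in current],
        "remove": sorted(current - set(wanted)),
        "rejected": rejected,
        "patch_body": body,
    }

# Constructed sample data (RFC 5737 documentation addresses, not real NordVPN IPs).
CURRENT = ["203.0.113.10/32", "203.0.113.11/32"]
COLLECTED = ["203.0.113.10", "198.51.100.24/29", "198.51.0.0/16", "10.8.0.1", "nordvpn.example"]

if __name__ == "__main__":
    print(plan_update(CURRENT, COLLECTED))
```

Reviewing the `add`, `remove` and `rejected` lists before applying `patch_body` gives a change record for each rotation.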
- lfk73, Sep 07, 2025, Brass Contributor
Makes sense, thanks for the reply. I'll test that out and see.