Forum Discussion

GodCordial's avatar
GodCordial
Copper Contributor
Oct 01, 2025
Solved

Conditional Access - Non Entra Devices - Exclude from CA

Hey, We are running CA. Everythings runs good. We have one problem. We have a RDS Terminal Server 2022. Employees log from homeoffice into this server to work with our erp or outlook. So here is the...
  • vimal_raj1984hotmail's avatar
    vimal_raj1984hotmail
    Oct 01, 2025

    The Strategy: Exclude by Trusted Location

     If a user is signing in from a trusted corporate network location (like your RDS server's public IP), you can exempt them from the device compliance requirement for that specific sign-in. This allows Outlook on the RDS server to connect, while still enforcing the strict device policy for users signing in from their untrusted home networks.

    Step 1: Identify Your RDS Server's Public IP Address

    First, you need to know the public IP address that your RDS server uses to connect to the internet.

    1. Log in to the RDS Server.
    2. Open a web browser and go to a site like https://www.whatismyip.com or just search for "what is my IP" on Google.
    3. Note down the public IPv4 address. If you have multiple RDS servers in a farm behind a single firewall/NAT, you will likely only have one public IP address for all of them.

    Step 2: Create a "Named Location" in Microsoft Entra ID

    Next, you will define this public IP address as a trusted location within Entra ID (formerly Azure AD ).

    1. Go to the Microsoft Entra admin center (entra.microsoft.com).
    2. Navigate to Protection > Conditional Access.
    3. On the left menu, click on Named locations.
    4. Click + IP ranges location.
    5. Name: Give it a clear and descriptive name, like RDS Server Farm or Main Office Public IP.
    6. Mark as trusted location: Check this box. This is the most important step.
    7. IP Ranges: Click the + icon. Enter the public IP address you found in Step 1. If you have a range, you can enter it using CIDR notation (e.g., 1.2.3.4/32 for a single IP).
    8. Click Add, and then click Create.

    You have now told Entra ID that any authentication request coming from this IP address originates from a trusted corporate location.

    Step 3: Modify Your Conditional Access Policy

    Now, you will edit the specific CA policy that is blocking Outlook. This is typically the policy that enforces "Require compliant device" or "Require Hybrid Azure AD joined device."

    1. In the Conditional Access | Policies blade, find and click on the relevant policy.
    2. Go to the Conditions section.
    3. Click on Locations.
    4. On the Configure tab, set the toggle to Yes.
    5. Under the Include tab, ensure it is set to Any location. This makes the policy apply globally by default.
    6. Now, click on the Exclude tab.
    7. Select Selected locations.
    8. Click on Select locations and check the box next to the Named Location you created in Step 2 (e.g., RDS Server Farm).
    9. Click Select.
    10. Save the changes to your policy.
vimal_raj1984hotmail's avatar
vimal_raj1984hotmail
MCT
Oct 01, 2025

The Strategy: Exclude by Trusted Location

 If a user is signing in from a trusted corporate network location (like your RDS server's public IP), you can exempt them from the device compliance requirement for that specific sign-in. This allows Outlook on the RDS server to connect, while still enforcing the strict device policy for users signing in from their untrusted home networks.

Step 1: Identify Your RDS Server's Public IP Address

First, you need to know the public IP address that your RDS server uses to connect to the internet.

  1. Log in to the RDS Server.
  2. Open a web browser and go to a site like https://www.whatismyip.com or just search for "what is my IP" on Google.
  3. Note down the public IPv4 address. If you have multiple RDS servers in a farm behind a single firewall/NAT, you will likely only have one public IP address for all of them.

Step 2: Create a "Named Location" in Microsoft Entra ID

Next, you will define this public IP address as a trusted location within Entra ID (formerly Azure AD ).

  1. Go to the Microsoft Entra admin center (entra.microsoft.com).
  2. Navigate to Protection > Conditional Access.
  3. On the left menu, click on Named locations.
  4. Click + IP ranges location.
  5. Name: Give it a clear and descriptive name, like RDS Server Farm or Main Office Public IP.
  6. Mark as trusted location: Check this box. This is the most important step.
  7. IP Ranges: Click the + icon. Enter the public IP address you found in Step 1. If you have a range, you can enter it using CIDR notation (e.g., 1.2.3.4/32 for a single IP).
  8. Click Add, and then click Create.

You have now told Entra ID that any authentication request coming from this IP address originates from a trusted corporate location.

Step 3: Modify Your Conditional Access Policy

Now, you will edit the specific CA policy that is blocking Outlook. This is typically the policy that enforces "Require compliant device" or "Require Hybrid Azure AD joined device."

  1. In the Conditional Access | Policies blade, find and click on the relevant policy.
  2. Go to the Conditions section.
  3. Click on Locations.
  4. On the Configure tab, set the toggle to Yes.
  5. Under the Include tab, ensure it is set to Any location. This makes the policy apply globally by default.
  6. Now, click on the Exclude tab.
  7. Select Selected locations.
  8. Click on Select locations and check the box next to the Named Location you created in Step 2 (e.g., RDS Server Farm).
  9. Click Select.
  10. Save the changes to your policy.

Resources