Forum Discussion
Restrict User Access to Specific Devices and Location Using Intune & Conditional Access
What you’re trying to do is a classic “two locks on the same door” design: one lock is device trust (only managed/compliant devices), the other is network/location trust (only from Mumbai). You can do it with Intune + Entra Conditional Access, but it’s worth being clear about what “location” really means in Conditional Access, because it’s not GPS.
The most reliable best practice is to enforce two gates in Conditional Access: device trust + network/location trust. You do it by making devices Intune compliant (or at least managed), then creating a Conditional Access policy for the target apps that allows access only if the device is marked compliant and the sign-in comes from a Named location.
Important limitation: Conditional Access “location” is mainly IP-based, not GPS. So “Mumbai” needs to mean Mumbai office public IP ranges (or a VPN/SWG egress IP in Mumbai). If users are remote, the usual approach is to require them to connect through a VPN/secure gateway that exits in Mumbai, and only allow that egress.
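The two gates described in the reply above, sketched with the Microsoft Graph PowerShell SDK as an added example that is not part of the original post. Location is a policy condition and device compliance is a grant control, so the sketch uses two policies; the group ID, app ID, display names and the 203.0.113.0/24 range (a documentation range standing in for the Mumbai office or VPN egress IPs) are placeholders.

```powershell
# Added example, not from the original post. All IDs and the IP range are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$targetGroupId = '<TARGET-GROUP-OBJECT-ID>'   # placeholder: users to restrict
$targetAppId   = '<TARGET-APP-ID>'            # placeholder: app to protect

# "Mumbai" as Conditional Access sees it: a set of public egress IPs, not GPS.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Mumbai egress (placeholder range)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# Scope shared by both policies.
$users = @{ includeGroups = @($targetGroupId) }
$apps  = @{ includeApplications = @($targetAppId) }

# Gate 1 (network/location trust): block sign-ins from anywhere except the named location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block target users outside Mumbai egress'
    state         = 'enabledForReportingButNotEnforced'   # report-only while validating
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Gate 2 (device trust): require an Intune-compliant device for the same users and app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require compliant device for target users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
```

Both policies are created in report-only mode so their effect shows up in the sign-in logs before the `state` is switched to `enabled`.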