Forum Discussion
Restrict User Access to Specific Devices and Location Using Intune & Conditional Access
We have a customer requirement to restrict user sign-ins using Intune and Azure AD (Entra ID) Conditional Access. The goal is to allow access only from specific, managed devices and only from a specific geographic location. For example, users should be able to access corporate resources only when signing in from compliant/managed devices and only when located in Mumbai. What would be the recommended approach or best practice to achieve this using Conditional Access and Intune? Any guidance on configuration, limitations (e.g., location accuracy), or real-world experiences would be appreciated.
3 Replies
- Bogdan_Guinea (Iron Contributor)
Hi,
- under Conditional Access | Named locations, add your IP range location. You need one for specific cities or locations — if it were a country, this step would be different.
- Create the CAP, under Conditions | Locations | Configure | Selected networks and locations -> add the IP range that you created at Step 1.
- Under Grant, select Grant Access and mark Require device to be marked as compliant.
- Test it in Report-Only Mode and exclude your Emergency Accounts from this Policy.
- Check the Insights and Reporting in order for you to review this CAP and its impact.
Good luck!
- Simone_Termine (Brass Contributor)
What you’re trying to do is a classic “two locks on the same door” design: one lock is device trust (only managed/compliant devices), the other is network/location trust (only from Mumbai). You can do it with Intune + Entra Conditional Access, but it’s worth being clear about what “location” really means in Conditional Access, because it’s not GPS.
The most reliable best practice is to enforce two gates in Conditional Access: device trust + network/location trust. You do it by making devices Intune compliant (or at least managed), then creating a Conditional Access policy for the target apps that allows access only if the device is marked compliant and the sign-in comes from a Named location.
Important limitation: Conditional Access “location” is mainly IP-based, not GPS. So “Mumbai” needs to mean Mumbai office public IP ranges (or a VPN/SWG egress IP in Mumbai). If users are remote, the usual approach is to require them to connect through a VPN/secure gateway that exits in Mumbai, and only allow that egress.
- C_the_S (Bronze Contributor)
The hard part is going to be the location access. Though the location data for IPs is about 95% accurate, you'd run the risk of someone being in Mumbai and Conditional Access thinking your user is somewhere else. The problem is companies do buy and sell IPs, and they can then change location, and it might take a while before databases are up-to-date.
A managed device is much easier to use Conditional Access with.
Edit:
Here's info on using Location in Conditional Access: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-by-location
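The following is an added example, not code from any of the posters or from Microsoft. It expresses the two gates discussed in this thread (a Mumbai IP named location plus a compliant-device requirement) as the Microsoft Graph request bodies an admin would POST to `/identity/conditionalAccess/namedLocations` and `/identity/conditionalAccess/policies`, and it adds a small offline evaluator that applies the same IP-based logic to constructed sign-ins. It goes slightly beyond the first reply by adding a separate block policy for all locations except the named one, which is what actually stops sign-ins from outside Mumbai (a policy that only applies *inside* the named location does not block anything elsewhere). The CIDR, the break-glass object id, the policy names and the sample sign-ins are placeholders, not values from any real tenant.

```python
"""
Constructed example: Conditional Access "device trust + location trust" as
Graph API request bodies, plus an offline evaluator showing what an IP-based
location check does with sample sign-ins.

Assumptions (all placeholders, not real tenant values):
  - Mumbai office egress is 203.0.113.0/24 (an RFC 5737 documentation range)
  - one break-glass account is excluded from both policies
"""
import ipaddress
import json

MUMBAI_EGRESS_CIDRS = ["203.0.113.0/24"]  # assumed office/VPN egress range
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object id


def named_location_body(display_name: str, cidrs: list[str], trusted: bool = False) -> dict:
    """Body for POST /identity/conditionalAccess/namedLocations (ipNamedLocation)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def block_outside_location_policy(location_id: str, exclude_users: list[str]) -> dict:
    """Gate 1: block every location except the named one. Starts in report-only."""
    return {
        "displayName": "Block access outside Mumbai egress",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_compliant_device_policy(exclude_users: list[str]) -> dict:
    """Gate 2: grant access only from an Intune-compliant device. Starts in report-only."""
    return {
        "displayName": "Require compliant device",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def evaluate_sign_in(source_ip: str, device_compliant: bool, user_id: str,
                     cidrs: list[str] = MUMBAI_EGRESS_CIDRS) -> str:
    """Offline model of the two gates. CA only sees the client's public IP, not GPS,
    so a user physically in Mumbai on a carrier IP outside the range is still blocked."""
    if user_id == BREAK_GLASS_USER_ID:
        return "allow (excluded break-glass account)"
    ip = ipaddress.ip_address(source_ip)
    in_named_location = any(ip in ipaddress.ip_network(c) for c in cidrs)
    if not in_named_location:
        return "block (IP outside Mumbai named location)"
    if not device_compliant:
        return "block (device not compliant)"
    return "allow"


if __name__ == "__main__":
    # Request bodies an admin would POST (location id below is a placeholder
    # for the id Graph returns after creating the named location).
    print(json.dumps(named_location_body("Mumbai office egress", MUMBAI_EGRESS_CIDRS), indent=2))
    print(json.dumps(block_outside_location_policy("<named-location-id>", [BREAK_GLASS_USER_ID]), indent=2))
    print(json.dumps(require_compliant_device_policy([BREAK_GLASS_USER_ID]), indent=2))

    # Constructed sign-ins: (public IP, device compliant, user id)
    samples = [
        ("203.0.113.25", True, "user-a"),   # office egress, compliant device
        ("203.0.113.25", False, "user-b"),  # office egress, unmanaged device
        ("198.51.100.7", True, "user-c"),   # compliant device but mobile carrier IP
        ("198.51.100.7", False, BREAK_GLASS_USER_ID),
    ]
    for ip, compliant, uid in samples:
        print(f"{ip:>14} compliant={compliant!s:5} {uid:>40}: {evaluate_sign_in(ip, compliant, uid)}")
```

Both policies are created in `enabledForReportingButNotEnforced` state so their impact can be reviewed under Insights and Reporting before switching to `enabled`; the third sample sign-in is the case the later replies warn about, where the device is fully compliant but the user's public IP is not in the office range.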