
Conditional Access based on location only?

Jim Kacerguis
Occasional Contributor

I recently upgraded our Azure AD licenses to get access to more security and reporting in Azure AD.

I want to create a conditional access policy that is very simple. I want to allow access to all of our Office 365 applications and services (e.g. Outlook desktop and mobile client, SharePoint Online, etc.) from only within the United States.

I created a named location of United States with the countries/regions set to United States. I then tried to create an access policy with a test user. For the condition, I have the 1 location condition that I made previously.

I then want to grant access only based on this. We use MFA for almost all Office 365 users, but not 100%, so I don't want to set any of these other requirements.

Without checking one of the grant access additional requirements, the Create box is grayed out / it won't let me create the policy.

Any idea how I can achieve this result?

FYI this is just a starting policy that will eliminate a ton of our login attempts.

2 Replies
Solution

Hi Jim,

Can you try it the other way around? Create a Block policy and exclude the United States region? If I'm not mistaken, that's the way to go with Conditional Access Policies based on region/location.

Best regards,

Ruud Gijsbers

Yes, that was the correct approach. Thank you.

For anyone else trying to do this, I created a named location of United States. I created a new policy, selected all cloud apps, set conditions of all platforms, and set client apps to browser and mobile apps and desktop clients.

Under the location condition, under the exclude tab, I used the United States named location.

Then, under access controls > Grant, I set it to block access and it let me create the policy. I tested it with a test user and VPN outside the US and it blocked access as expected.
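
The block-and-exclude policy described in this thread, written as Microsoft Graph conditional access request bodies together with a small local model of the location check. This is an added example, not part of the original posts: the two IDs are constructed placeholders, and `in_named_location` and `decide` are hypothetical helpers that simplify the check, not the service's own evaluation logic.

```python
# Placeholder IDs (constructed): Graph assigns the real named-location ID on creation.
US_LOCATION_ID = "00000000-0000-0000-0000-0000000000aa"
TEST_USER_ID = "00000000-0000-0000-0000-0000000000bb"

# Body for POST /identity/conditionalAccess/namedLocations
named_location = {
    "@odata.type": "#microsoft.graph.countryNamedLocation",
    "displayName": "United States",
    "countriesAndRegions": ["US"],
    "includeUnknownCountriesAndRegions": False,
}

# Body for POST /identity/conditionalAccess/policies
policy = {
    "displayName": "Block sign-ins from outside the United States",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [TEST_USER_ID]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["all"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": [US_LOCATION_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def in_named_location(loc, country):
    """country is an ISO 3166-1 alpha-2 code, or None when the IP maps to no country."""
    if country is None:
        return loc["includeUnknownCountriesAndRegions"]
    return country in loc["countriesAndRegions"]

def decide(pol, locations, user_id, country):
    """Simplified local model of the location check; returns 'block' or 'allow'."""
    cond = pol["conditions"]
    if user_id not in cond["users"]["includeUsers"]:
        return "allow"  # policy is not assigned to this user
    excluded = any(in_named_location(locations[i], country)
                   for i in cond["locations"].get("excludeLocations", []))
    in_scope = "All" in cond["locations"]["includeLocations"] and not excluded
    blocked = in_scope and "block" in pol["grantControls"]["builtInControls"]
    return "block" if blocked else "allow"

LOCATIONS = {US_LOCATION_ID: named_location}

if __name__ == "__main__":
    for c in ("US", "NL", None):
        print(c, decide(policy, LOCATIONS, TEST_USER_ID, c))
```

With `includeUnknownCountriesAndRegions` set to false, a sign-in whose IP address maps to no country falls outside the excluded location and is blocked along with the non-US ones.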
