Conditional Access based on location only?

Jim Kacerguis
Occasional Contributor

I recently upgraded our Azure AD licenses to get access to more security and reporting in Azure AD.

I want to create a conditional access policy that is very simple. I want to allow access to all of our Office 365 applications and services (e.g. Outlook desktop and mobile client, SharePoint Online, etc.) from only within the United States.

I created a named location of United States with the countries/regions set to United States. I then tried to create an access policy with a test user. For the condition, I have the 1 location condition that I made previously.

I then want to grant access only based on this. We use MFA for almost all Office 365 users, but not 100%, so I don't want to set any of these other requirements.

Without checking one of the grant access additional requirements, the Create box is grayed out / it won't let me create the policy.

Any idea how I can achieve this result?

FYI this is just a starting policy that will eliminate a ton of our login attempts.

2 Replies
Solution

Hi Jim,

Can you try it the other way around? Create a Block policy and exclude the United States region? If I'm not mistaken, that's the way to go with Conditional Access Policies based on region/location.

Best regards,

Ruud Gijsbers

Yes, that was the correct approach. Thank you.

For anyone else trying to do this, I created a named location of United States. I created a new policy, selected all cloud apps, set conditions of all platforms, and set client apps to browser and mobile apps and desktop clients.

Under the location condition, under the exclude tab, I used the United States named location.

Then, under access controls > Grant, I set it to block access and it let me create the policy. I tested it with a test user and VPN outside the US and it blocked access as expected.
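The block-and-exclude policy described in the thread above, written with the Microsoft Graph PowerShell SDK as an added example that is not part of the original posts. The display names, the `<test-user-object-id>` placeholder and the choice to create the policy in report-only state are assumptions.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK
# and an account that is allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Country-based named location that contains only the United States.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'United States'   # assumed display name
    countriesAndRegions               = @('US')
    # Sign-ins whose IP cannot be mapped to a country are NOT treated as US,
    # so the block policy below applies to them as well.
    includeUnknownCountriesAndRegions = $false
}

# 2. Block policy: include every location, exclude the US named location.
#    There is no "grant with no requirements" control, which is why the
#    allow-list is expressed as "block everywhere except ...".
$testUserId = '<test-user-object-id>'   # placeholder: scope to a test user first

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-ins from outside the United States'  # assumed name
    # Assumption: start in report-only mode; change to 'enabled' to enforce.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @($testUserId) }
        applications   = @{ includeApplications = @('All') }       # all cloud apps
        platforms      = @{ includePlatforms = @('all') }          # all platforms
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)                     # US is exempt
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Confirm what was created.
$policy | Select-Object Id, DisplayName, State
```

Because the policy includes all locations, any account it is assigned to is blocked whenever the sign-in does not resolve to the US, so an emergency-access account should be left out of `includeUsers` or listed under `excludeUsers` before widening the scope beyond the test user.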
