Conditional Access GPS-based named locations now in public preview
Published May 19 2021 09:00 AM 23.7K Views
Microsoft

Today, I am excited to share how you can improve your Conditional Access policies and ensure compliance with data regulations thanks to the public preview of GPS-based named locations. This feature helps admins strengthen their security and compliance posture and allows them to restrict access to sensitive apps based on the GPS location of their users.

 

I have asked Olena Huang, a PM on the Identity team, to tell you more. Let us know what you think!

 

Alex Weinert

 

-------------------------------------

 

Hello,

 

With the public preview of GPS-based named locations, admins can refine their Conditional Access policies by determining a user’s location with even more precision. GPS-based named locations allow you to restrict access to certain resources to the boundaries of a specific country. Due to VPNs and other factors, determining a user’s location from their IP address is not always accurate or reliable. Leveraging GPS signals enables admins to determine a user’s location with higher confidence. This is especially helpful if you have strict compliance regulations that limit where specific data can be accessed.

 

When the feature is enabled, users will be prompted to share their GPS location via the Microsoft Authenticator app during sign-in.

 

 

Create a policy to allow or restrict access based on a user’s GPS location

There are two simple steps:

  1. Create a GPS-based named location.
  2. Create or configure Conditional Access with this named location.

You’ll first need to create a countries named location and select the countries where you want the policy to apply. Configure the named location to determine the location by GPS coordinates instead of by IP address.

 

[Image: Named Locations.png]

 

 

Next, create a Conditional Access policy to restrict access to selected applications for sign-ins within the boundaries of the named location.

 

[Image: New.png]

 

 

For more information, check out our admin documentation or our Graph API documentation.
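As an added example (not code from this post or from Microsoft's documentation), the two steps above expressed as Microsoft Graph PowerShell SDK calls. It assumes the SDK is installed, that your account holds the Policy.ReadWrite.ConditionalAccess permission, that the Graph schema exposes countryLookupMethod on countryNamedLocation, and that the group and application ids shown are placeholders.

```powershell
# Added example: GPS-based countries named location + a Conditional Access policy
# that blocks the selected apps from anywhere outside that location.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Step 1: countries named location resolved by Authenticator GPS, not client IP.
# includeUnknownCountriesAndRegions keeps sign-ins whose location cannot be
# determined from being blocked outright while you pilot the policy.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "GPS - Allowed countries"
    countriesAndRegions               = @("US", "CA")   # ISO 3166-1 alpha-2 codes
    includeUnknownCountriesAndRegions = $true
    countryLookupMethod               = "authenticatorAppGps"   # instead of clientIpAddress
}

# Step 2: policy scoped to a pilot group and the sensitive apps; all locations are
# included and the GPS location is excluded, so only sign-ins from outside it are blocked.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sensitive apps outside allowed countries (GPS)"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users        = @{ includeGroups       = @("<pilot-group-object-id>") }  # placeholder
        applications = @{ includeApplications = @("<sensitive-app-id>") }       # placeholder
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Created named location $($location.Id) and policy $($policy.Id)"
```

The policy starts in report-only so you can review the sign-in logs before switching state to "enabled"; as noted in the comments below, report-only mode already prompts users for their location.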

 

 

Test out the location-sharing experience

First, make sure you have the Microsoft Authenticator app installed and set up with your test account.

 

Next, try to access the files or data restricted by the Conditional Access policy. You’ll be prompted to share your geolocation from the Authenticator app.

 

[Image: Contoso.png]

 

The first time you encounter this prompt, you will need to grant location permissions to the Authenticator app.

 

 

iOS: [Image: IOS.png]

Android: [Image: Android.png]

 

For the next 24 hours, your location will be shared silently once per hour from that device, so you won’t keep getting notifications.

 

After 24 hours, you will be re-prompted when trying to access the same resource. However, you will not need to grant permissions again (unless you’ve disabled them).

 

[Image: Authenticator.png]

 

 

If you have questions, check out our FAQ page.

 

We’d love to hear from you! Feel free to leave comments below or reach out to us on Twitter.

12 Comments
Bronze Contributor

@Alex Weinert Nice additions

Two remarks

  • You must be sure that all your users have Authenticator
  • Even in report_only it is prompting/querying for location so beware :)
Copper Contributor

@Alex Weinert nice to solve the location challenge!

Can we expect this in the future to be integrated with the Azure AD sign-ins to also prevent the impossible travel events?

Copper Contributor

Is this susceptible to GPS spoofing apps, or does the Authenticator app check for that?

Bronze Contributor

@ReneV14 Could be funny between the location of the device, the location of the proxy and the location of the smartphone :)

Microsoft

For Android, "Allow this Authenticator to access this device's location?". At first I selected "Allow only while using this app". It did not like that; I couldn't get a screenshot as I am on a managed device. Select the option to allow all the time, which is completely logical for what it needs to do, but I wanted to see what I could get away with.

Brass Contributor

@ReneV14 it is evidently working that way. I just did a test for one of my test users. I did have to include the "unknown locations", as the first time I created a plain GPS location it blocked the Azure AD sign-in.

Copper Contributor

Are there any plans to enable the option of creating your own location based on specific coordinates? Maybe narrowing down to specific cities?

 

Copper Contributor

Well done on the GPS location setting. This addresses a glaring issue with an elegant fix. 

Brass Contributor

This doesn't work with passwordless authentication. Why Microsoft? You tell us to go to passwordless and then you take us a step back again. I don't get it.

Microsoft

How is the data handled/stored regarding GPS based location? Some customers ask me this question regarding Data Compliance.

Copper Contributor

We are testing this within our IT Team to look for any issues and we have found that although it says once you approve you will not be prompted for 24 hours (and it is supposed to check in in the background) it is still giving us the statement that we must allow location tracking and then going through authentication at which point we can view Teams/OneDrive/Email, etc.

Is anyone else seeing this as well? 

We love that this is available and once every 24 hours is not too much to be prompted, but once every single hour is just annoying and there is no way our users will be able to understand why this is happening. 

 

We all have the location settings for the Authenticator set to Always, one device is BYOD and they are also seeing the same behavior.

Copper Contributor

Hello, immediately after the GPS coordinate was activated for test users, a few accounts (credentials) could not authenticate for SMTP (both on port 587 and 25) configured for sending email directly from a printer.

Any work around on this?

Version history
Last update: Aug 19 2021 04:22 PM