SOLVED

Conditional Access based on location only?

Occasional Contributor

I recently upgraded our Azure AD licenses to get access to more security and reporting in Azure AD.

 

I want to create a Conditional Access policy that is very simple. I want to allow access to all of our Office 365 applications and services (e.g. Outlook desktop and mobile client, SharePoint Online, etc.) from only within the United States.

 

I created a named location of United States with the countries/regions set to United States. I then tried to create an access policy with a test user. For the condition, I have the one location condition that I made previously.

 

I then want to grant access only based on this. We use MFA for almost all Office 365 users, but not 100%, so I don't want to set any of these other requirements.

 

Without checking one of the grant access additional requirements, the Create box is grayed out / it won't let me create the policy.

 

Any idea how I can achieve this result?

 

FYI this is just a starting policy that will eliminate a ton of our login attempts.

2 Replies
Best Response confirmed by Jim Kacerguis (Occasional Contributor)
Solution

Hi Jim,

 

Can you try it the other way around? Create a Block policy and exclude the United States region? If I'm not mistaken, that's the way to go with Conditional Access Policies based on region/location.

 

Best regards,

Ruud Gijsbers

Yes, that was the correct approach. Thank you.

 

For anyone else trying to do this, I created a named location of United States. I created a new policy, selected all cloud apps, set conditions of all platforms, and set client apps to browser and mobile apps and desktop clients.

 

Under the location condition, under the exclude tab, I used the United States named location.

 

Then, under Access controls > Grant, I set it to Block access and it let me create the policy. I tested it with a test user and a VPN outside the US and it blocked access as expected.
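
Added example, not part of the original thread: the block-and-exclude policy described in the replies above, expressed with the Microsoft Graph PowerShell SDK instead of the portal. The display names, the `<test-user-object-id>` placeholder and the report-only starting state are assumptions made for this illustration.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# account allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder (assumption): object ID of the test user the policy is scoped to.
$testUserId = '<test-user-object-id>'

# 1. Country-based named location that contains only the United States.
#    With includeUnknownCountriesAndRegions = $false, sign-ins whose IP cannot
#    be mapped to a country are NOT part of this location, so the block
#    policy below applies to them as well.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'United States'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# 2. Block policy: include every location, then exclude the named location.
#    Anything that is not in the excluded location is blocked.
$policy = @{
    displayName = 'Block sign-ins from outside the United States'
    # Assumption: start in report-only mode and review the sign-in logs,
    # then change the state to 'enabled' to enforce the block.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @($testUserId) }
        applications   = @{ includeApplications = @('All') }      # all cloud apps
        platforms      = @{ includePlatforms = @('all') }         # all platforms
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```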