Commit 1074c17

[Azure AD] IPv6 Updates March
1 parent a3b8983 commit 1074c17

File tree

1 file changed

+28
-13
lines changed


articles/active-directory/conditional-access/location-condition.md

Lines changed: 28 additions & 13 deletions
@@ -1,12 +1,12 @@
11
---
2-
title: Location condition in Azure Active Directory Conditional Access
3-
description: Learn about creating location-based Conditional Access policies using Azure AD.
2+
title: Using networks and countries in Azure Active Directory
3+
description: Use GPS locations and public IPv4 and IPv6 networks in Conditional Access policy to make access decisions.
44

55
services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 02/23/2023
9+
ms.date: 03/17/2023
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
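Review bot: the new title at line 2, "Using networks and countries in Azure Active Directory", no longer names Conditional Access or the location condition, even though the file is location-condition.md and the new description at line 3 is about Conditional Access policy; a reader searching for "location condition" will not find this page by title. Suggest keeping the feature name, for example "Using networks and countries in Azure AD Conditional Access". The ms.date bump to 03/17/2023 is consistent with the commit message.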
@@ -27,13 +27,16 @@ Conditional Access policies are at their most basic an if-then statement combini
2727
Organizations can use this location for common tasks like:
2828

2929
- Requiring multifactor authentication for users accessing a service when they're off the corporate network.
30-
- Blocking access for users accessing a service from specific countries or regions.
30+
- Blocking access for users accessing a service from specific countries or regions your organization never operates from.
3131

3232
The location found using the public IP address a client provides to Azure Active Directory or GPS coordinates provided by the Microsoft Authenticator app. Conditional Access policies by default apply to all IPv4 and IPv6 addresses. For more information about IPv6 support, see the article [IPv6 support in Azure Active Directory](/troubleshoot/azure/active-directory/azure-ad-ipv6-support).
3333

34+
> [!TIP]
35+
> Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
36+
3437
## Named locations
3538

36-
Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries.
39+
Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations contain IPv4 and IPv6 address ranges or countries.
3740

3841
![Named locations in the Azure portal](./media/location-condition/new-named-location.png)
3942

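Review bot: the tip added at line 35 says Conditional Access "can use signals from these events to determine access" without saying which signals or events it means, so a reader cannot tell what is being recommended; either name the signal (the IP address or location of the request) or drop the second clause and leave the point that policy is evaluated only after first-factor authentication. The unchanged sentence at line 32 is also missing its verb ("The location found using the public IP address..." should read "The location is found using the public IP address..."); since this hunk already edits the surrounding paragraph, fix it here. The rewording at line 30 ("countries or regions your organization never operates from") and at line 39 ("Named locations contain IPv4 and IPv6 address ranges or countries") reads fine.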
@@ -82,9 +85,7 @@ If you select **Determine location by IP address**, the system collects the IP a
8285

8386
If you select **Determine location by GPS coordinates**, the user needs to have the Microsoft Authenticator app installed on their mobile device. Every hour, the system contacts the user’s Microsoft Authenticator app to collect the GPS location of the user’s mobile device.
8487

85-
The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions.
86-
87-
Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app.
88+
The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions. Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app.
8889

8990
Every time the user shares their GPS location, the app does jailbreak detection (Using the same logic as the Intune MAM SDK). If the device is jailbroken, the location isn't considered valid, and the user isn't granted access.
9091

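Review bot: the merged paragraph at line 88 keeps the ungrammatical sentence "Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app"; suggest "While the user is accessing resources covered by the policy, they need to approve a push notification from the app every hour", which also makes explicit that the hourly prompt only occurs during access. The first sentence of the same line, "The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app", would read better as "The first time the user needs to share their location from the Microsoft Authenticator app, they receive a notification in the app". Joining the two paragraphs is otherwise a reasonable change since both describe the same Authenticator prompt.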
@@ -145,6 +146,12 @@ You can also find the client IP by clicking a row in the report, and then going
145146

146147
## What you should know
147148

149+
### Cloud proxies and VPNs
150+
151+
When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user’s public IP address isn't used because there's no validation that it comes from a trusted source, so would present a method for faking an IP address.
152+
153+
When a cloud proxy is in place, a policy that requires a [hybrid Azure AD joined or complaint device](howto-conditional-access-policy-compliant-device.md#create-a-conditional-access-policy) can be easier to manage. Keeping a list of IP addresses used by your cloud hosted proxy or VPN solution up to date can be nearly impossible.
154+
148155
### When is a location evaluated?
149156

150157
Conditional Access policies are evaluated when:
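Review bot: typo at line 153, "complaint device" should be "compliant device" (the link target on the same line is howto-conditional-access-policy-compliant-device.md). The XFF sentence at line 151 also loses its subject in the final clause ("...so would present a method for faking an IP address"); suggest "...so honoring it would let a client spoof its IP address", which states the security reason more directly. Moving "Cloud proxies and VPNs" up to the top of "What you should know" is sensible given how often proxy egress IPs cause unexpected policy results, but the claim at line 153 that keeping the proxy IP list current "can be nearly impossible" is stronger than needed; "difficult to keep up to date" would be accurate without overstating it.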
@@ -160,15 +167,23 @@ By default, Azure AD issues a token on an hourly basis. After users move off the
160167

161168
The IP address used in policy evaluation is the public IPv4 or IPv6 address of the user. For devices on a private network, this IP address isn't the client IP of the user’s device on the intranet, it's the address used by the network to connect to the public internet.
162169

163-
### Bulk uploading and downloading of named locations
170+
### When you might block locations?
164171

165-
When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those ranges from the file. Each row of the file contains one IP Address range in CIDR format.
172+
A policy that uses the location condition to block access is considered restrictive, and should be done with care after thorough testing. Some instances of using the location condition to block authentication may include:
166173

167-
### Cloud proxies and VPNs
174+
- Blocking countries where your organization never does business.
175+
- Blocking specific IP ranges like:
176+
- Known malicious IPs before a firewall policy can be changed.
177+
- For highly sensitive or privileged actions and cloud applications.
178+
- Based on user specific IP range like access to accounting or payroll applications.
168179

169-
When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user’s public IP address isn't used because there's no validation that it comes from a trusted source, so would present a method for faking an IP address.
180+
### User exclusions
181+
182+
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
170183

171-
When a cloud proxy is in place, a policy that requires a hybrid Azure AD joined device can be used, or the inside corpnet claim from AD FS.
184+
### Bulk uploading and downloading of named locations
185+
186+
When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those ranges from the file. Each row of the file contains one IP Address range in CIDR format.
172187

173188
### API support and PowerShell
174189

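Review bot: the heading at line 170, "### When you might block locations?", is a statement with a question mark; use either "When might you block locations?" or "When you might block locations" so it matches the neighboring "When is a location evaluated?". The items at lines 176 to 178 are meant as sub-bullets of "Blocking specific IP ranges like:" (line 175) but appear at the same level here; confirm they are indented as a nested list in the source. "Known malicious IPs before a firewall policy can be changed" (line 176) sits awkwardly with the tip added earlier in this commit that Conditional Access is not a first line of defense; it should say that this is a stopgap for authenticated access only, not a substitute for blocking at the network edge. "Based on user specific IP range" (line 178) should be "Based on a user-specific IP range". Finally, deleting line 171 drops the "inside corpnet claim from AD FS" option without carrying it into the moved section (line 153 above); if that option is intentionally no longer recommended, say so in one line, otherwise keep it.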