Changed file: articles/active-directory/conditional-access/location-condition.md (27 additions, 12 deletions)
@@ -1,12 +1,12 @@
1
1
---
2
-
title: Location condition in Azure Active Directory Conditional Access
3
-
description: Learn about creating location-based Conditional Access policies using Azure AD.
2
+
title: Using networks and countries in Azure Active Directory
3
+
description: Use GPS locations and public IPv4 and IPv6 networks in Conditional Access policy to make access decisions.
4
4
5
5
services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 02/23/2023
9
+
ms.date: 03/17/2023
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
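Review bot: the new `title:` line drops both "Conditional Access" and "location condition", so the page no longer names the feature it documents, and the "location condition" term that the rest of the article and inbound links use disappears from the title. Suggest keeping the feature name, e.g. `title: Using networks and countries/regions in Azure AD Conditional Access`; the new `description:` line already says "Conditional Access policy", so the two would then agree. The ms.date bump to 03/17/2023 is consistent with the content change.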
@@ -27,10 +27,13 @@ Conditional Access policies are at their most basic an if-then statement combini
27
27
Organizations can use this location for common tasks like:
28
28
29
29
- Requiring multifactor authentication for users accessing a service when they're off the corporate network.
30
-
- Blocking access for users accessing a service from specific countries or regions.
30
+
- Blocking access for users accessing a service from specific countries or regions your organization never operates from.
31
31
32
32
The location found using the public IP address a client provides to Azure Active Directory or GPS coordinates provided by the Microsoft Authenticator app. Conditional Access policies by default apply to all IPv4 and IPv6 addresses. For more information about IPv6 support, see the article [IPv6 support in Azure Active Directory](/troubleshoot/azure/active-directory/azure-ad-ipv6-support).
33
33
34
+
> [!TIP]
35
+
> Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
36
+
34
37
## Named locations
35
38
36
39
Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions.
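Review bot: the added TIP says policies are enforced after first-factor authentication but does not spell out the consequence for the block scenario introduced a few lines above: a location-based block does not stop a credential from being validated from the blocked country or region, so those attempts still show up in the sign-in logs as blocked sign-ins and should be monitored rather than assumed absent. Suggest one sentence to that effect, e.g. "A block policy is evaluated only after the credential is validated; use the sign-in logs to watch for attempts from blocked locations." Also, the unchanged context line "The location found using the public IP address..." is missing "is" ("The location is found using..."), worth fixing while this section is open.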
@@ -81,9 +84,7 @@ If you select **Determine location by IP address**, the system collects the IP a
81
84
82
85
If you select **Determine location by GPS coordinates**, the user needs to have the Microsoft Authenticator app installed on their mobile device. Every hour, the system contacts the user’s Microsoft Authenticator app to collect the GPS location of the user’s mobile device.
83
86
84
-
The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions.
85
-
86
-
Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app.
87
+
The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions. Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app.
87
88
88
89
Every time the user shares their GPS location, the app does jailbreak detection (Using the same logic as the Intune MAM SDK). If the device is jailbroken, the location isn't considered valid, and the user isn't granted access.
89
90
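Review bot: merging the two GPS paragraphs into one is fine, but the wording on the new line still needs cleanup: "The first time the user must share their location" reads better as "The first time the user is required to share their location", and "Every hour the user is accessing resources covered by the policy they need to approve a push notification" needs a comma after "policy" or a reorder such as "While the user is accessing resources covered by the policy, they need to approve a push notification from the app every hour". Meaning is unchanged, so this is a style point only.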
@@ -144,6 +145,12 @@ You can also find the client IP by clicking a row in the report, and then going
144
145
145
146
## What you should know
146
147
148
+
### Cloud proxies and VPNs
149
+
150
+
When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user’s public IP address isn't used because there's no validation that it comes from a trusted source, so would present a method for faking an IP address.
151
+
152
+
When a cloud proxy is in place, a policy that requires a [hybrid Azure AD joined or compliant device](howto-conditional-access-policy-compliant-device.md#create-a-conditional-access-policy) can be easier to manage. Keeping a list of IP addresses used by your cloud hosted proxy or VPN solution up to date can be nearly impossible.
153
+
147
154
### When is a location evaluated?
148
155
149
156
Conditional Access policies are evaluated when:
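Review bot: the added "Cloud proxies and VPNs" paragraph explains why the X-Forwarded-For header is ignored but stops short of the practical consequence for named locations: because Azure AD evaluates the proxy's IP, the user's real public IP cannot be distinguished behind the proxy, so a named location built from proxy egress ranges says nothing about where the user actually is and should not be treated as a trusted location. Suggest adding that sentence before the device-based recommendation in the next paragraph, which then reads as the alternative it is meant to be. Minor grammar on the same line: "so would present a method for faking an IP address" is missing its subject ("so it would present").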
@@ -159,15 +166,23 @@ By default, Azure AD issues a token on an hourly basis. After users move off the
159
166
160
167
The IP address used in policy evaluation is the public IPv4 or IPv6 address of the user. For devices on a private network, this IP address isn't the client IP of the user’s device on the intranet, it's the address used by the network to connect to the public internet.
161
168
162
-
### Bulk uploading and downloading of named locations
169
+
### When you might block locations?
163
170
164
-
When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those ranges from the file. Each row of the file contains one IP Address range in CIDR format.
171
+
A policy that uses the location condition to block access is considered restrictive, and should be done with care after thorough testing. Some instances of using the location condition to block authentication may include:
165
172
166
-
### Cloud proxies and VPNs
173
+
- Blocking countries where your organization never does business.
174
+
- Blocking specific IP ranges like:
175
+
- Known malicious IPs before a firewall policy can be changed.
176
+
- For highly sensitive or privileged actions and cloud applications.
177
+
- Based on user specific IP range like access to accounting or payroll applications.
167
178
168
-
When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user’s public IP address isn't used because there's no validation that it comes from a trusted source, so would present a method for faking an IP address.
When a cloud proxy is in place, a policy that requires a hybrid Azure AD joined device can be used, or the inside corpnet claim from AD FS.
183
+
### Bulk uploading and downloading of named locations
184
+
185
+
When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those ranges from the file. Each row of the file contains one IP Address range in CIDR format.
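Review bot: the removed line "When a cloud proxy is in place, a policy that requires a hybrid Azure AD joined device can be used, or the inside corpnet claim from AD FS." carried the AD FS inside-corpnet alternative, and the rewritten paragraph earlier in this diff keeps only the device-based recommendation; if dropping the AD FS guidance is intentional, fine, otherwise carry that clause over so readers with federated setups are not left without it. The new heading "### When you might block locations?" is not a question as written; suggest "### When to block locations" or "### When might you block locations?". In the new list, "- Blocking specific IP ranges like:" is followed by three items that read as sub-bullets but appear at the same indent level here; confirm they are indented so they render nested. The relocated "Bulk uploading and downloading of named locations" text is unchanged, so nothing to review there.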