Named locations in Azure give you the ability to target conditional access policies at specific places. For example, you want to use multi-factor authentication but don’t want users to be prompted when they are in the office, which is a trusted location. Or, you have single sign-on configured for an application but want users to only access it from the office.
Named locations work in one of two ways; either a list of IP addresses or GPS data from a phone with the authenticator app installed. If you choose to use GPS data, users will be prompted to give the app permissions, and you can’t narrow it down any further than countries.
If you choose IP addresses, you will need to know the public IP addresses of your network (visit https://ifconfig.io if you are not sure). Bear in mind that you may have multiple address, depending on how your network is configured.
Once you have the IP addresses, you can configure a named location as follows:
- Open Azure and search for Named Locations (or click here)
- Select IP Ranges Location
- Give the location a name
- If you mark this location as trusted, Azure will take it into account when calculating users risk scores, lowering it if it sees the trusted location.
- Enter the IP addresses with the CIDR notation (/32 for a single IP – eg. 188.8.131.52/32)
- Click create
Now you have a trusted location, you can add it to a conditional access policy:
- Open Azure and search for Conditional Access (or click here)
- Select the policy you want to change or click New Policy
- Under the Conditions section, select Locations
- Select the exclude tab, and select Selected Locations
- Select the Location you created previously.
- Click save.
Now that policy will not affect any users logging in from that trusted location.
Another potential use of named locations is to restrict where users can register new security information, such as authentication methods, from. If an attacker gains access to an account, they will look to register a new method to ensure they can keep access. Restricting this to your trusted network only reduces their chance of succeeding.
To block registering new security information from outside your trusted location:
- Create a new conditiaonl access policy
- Include all users, and exclude at least one global admin account
- Under Cloud apps or actions, change the dropdown to User Actions
- Select Register Security Information
- Under Condtions, select Locations
- Select Exclude, and select your trusted location
- Under Grant, select Block Access
As always, it’s a good idea to run the policy in report only mode for a while to gauge the impact.
Leave a Reply