Configuring Conditional Access Policy to Restrict Access From Specific IP or Location

Conditional access is a set of policy configurations which controls what devices and users can have access to different applications. Specifically talking about Microsoft environment, conditional access policies work with Office 365 and other Software-as-a-Service (SaaS) applications configured in Azure Active Directory.

In simplest term, conditional access policies are if-then statements i.e., if a condition is met, then the necessary action can be taken for that condition. Example: A user wants to access any Office 365 application and is required to perform multi-factor authentication (MFA) to access it.

In this blog, I will demonstrate how to restrict access to different applications from different IP addresses based upon the location of the offices.

Consider that there are three physical offices of an organization, one in USA, one in Canada and one in India. Each office has two different Internet Service Providers where each ISP provides 5 static public IPs to the office location. This means that a single office is provided with a total of 10 public IPs. Based on this setup we will implement the following scenarios:

• SharePoint Online should be accessible through US office location and restricted for Canada and India.
• Exchange Online should be accessible through Canada office location and restricted for US and India.
• PowerBI should be accessible through India office location and restricted for Canada and US.
• Users should not be prompted for Multi Factor Authentication if they are coming from known office locations.

Note: This is just an arbitrary scenario for our demo purposes for writing this blog to showcase the capabilities. You can learn the implementation aspect and tweak your scenarios according to your requirements.

• An active Azure subscription with Global Administrator role.
• At least an Azure AD premium P1 license, if additional enhanced and security features are required you can compare the licenses here.
• Three non-administrator test users whose password you know.

Before setting up our conditional access policy, we need to define named locations. This can be done by logging into Azure portal under Azure Active Directory > Security > Conditional Access > Named Locations.

We will configure three named locations by adding public IP addresses of the respective offices:

Note: - We are taking arbitrary IPs in this case by picking a range from defined public IP addresses range for all the three countries. If you are implementing for your scenario, make sure to change the IP addresses according to your requirements.

For restricting access from a specific IP address range, click on ‘IP ranges location’ to add an IP address range from where you want to block or restrict access to your application.

To define a named location by IPv4/IPv6 address, one needs to provide:

• A Name for the location
• One or more IP (IPv4 or IPv6) ranges (in CIDR notation)

Login to Azure Portal, then navigate to Azure Active Directory > Security > Conditional Access > Named Locations.

     1. Click on ‘IP ranges location’ to add IPs and enter the name of the Location as shown below:

     2. Click on ‘+’ button to add IP address in CIDR format and click Add, to add more than one IP click on plus button again.

     4. Finally click on create and you will have your IP ranges and your location defined.

We have configured and shown the named location only for Canada. Adding IP range would be the same procedure for USA as well as India as shown above.

To grant access from the given set of public IP addresses without requiring multi factor authentication, we will add range of IPs for trusted MFA’s specifically.

To configure MFA trusted IPs, login to Azure Portal > Azure Active Directory > Security > Conditional Access > Named Locations > Configure MFA Trusted IPs.

1. Once you click on ‘Configure MFA trusted IPs’, you will be prompted to a new page where the required configurations can be done. Enter IPs in the text field area.

2. Click Save.

As a result, the users trying to access application from the IPs defined in the trusted range will skip MFA and will be granted access by only entering their username and password.

We can restrict access with respect to country as well. But in our situation, it is not required as we have already setup the named location for IP addresses. All other IP’s or countries will be restricted access automatically. Therefore, there is no need to setup the named location for country.

Defining named location for country varies from case to case, still I will be showing how you can configure it if required. For restricting/allowing access from a country, we will first go to named locations and then click on ‘countries location’ to add countries.

To define a named location by country, login to azure portal > Azure Active Directory > Security > Conditional Access > Named Locations > Configure MFA Trusted IPs. an individual needs to enter:

1. Name of the location/country.

     2. Select the country/countries you wish to block/allow access and click Create.

Now that we have setup the named locations for IP address, we will be configuring the conditional access policy. To create a new conditional access policy, login and go to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies.

To configure a conditional access policy, we need to define:

• A name for the Policy
• Which users this policy needs to be assigned to
• Select an application on which action will be performed.
• Conditions which will apply
• Access Controls
  • Grant or Block Access
  • Session to configure sign-in frequency and using app enforced restrictions.

Note: Make sure that you do not assign the policy to all users and administrators at once. Always assign the policy to some users with no assigned roles first, enable policy in Report-only mode to test and make sure the policy works as expected. Otherwise, you have the potential to lock yourself out.

To know more about all other components, you can check out the Microsoft’s official conditional access documentation.

     1. Log in to azure, go to Azure Active Directory > Security > Conditional Access > Policies. Click ‘New Policy’ to create a new conditional access policy.

     3. Name the policy.

     4. Select the user(s) to whom this policy should be applied.

Users and Groups > Select users and groups > search a name of user/group. Click Select.

     5. Select the condition for location.

         i. Click on Condition.

        ii. Click Location

        iii. Select yes to configure (i.e., include/exclude locations from this policy).

     6. Include location.

Select any location.

     7. Exclude the named locations.

Selected Locations Name: USA

     8. Under Access Controls, Block Access.

Select ‘Block Access’ radio button.

     7. All configurations are done, now we need to enable and create the policy.

Enable Policy: Report-Only or On

Click Create

Simply put, this whole configuration means that if specified users are trying to access SharePoint Online from any other location than USA, they will not be granted access.

Similarly, in this case, we did the same configurations as previous one with the difference that here the application is Exchange Online, we are excluding ‘Canada’ and including both ‘India and USA’. This policy will allow users in Canada office to access Exchange Online whereas users of India and USA will be restricted from accessing it.

Equivalently, the same configuration with the difference being that application this time is PowerBI service, we are excluding ‘India’ whereas including ‘USA & Canada’ under locations. As a result, this policy will allow users in India office to have access to PowerBI service and the employees of USA and Canada would not.

Let us try to access SharePoint Online from USA, Canada, and India. As per the policy created by us, one should be granted access while trying to access the application from USA office network. Whereas the access should be restricted for users trying to access it from Canada and India offices.

• Accessing SharePoint Online from USA office network:

           SharePoint Online is accessible

• Accessing SharePoint Online from India and Canada office:

SharePoint Online access is restricted.

• Accessing Exchange Online from Canada office:

• Accessing Exchange Online from India and USA office:

• Accessing PowerBI Service from India Office:

• Accessing PowerBI Service from USA and Canada Office:

Users trying to access Exchange Online (from Canada office), and PowerBI service (from India office) consequently, will be allowed to sign into the applications. Contrarily, if they trying to sign into Exchange Online (from USA or India office), and PowerBI service (from USA or Canada office), they will be shown a common error message.

Therefore, the policy is successfully implemented, and we secured access to the applications from defined locations only. Access from all other locations and IPs not defined is blocked.

What if someone tries to access applications from any other non-windows device? The error message would remain the same except the changes in the user interface.