Michael Tobin

"Network" in Conditional Access

Microsoft have renamed "Locations" to "Network" in Entra ID Conditional Access. This is most likely in response to many users adding external corporate IP addresses (SD-WAN external IPs, VPN IPs and so on) to Named Locations alongside the countries the organisation operates in. Along with the rename come some additional updates to support corporate networks.


Having your Conditional Access policies configured correctly is very important. Never forget: identity is the modern-day perimeter.


Below are the key features:


  • Compliant Network Check: Global Secure Access introduces the concept of a compliant network within Conditional Access and continuous access evaluation. This compliant network check ensures users connect from a verified network connectivity model for their specific tenant and comply with the security policies enforced by administrators. It makes the control easier for administrators to manage and maintain, without having to keep a list of all of an organisation's location IP addresses. (This is in preview and requires Global Secure Access to be enabled.) Some more on that here: Enable compliant network check with Conditional Access - Global Secure Access | Microsoft Learn

  • Named Locations: Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. These named network locations might include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block.

  • Trusted Locations: Locations such as your organization's public network ranges can be marked as trusted. Sign-ins from trusted named locations improve the accuracy of Microsoft Entra ID Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted.

  • Location Condition in Policy: One of the signals in Conditional Access policies is location. Organizations can use these locations for common tasks like requiring multifactor authentication for users accessing a service when they're off the corporate network, or blocking access for users accessing a service from specific countries or regions your organization never operates from.


You can find out how to configure a Network Policy here: Network in Conditional Access policy - Microsoft Entra ID | Microsoft Learn
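As an added example (not from the original post), the following Microsoft Graph PowerShell script builds the two pieces the list above describes: a trusted Named Location for a corporate egress range, and a policy that requires MFA for every sign-in that does not come from a trusted location. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the Conditional Access Administrator role; the 203.0.113.0/24 range is an RFC 5737 documentation range standing in for a real corporate range, and the break-glass group id is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK and a signed-in Conditional Access Administrator.
# 203.0.113.0/24 is a documentation (RFC 5737) range used as a stand-in for a
# real corporate egress range; the break-glass group id is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A trusted Named Location for the corporate egress range. Marking it
#    trusted also feeds Entra ID Protection's sign-in risk calculation.
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate HQ egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. A policy that requires MFA everywhere except trusted locations.
#    "All" and "AllTrusted" are the built-in location identifiers.
#    The policy is created in report-only mode so its effect can be reviewed
#    in the sign-in logs before enforcement, and a break-glass group is
#    excluded so a mistake in the location definition cannot lock out admins.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA outside trusted network"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>")   # placeholder
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

"Named location '{0}' ({1}); policy '{2}' in state {3}" -f `
    $hq.DisplayName, $hq.Id, $policy.DisplayName, $policy.State
```

Check the report-only results in the sign-in logs (Conditional Access tab) before switching the state to "enabled"; a trusted range that is too broad silently exempts more sign-ins than intended.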
