Conditional Access is a feature of Microsoft Entra ID that helps organizations improve security and compliance. A Conditional Access policy is a set of conditions that a user or device must satisfy to access company resources. A Conditional Access policy can be used to allow or block access to company resources.
In this blog post, we will demonstrate how to deny M365 apps access for devices in untrusted locations. We will consider two user groups, one in India and another outside India. We will allow Office 365 app access from India and block access for users outside India.
Create Named Locations
We will start by creating a named location. A named location in Conditional Access policies allows access control to be enforced based on the device's location. Named locations can be created based on country (determined by IP address or GPS location) or on an IP address range.
We will create a named location based on country.
Follow the steps below to create a named location.
- In the Intune admin center, navigate to Devices / Conditional Access / Named locations
- Click on +Countries location
- In the new flyout window, provide the following details
- Name: India
- Select Determine location by IP address (IPv4 and IPv6)
- Select India from country list
- Click on Create.
You can now see the location you created in the Named locations list. We will use this named location when creating a Conditional Access policy.
Create Conditional Access Policy in Microsoft Intune
Now we will create a Conditional Access policy that blocks access for the targeted users. The named location India will be excluded from the policy, so M365 app access is blocked for all targeted users except those in India.
Follow the steps below to create a Conditional Access policy from the Microsoft Intune admin center.
- Log in to Microsoft Intune Admin Center.
- In the Microsoft Intune admin center page, go to Home > Devices > Conditional Access.
- In the Overview page, click on +Create new policy.
On the New – Conditional Access policy page, provide the following details.
- Name: Deny o365 Apps access from Untrusted locations
- Under Assignments, select Users
- Select Include / “Select users and groups” / Users and groups, and select the user or group to which you want to apply the Conditional Access policy.
- Under the Assignments, select Target resources
- Select what this policy applies to: Cloud apps
- Include: Select apps
- Click on Select and choose Office 365
- Click on Conditions under Assignments, select Locations
- Set Configure toggle button to Yes
- Click on Include and select Any Location
Note: This will block application access from all locations. We will allow application access from a specific location in the next steps.
- Under the Configure option, click on the Exclude tab.
- Click on the Selected locations radio button and select the location India.
Note: We have excluded the India location from the Conditional Access policy, so application access will be blocked for all targeted users except the users in India.
Under Access controls, select Grant, then Block access.
Under Enable policy, set the toggle button to On and click on Create. Check the notification area to confirm that the policy was created successfully.
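The same named location and blocking policy, built through the Microsoft Graph PowerShell SDK instead of the admin center, as an added example that is not part of the original post. It assumes the SDK is installed, that the target group object ID and an emergency-access account object ID are filled in for the placeholders, and it starts the policy in report-only mode rather than enforcing it immediately.

```powershell
# Added example (not from the original post): create the India named location
# and the "block everywhere except India" policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 1: country-based named location "India" (ISO 3166-1 alpha-2 code IN),
# with the location determined by client IP address, as in the steps above.
$india = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"        = "#microsoft.graph.countryNamedLocation"
    displayName          = "India"
    countriesAndRegions  = @("IN")
    countryLookupMethod  = "clientIpAddress"
    # Keep this false so requests whose IP cannot be mapped to any country are
    # not treated as coming from India; they stay under "Any location" and are blocked.
    includeUnknownCountriesAndRegions = $false
}

# Step 2: block Office 365 from any location except the India named location.
# Report-only lets you review the sign-in logs before enforcing; change state
# to "enabled" once the results match expectations.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Deny o365 Apps access from Untrusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Placeholder: object ID of the group the policy targets.
            includeGroups = @("<target-group-object-id>")
            # Placeholder: object ID of an emergency-access (break-glass) account,
            # excluded so a misconfigured location cannot lock every admin out.
            excludeUsers  = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{
            includeLocations = @("All")        # "Any location"
            excludeLocations = @($india.Id)    # the India named location
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Created policy '$($policy.DisplayName)' in state $($policy.State)"
```

Review the Sign-in logs (Conditional Access tab, report-only result) for a few days before switching the state to enabled.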
End User Experience
We tried to access the office.com portal from India. It was accessible without any issue, as the India location (determined by IP address) was excluded from the Conditional Access policy.
Now the same user tried to access the office.com portal from another country. The user was unable to access the office.com portal and received the following message:
You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing from a browser, app or location that is restricted by your admin.