Deny M365 Apps access from Untrusted Locations | Intune

Conditional Access is a feature of Microsoft Entra ID that helps organizations improve security and compliance. A Conditional Access policy is a set of conditions that a user or device must satisfy before it can access company resources, and it can be used either to allow or to block that access.

In this blog post, we will demonstrate how to deny M365 apps access to devices connecting from untrusted locations. We will consider two user groups, one in India and another outside India. We will allow O365 app access from India and block access for users outside India.

Create Named Locations

We will start by creating a Named Location. A Named Location in Conditional Access policies allows enforcement of access control based on the location a sign-in comes from. Named Locations can be defined by country (determined by IP address or by GPS location from the Authenticator app) or by IP address range.

We will create a named location based on country.

Follow the below steps to create a named location.

  • In the Intune admin center, navigate to Devices / Conditional Access / Named locations
  • Click on +Countries location
  • In the new flyout window, provide the following details
    • Name: India
    • Select Determine location by IP address (IPv4 and IPv6)
    • Select India from country list
  • Click on Create.

Deny M365 Apps access | Conditional access policies

You can now see the location you created in the Named locations list. We will use this named location when creating a conditional access policy.

Intune Named locations

Create Conditional Access Policy in Microsoft Intune

Now we will create a conditional access policy to block access for all users. The named location – India will be excluded from the policy. That will block M365 apps access for all users except those signing in from India.

Follow the below steps to create a conditional access policy from Microsoft Intune admin center.

  • Log in to Microsoft Intune Admin Center.
  • In the Microsoft Intune admin center page, go to Home > Devices > Conditional Access.
  • In the Overview page, click on +Create new policy.

Intune conditional access overview

In the New – Conditional Access policy page, provide the following details.

  • Name: Deny o365 Apps access from Untrusted locations
  • Under Assignments, select Users
  • Select Include > Select users and groups > Users and groups, and select the user or group to which you want to apply the conditional access policy.

Intune conditional access policies | New

  • Under the Assignments, select Target resources
  • Select what this policy applies to : Cloud apps
  • Include: Select apps
  • Click on Select and choose Office 365

Intune conditional access policies

  • Click on Conditions under Assignments, select Locations
  • Set Configure toggle button to Yes
  • Click on Include and select Any Location

Note: This will block application access from all locations. We will allow application access from a specific location in the next steps.

Intune conditional access policies

  • Under the Configure option, click on Exclude tab.
  • Click on Selected Locations radio button and select the location India.

Note: We have excluded the India location from the conditional access policy. So, application access will be blocked for all users except the users in India.

Intune conditional access policies

Under Access controls, select Grant and choose Block access.

Intune conditional access policies

Under Enable policy, set the toggle button to On and click on Create. Check the notification area to confirm that the policy was created successfully.

Intune conditional access policies | enable policy
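The same named location and block policy can be created with the Microsoft Graph PowerShell SDK instead of the admin center; this is an added example, not code from the original post. It assumes two placeholder object IDs (the group to target and an emergency-access account to exclude) and creates the policy in report-only mode so sign-in logs can be reviewed before switching it to On as the post does.

```powershell
# Added example (not part of the original post): build the "India" country named
# location and the "Deny o365 Apps access from Untrusted locations" policy via Graph.
# Both IDs below are placeholders; replace them with IDs from your own tenant.
$TargetGroupId  = "00000000-0000-0000-0000-000000000000"  # placeholder: group to block
$BreakGlassUser = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency-access account

# Scopes needed to create named locations and conditional access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Country named location "India", resolved by client IP (the option chosen in the post).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "India"
    countriesAndRegions               = @("IN")           # ISO 3166-1 alpha-2 code
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = "clientIpAddress" # alternative: authenticatorAppGps
}

# 2. Block the Office 365 app group from every location except the one just created.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Deny o365 Apps access from Untrusted locations"
    # Report-only first; change to "enabled" once the sign-in logs show only the intended blocks.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($TargetGroupId)
            excludeUsers  = @($BreakGlassUser)   # keep an emergency account out of any block policy
        }
        applications = @{ includeApplications = @("Office365") }  # built-in Office 365 app group
        locations    = @{
            includeLocations = @("All")          # "Any location" in the portal
            excludeLocations = @($location.Id)   # the India named location
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Read the policy back and show the effective location and control settings.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations } },
        @{ n = "Controls";          e = { $_.GrantControls.BuiltInControls } }
```

The report-only state surfaces what the policy would have blocked in the Entra sign-in logs without affecting users, which is the check to run before enabling a policy that blocks Office 365 outright.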

End User Experience

We tried to access the portal from India. It was accessible without any issue, as the India location (determined by IP address) was excluded from the conditional access policy.

Intune conditional access policies | End user experience

Now the same user tried to access the portal from another country. The user was unable to access the portal and received the following message:

You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing from a browser, app or location that is restricted by your admin.

Intune conditional access policies | You cannot access this right now.
