This chapter covers Named Locations and Conditional Access Policies in Azure AD, a critical topic for the AZ-104 exam. You will learn how to define trusted and untrusted network locations, and how to enforce access controls based on those locations. Questions on this topic appear in approximately 10-15% of AZ-104 exams, often as part of identity governance scenarios. Mastery of these concepts is essential for implementing secure access policies in enterprise environments.
Jump to a section
Imagine a high-end nightclub with multiple entrance points: a main door, a VIP alley, and a backstage entrance. The club owner wants to allow entry only from specific locations based on the guest's status. The bouncer at each entrance has a list of allowed IP ranges (e.g., main door allows all, VIP alley allows only known celebrities' IPs). When a guest arrives, the bouncer checks the guest's ID (user identity) and the entrance they used (source IP). If the guest is a celebrity but tries to enter through the backstage entrance (which is restricted to staff only), the bouncer denies entry. The club also has a 'known' list of trusted locations (e.g., corporate office IPs) where any employee can enter without further checks. However, if an employee tries to enter from an unknown location (e.g., a coffee shop IP), the bouncer might ask for additional verification (MFA). The bouncer's decision is based on a policy that says: "If location is trusted, allow; if location is untrusted, require MFA." This is exactly how Named Locations and Conditional Access work in Azure AD: Named Locations define IP ranges or countries that are considered trusted or untrusted. Conditional Access policies then evaluate the user's location against these named locations to grant access, block access, or require additional controls like MFA.
What Are Named Locations and Conditional Access Policies?
Named Locations in Azure Active Directory (Azure AD) are defined sets of IP address ranges or countries/regions that you can use to create rules in Conditional Access policies. They allow you to identify trusted or untrusted network locations where users sign in from. Conditional Access policies are the engine that enforces access controls based on signals like user, device, location, and application. Together, they enable granular access decisions beyond simple username and password.
Why They Exist
In a zero-trust security model, you cannot assume that a user is safe just because they have the correct password. You need to consider where they are connecting from. For example, a sign-in from a corporate office IP range may be considered low-risk, while a sign-in from an anonymous proxy IP is high-risk. Named Locations allow you to categorize these IP ranges and countries, and Conditional Access policies use those categories to require additional verification (like MFA) or block access entirely.
How Named Locations Work Internally
When a user attempts to sign in, Azure AD evaluates the request. The source IP address of the authentication request is extracted from the HTTP headers. This IP is then compared against all defined Named Locations. Each Named Location is either an IPv4/IPv6 CIDR range or a country/region. Azure AD supports up to 195 named locations per tenant, with each location containing up to 1200 IP ranges. The evaluation happens in real-time during authentication.
Key components: - IP Ranges: You define IPv4 or IPv6 CIDR blocks. For example, 203.0.113.0/24. These are the actual network addresses of your corporate offices or VPN exit points. - Countries/Regions: You can select one or more countries from a predefined list. Azure AD uses the IP-to-location mapping from Microsoft's geo-IP database, which is updated regularly. - Mark as trusted location: A boolean flag. If checked, the location is considered trusted. This is used in Conditional Access policies to allow or require less stringent controls.
How Conditional Access Policies Work
A Conditional Access policy is an if-then statement: if a condition is met, then apply access controls. Conditions include user/group membership, cloud app assignment, device state (compliant or hybrid Azure AD joined), location (via Named Locations), client app type, sign-in risk, and more. Access controls can be: - Block access: Deny sign-in entirely. - Grant access: Require MFA, require device to be marked as compliant, require hybrid Azure AD joined device, require approved client app, require app protection policy, or require password change. - Session controls: Use app-enforced restrictions, Conditional Access App Control, sign-in frequency, persistent browser session.
Evaluation Flow
User attempts to access a cloud app (e.g., Office 365).
Azure AD receives the authentication request with the user's IP.
Azure AD evaluates all Conditional Access policies that apply to the user and app.
For each policy, it checks the location condition:
- If the policy includes a location condition, it compares the user's IP against Named Locations. - If the IP falls within an IP range of a Named Location, that location is considered the user's location. - If the IP maps to a country that is in a Named Location, that country location applies. 5. The policy then checks if the location is included or excluded. For example, a policy might say "Apply to all locations except trusted ones." 6. If the policy applies, the specified access controls are enforced. 7. If multiple policies apply, all grant controls must be satisfied (AND logic). If any policy blocks, block wins.
Default Values and Timers
Named Locations: Max 195 per tenant, 1200 IP ranges per location.
Conditional Access policies: Max 195 per tenant.
Session controls: Sign-in frequency can be set from 1 hour to 365 days. Persistent browser session can be set to never or always.
Report-only mode: Policies can be enabled in report-only mode to test impact before enforcement.
Configuration and Verification Commands
Named Locations can be configured via Azure portal (Azure AD > Security > Conditional Access > Named locations) or via PowerShell. Example PowerShell:
# Create a named location with IP ranges
$ipRanges = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
$ipRanges.CidrAddress = "192.168.1.0/24"
$location = New-Object -TypeName Microsoft.Open.MSGraph.Model.NamedLocation
$location.DisplayName = "Corporate Office"
$location.IpRanges = @($ipRanges)
$location.IsTrusted = $true
New-MgPolicyNamedLocation -BodyParameter $locationConditional Access policies can be created via portal or PowerShell. Example using Microsoft Graph PowerShell:
# Create a Conditional Access policy requiring MFA for all users from untrusted locations
$params = @{
displayName = "Require MFA from untrusted locations"
state = "enabled"
conditions = @{
locations = @{
includeLocations = @("All")
excludeLocations = @("TrustedLocationsID")
}
}
grantControls = @{
builtInControls = @("mfa")
operator = "OR"
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsInteraction with Related Technologies
Named Locations and Conditional Access work closely with: - Azure AD Identity Protection: Sign-in risk and user risk can be used as conditions. For example, if a sign-in comes from an untrusted location and has medium risk, require MFA. - Azure AD MFA: Conditional Access is the primary way to enforce MFA. You can require MFA based on location. - Device compliance (Intune): You can require a device to be compliant or hybrid Azure AD joined. Location can be combined: from trusted locations, allow access without compliance; from untrusted, require compliance. - Azure AD B2B: Guest users can be subject to Conditional Access policies based on their location. - Azure AD Join/Hybrid Join: Device state is a condition. For example, only allow access from hybrid joined devices when coming from untrusted locations.
Exam-Relevant Details
Named Locations are not just IP ranges; they can also be countries. But note that country-based location is less precise because IP geolocation can be inaccurate.
When you mark a location as trusted, it is automatically excluded from policies that target "All locations" unless you explicitly include it.
The order of policy evaluation is not configurable; all policies are evaluated and if any block, access is blocked. Grant controls are aggregated with AND logic.
You can use "All trusted locations" or "All untrusted locations" as shortcuts in location conditions.
The "Any location" option includes all IP addresses, even those not in any named location.
If a user's IP cannot be mapped to any named location, it falls into "Any location" but not into "All trusted" or "All untrusted" unless you define a catch-all location.
For Conditional Access, the location is determined at initial authentication. If the user's IP changes during a session (e.g., roaming), the policy is not re-evaluated until a new sign-in or a session refresh.
Advanced: IPv6 and Named Locations
Azure AD supports IPv6 ranges in Named Locations. However, many organizations still use IPv4. When configuring, ensure you include both IPv4 and IPv6 ranges if your corporate network uses IPv6. The evaluation logic is the same.
Common Misconfiguration
A frequent mistake is not marking a corporate IP range as trusted. This causes Conditional Access policies that block untrusted locations to also block corporate users. Always mark your known corporate IP ranges as trusted locations.
Another mistake is using countries for location control without understanding that VPNs and proxies can mask the true location. For example, a user in a restricted country might use a VPN to appear in a trusted country. Conditional Access cannot detect VPNs unless you use additional signals like sign-in risk.
Summary of Mechanism
Named Locations provide a way to label IP ranges and countries. Conditional Access policies use these labels to make access decisions. The decision is binary: allow (with or without controls) or block. The evaluation is done at sign-in time and is based on the source IP of the authentication request. Policies are applied in a cumulative manner, with block policies taking precedence.
Identify Corporate IP Ranges
Work with your network team to obtain all public IP ranges used by your organization. This includes office networks, VPN exit points, and data center IPs. For each range, note if it is a trusted network (e.g., corporate office) or an untrusted one (e.g., guest Wi-Fi). You will need these to create named locations. Typically, corporate IPs are aggregated into larger CIDR blocks to reduce the number of entries. For example, if you have multiple offices, you might create a single named location 'Corporate Network' containing all office IP ranges.
Create Named Locations in Azure AD
In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access > Named locations. Click 'New location'. Choose either 'IP ranges location' or 'Countries location'. For IP ranges, enter a name (e.g., 'Corporate HQ') and add one or more CIDR ranges. You can also mark the location as trusted by checking 'Mark as trusted location'. For countries, select the countries from the list. Note that you cannot mark a country location as trusted; only IP ranges can be trusted. Save the location. Repeat for all distinct network segments you want to control.
Define Conditional Access Policy Conditions
Go to Azure AD > Security > Conditional Access > Policies and click 'New policy'. Give it a name. Under 'Assignments', specify users/groups (e.g., all users) and cloud apps (e.g., Office 365). Under 'Conditions', click 'Locations'. Configure 'Include' to select which locations the policy applies to. For example, you can choose 'Any location' or 'All trusted locations' or 'All untrusted locations' or specific named locations. You can also exclude locations (e.g., exclude 'Corporate HQ'). Other conditions like device state or sign-in risk can be added as needed.
Configure Access Controls
Under 'Access controls', choose 'Grant'. Here you can require MFA, device compliance, etc. For a typical policy requiring MFA from untrusted locations, select 'Require multi-factor authentication'. You can also choose 'Require device to be marked as compliant' or 'Require hybrid Azure AD joined device'. Under 'Session', you can set sign-in frequency or persistent browser session. For example, from untrusted locations, you might require MFA every 1 hour. For trusted locations, you might set a longer session.
Enable Policy in Report-Only Mode
Before enabling a policy, it is recommended to set the policy to 'Report-only' mode. This allows you to see the impact of the policy without blocking users. In the policy, under 'Enable policy', select 'Report-only'. Then use the 'What If' tool to test the policy with a specific user, app, and location. You can also view sign-in logs to see where the policy would have applied. After verifying that the policy behaves as expected, change the state to 'On' to enforce it.
Monitor and Troubleshoot
After enabling the policy, monitor sign-in logs for failures. Look for error code 53003 (blocked by Conditional Access) or 53000 (MFA required). If users are being blocked unexpectedly, check if their IP is in the correct named location. Use the 'What If' tool to simulate their sign-in. Also, check that the named location IP ranges are accurate. If a user's IP changes (e.g., they are roaming), ensure the policy accounts for that. You can also use Azure AD Identity Protection to correlate sign-in risk with location.
Enterprise Scenario 1: MFA for Remote Workers
A multinational company with 50,000 employees wants to enforce MFA for all users accessing Office 365 from outside the corporate network. The corporate network consists of 10 offices worldwide, each with its own public IP range. The network team provides the IP ranges for each office. The Azure AD admin creates a named location called 'Corporate Network' with all these IP ranges and marks it as trusted. Then, they create a Conditional Access policy that applies to all users and all cloud apps, with location condition set to 'All untrusted locations', and grant control requiring MFA. They also exclude the 'Corporate Network' location from the policy. This ensures that users on the corporate network sign in without MFA, while remote users must use MFA. The policy is first tested in report-only mode for a week, and sign-in logs are reviewed to ensure no false positives. After enabling, MFA enrollment is enforced for all remote users. The company also uses Azure AD Identity Protection to detect risky sign-ins and block them if they come from untrusted locations with high risk.
Enterprise Scenario 2: Blocking Access from Unauthorized Countries
A financial services firm operates only in the United States and Canada. They want to block all access to their cloud apps from other countries. They create a named location of type 'Countries' and select 'United States' and 'Canada'. They do not mark it as trusted because country locations cannot be trusted. Then they create a Conditional Access policy that applies to all users and all cloud apps, with location condition set to 'All locations' and exclude the named location 'Allowed Countries'. The grant control is set to 'Block access'. This effectively blocks sign-ins from any IP that resolves to a country outside the US and Canada. However, they realize that users traveling abroad might be blocked. To handle this, they create a second policy that allows access from excluded locations but requires MFA and device compliance. They also add a break-glass admin account that is excluded from all policies. This scenario is common for compliance with data sovereignty laws.
Common Pitfalls
Inaccurate IP ranges: If the corporate IP ranges are not up-to-date, legitimate users may be blocked or not required to use MFA. Always maintain an accurate list.
VPN considerations: If users connect via VPN, their source IP is the VPN exit IP. If that IP is not in the corporate named location, they will be treated as untrusted. You may want to include VPN IP ranges as trusted or untrusted based on your security posture.
Guest users: Conditional Access policies apply to guest users by default if they are included in the user scope. Ensure that guest users are not inadvertently blocked from accessing resources they need.
Performance: Conditional Access evaluation adds a slight latency to authentication, typically under 100ms. However, if you have many policies, evaluation time can increase. Azure AD can handle up to 195 policies per tenant, but it's best to keep the number low for manageability.
What AZ-104 Tests
On the AZ-104 exam, you are expected to understand how to configure and manage Conditional Access policies, including the use of Named Locations. Specific objectives under domain 1.1 (Manage Azure AD identities) include:
Configure Azure AD Conditional Access policies
Implement and manage Conditional Access policies
Configure named locations
Configure device-based Conditional Access
Common Wrong Answers and Traps
Confusing 'All locations' with 'All trusted locations': A common trap is when a question asks to block access from untrusted locations. Candidates might select 'All locations' and then exclude trusted locations, but the correct approach is to select 'All untrusted locations' directly. The exam expects you to know the difference.
Assuming country locations can be trusted: Only IP range locations can be marked as trusted. If a question asks to mark a country as trusted, the answer is that it's not possible. Candidates often overlook this.
Forgetting that block policies override grant policies: If a user is subject to a policy that blocks access and another that grants access with MFA, the block wins. The exam might present a scenario with multiple policies and ask what happens.
Misunderstanding policy evaluation order: Policies are not evaluated in a specific order; all applicable policies are evaluated. If any policy blocks, access is blocked. Grant controls are aggregated with AND logic across policies. Candidates often think policies are evaluated in order of creation.
Specific Numbers and Values
Max named locations: 195 per tenant
Max IP ranges per named location: 1200
Max Conditional Access policies: 195 per tenant
Sign-in frequency range: 1 hour to 365 days
Persistent browser session: can be set to never or always
Report-only mode: allows testing without enforcement
Edge Cases and Exceptions
IPv6 support: Named locations support IPv6 CIDR ranges. The exam may test that you can include both IPv4 and IPv6.
Guest users: Conditional Access policies apply to guest users by default. You can exclude guests if needed.
Service accounts: Service principals (service accounts) cannot be targeted by Conditional Access policies because they do not sign in interactively. The exam might ask about this.
Emergency access accounts: Microsoft recommends excluding emergency access (break-glass) accounts from all Conditional Access policies to avoid lockout.
How to Eliminate Wrong Answers
If a question asks about blocking access from a specific country, remember that you can use a country named location but cannot mark it as trusted. The correct approach is to include all locations and exclude that country location, then set block.
If a question asks about requiring MFA from untrusted locations, look for the option that uses 'All untrusted locations' or includes all locations and excludes trusted ones.
If a question mentions 'device compliance' and 'location', remember that device compliance is a condition, not a grant control. Grant controls require the device to be compliant, not the location.
Always check if the question specifies 'report-only' mode. If it does, the policy does not enforce anything but logs what would have happened.
Named Locations can be IP ranges (IPv4/IPv6) or countries; only IP ranges can be marked as trusted.
Max 195 named locations per tenant, each with up to 1200 IP ranges.
Conditional Access policies are if-then statements: if conditions met, then enforce controls (block, grant, session).
Block policies override grant policies; if any policy blocks, access is denied.
Report-only mode allows testing without enforcement; use 'What If' tool to simulate.
Always exclude emergency access accounts from Conditional Access policies to avoid lockout.
Conditional Access does not apply to service principals; only to user sign-ins.
Location is evaluated at initial authentication; IP changes during session do not trigger re-evaluation.
These come up on the exam all the time. Here's how to tell them apart.
IP Range Named Locations
Can be marked as trusted or untrusted.
More precise – uses specific CIDR blocks.
Supports up to 1200 IP ranges per location.
Ideal for corporate networks with known IPs.
Evaluation is based on exact IP match.
Country Named Locations
Cannot be marked as trusted.
Less precise – based on IP geolocation, which can be inaccurate.
No limit on number of countries per location, but only one location per country selection.
Useful for blocking entire countries for compliance.
Evaluation is based on IP-to-country mapping by Microsoft.
Conditional Access: Block Access
Denies sign-in entirely.
No further authentication required.
Used for high-risk scenarios like untrusted countries.
Takes precedence over grant controls in other policies.
User receives an error message (53003).
Conditional Access: Grant Access with MFA
Allows sign-in after satisfying additional controls.
Requires user to complete MFA or other requirements.
Used for medium-risk scenarios like unknown locations.
Can be combined with other grant controls (AND/OR).
User sees MFA prompt or device compliance check.
Mistake
Named locations can be created for individual users.
Correct
Named locations are tenant-wide objects. They apply to all users in the tenant. You cannot create a named location for a specific user; instead, you use Conditional Access policies to target specific users or groups.
Mistake
Country-based named locations can be marked as trusted.
Correct
Only IP range locations can be marked as trusted. Country locations do not have a trusted flag. This is because IP ranges are more precise and can be controlled by the organization, while countries are broad and less reliable.
Mistake
Conditional Access policies are evaluated in order of priority.
Correct
There is no priority order. All policies that apply to the user and app are evaluated. If any policy blocks access, the result is block. Grant controls are combined with AND logic across policies. The order of creation does not matter.
Mistake
You can use Conditional Access to enforce MFA for service principals.
Correct
Conditional Access policies apply only to user sign-ins, not to service principals (applications). Service principals authenticate using client secrets or certificates, and Conditional Access cannot enforce MFA on them. For service principals, use conditional access for workload identities (preview) or other methods.
Mistake
If a user's IP is not in any named location, they are considered from an untrusted location.
Correct
If an IP is not in any named location, it is still part of 'Any location'. However, it is not automatically considered untrusted unless you define a policy that treats all locations except trusted ones as untrusted. 'All untrusted locations' includes only locations that are not marked as trusted, not IPs that are not in any named location. To treat all non-corporate IPs as untrusted, you must create a named location for your corporate IPs and mark them as trusted, then use 'All untrusted locations' in your policy.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In Azure AD, go to Security > Conditional Access > Named locations. Click 'New location', choose 'IP ranges location', give it a name, add your corporate CIDR ranges (e.g., 203.0.113.0/24), and check 'Mark as trusted location'. Save. This location can then be used in Conditional Access policies to exclude corporate users from MFA requirements.
Yes. Create a Conditional Access policy that applies to all users (or specific groups), all cloud apps, with location condition set to 'All untrusted locations' (or exclude your trusted corporate location). Under grant controls, select 'Require multi-factor authentication'. This will enforce MFA for any sign-in from outside your trusted IP ranges.
'All locations' includes every IP address, even those not in any named location. 'All untrusted locations' includes only IP ranges that are not marked as trusted. If you have not created any trusted locations, 'All untrusted locations' is empty. To effectively treat all non-corporate IPs as untrusted, create a trusted named location for your corporate IPs, then use 'All untrusted locations' in your policy.
Set the policy state to 'Report-only'. Then use the 'What If' tool (under Conditional Access) to simulate a sign-in with a specific user, app, and location. You can also view Azure AD sign-in logs to see where the policy would have applied. Report-only mode does not enforce controls but logs the result.
Yes. Create a named location of type 'Countries' and select the country you want to block. Then create a Conditional Access policy that applies to all users and all cloud apps, with location condition set to 'All locations' and exclude that country location, and set grant control to 'Block access'. Alternatively, you can include only that country location and block, but the exclude method is more straightforward.
All policies that apply to the user and app are evaluated. If any policy blocks access, the result is block. If no policy blocks, the grant controls from all policies are combined with AND logic. For example, if one policy requires MFA and another requires device compliance, the user must satisfy both. There is no priority order.
Yes, by default. When you invite a guest user, they are subject to Conditional Access policies that apply to 'All users' or to the group that includes guests. You can exclude guest users from policies if needed. Note that MFA requirements for guests may require them to register for MFA in their home tenant.
You've just covered Named Locations and Conditional Access Policies — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?