This chapter covers Entra ID Named Locations and their integration with Conditional Access policies, a key topic for the AZ-500 exam (Domain 1: Manage Identity and Access, Objective 1.4: Configure and manage Azure AD identity protection and governance). Named Locations allow you to define trusted IP ranges or countries/regions to control authentication behavior based on geography. Approximately 10–15% of AZ-500 exam questions touch Conditional Access and Named Locations, often testing configuration details, evaluation logic, and common misconfigurations.
Think of Entra ID Named Locations like a geofence system for a corporate building. The building has a defined perimeter (a named location) that can be drawn from physical coordinates (IP address ranges) or from a wider region (countries/regions). When an employee presents a badge (an authentication request), the request carries the place it came from (the client's public IP). The security system checks whether that place is inside a geofence. Whether a match grants access with normal privileges or triggers an extra check (a Conditional Access policy requiring MFA, or blocking access) is decided by the policy attached to the fence, not by the fence itself. A fence can be designated as trusted (corporate headquarters) or simply named for a specific region (for compliance). Just as a site can have multiple zones (HQ, branch offices), Entra ID allows multiple named locations. Which zones count as trusted is a manual decision an administrator records with the 'Mark as trusted location' checkbox; the system does not learn trust from repeated visits. Misconfiguring the geofence (for example, including a coffee shop's IP range) would allow unauthorized access, just like a hole in the fence.
What are Entra ID Named Locations and Why Do They Exist?
Entra ID Named Locations (formerly Azure AD Named Locations) are a foundational component of Conditional Access that allow administrators to define trusted or untrusted network locations based on IP address ranges or country/region. They exist to enable location-based access controls, such as requiring multi-factor authentication (MFA) when users sign in from outside the corporate network, or blocking sign-ins from high-risk countries. On the AZ-500 exam, you must understand how Named Locations are created, how they are evaluated during authentication, and how they interact with other Conditional Access conditions like sign-in risk and device state.
How Named Locations Work Internally
During authentication, Entra ID evaluates the public IP address from which the request reached it (the address of the client, or of whatever proxy or gateway sits between the client and Entra ID). A Conditional Access policy's location condition is then resolved against that IP as follows:
IP Address Resolution: The request carries the client's public IPv4 or IPv6 address as observed by Entra ID; a private address behind NAT or a client-supplied header is never used. For Countries locations the country is derived from that IP using Microsoft's geolocation data, or, if the location is configured to determine location by GPS coordinates, from the position reported by the Microsoft Authenticator app.
Named Location Matching: Every named location referenced by the policy is tested independently; there is no precedence between IP ranges locations and Countries locations. An IP ranges location matches if the IP falls inside any of its CIDR blocks. A Countries location matches if the resolved country is in its list, or, when the country cannot be determined and the location has 'Include unknown countries/regions' enabled, on that basis. An IP can match several locations at once, and an IP that matches none is simply in no named location.
Trusted vs. Untrusted: Each Named Location has a 'Mark as trusted location' checkbox. The flag only matters when a policy uses 'All trusted locations': that option is satisfied if any matching location is marked trusted (the legacy MFA Trusted IPs also count). A location selected by name in a policy applies regardless of the flag. An IP that matches no trusted location is, for the purposes of such a policy, untrusted.
Conditional Access Policy Evaluation: The Conditional Access policy uses the location condition to apply controls. For example, a policy that includes 'Any location', excludes 'All trusted locations' and grants access with 'Require multi-factor authentication' means 'If the location is not trusted, require MFA'.
Key Components, Values, Defaults, and Timers
- Named Location Types:
  - IP ranges: a list of IPv4 or IPv6 CIDR blocks (e.g., 203.0.113.0/24). Private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) cannot be configured, because Entra ID only ever sees the client's public address, and only CIDR masks longer than /8 are accepted.
  - Countries: one or more countries/regions from a predefined list (ISO 3166 alpha-2 codes). The country is determined from the client IP, or optionally from GPS coordinates reported by the Microsoft Authenticator app. An 'Include unknown countries/regions' option makes the location also match addresses that cannot be mapped to any country.
- Trusted Location: A checkbox that marks the location as trusted. Trusted locations are normally corporate networks. By default, new locations are NOT marked as trusted.
- Maximum Number of Named Locations: Up to 195 named locations per tenant.
- IP Ranges per Location: Up to 2,000 CIDR ranges.
- Evaluation Frequency: The IP-to-location mapping is evaluated at every authentication request. The geolocation data is updated periodically (no exact interval is published).
- IPv6 Support: Yes, both IPv4 and IPv6 are supported for IP ranges.
- MFA Trusted IPs vs. Named Locations: MFA Trusted IPs (legacy) are configured in the per-user MFA service settings, not as a Named Location, and on their own only suppress MFA prompts. Conditional Access does still see them: they appear as an 'MFA Trusted IPs' entry in the Named locations list and count as trusted when a policy selects 'All trusted locations'. They cannot be selected individually in a policy or combined with other controls, so Named Locations are preferred, and Microsoft recommends moving those ranges into IP ranges named locations. On the exam, know that Named Locations are more flexible and integrated with Conditional Access.
Configuration and Verification
To create a Named Location via the Azure portal: 1. Navigate to Entra ID > Security > Conditional Access > Named locations. 2. Click + New location. 3. Choose IP ranges location or Countries location. 4. Provide a name, IP ranges (CIDR), and optionally check 'Mark as trusted location'. 5. Click Create.
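The same object can be created through Microsoft Graph. The following is an added example for this chapter, not Microsoft sample code: it builds the request body for POST /identity/conditionalAccess/namedLocations (the ipNamedLocation and countryNamedLocation types) and applies the documented limits locally, rejecting private ranges and masks of /8 or shorter before anything is sent. Sending the body with a bearer token is left to the caller; the assumption that host bits in a CIDR are cleared rather than rejected is the example's own.

```python
"""Build and validate Microsoft Graph request bodies for Entra ID named locations.

Added example for this chapter (not Microsoft sample code). It mirrors the
documented body for POST /identity/conditionalAccess/namedLocations and applies
the documented limits locally before anything is sent: no private ranges, CIDR
masks longer than /8 only, at most 2,000 ranges per location. Sending the body
(Invoke-MgGraphRequest, or any HTTP client with a bearer token) is left to the
caller. Assumption: host bits in a CIDR are cleared rather than rejected.
"""
import ipaddress
import json

GRAPH_NAMED_LOCATIONS = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
)
MAX_RANGES_PER_LOCATION = 2000
COUNTRY_LOOKUP_METHODS = {"clientIpAddress", "authenticatorAppGps"}

# Ranges Entra will not accept as a named location. Documentation ranges such as
# 203.0.113.0/24 are deliberately absent so the chapter's examples pass.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def rejection_reason(cidr):
    """Return why Entra would reject this CIDR, or None if it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return f"{cidr}: not a valid CIDR ({exc})"
    if net.prefixlen <= 8:
        return f"{cidr}: only CIDR masks longer than /8 are allowed"
    for blocked in NON_ROUTABLE:
        if blocked.version == net.version and net.overlaps(blocked):
            return f"{cidr}: private or non-routable ranges cannot be named locations"
    return None


def build_ip_named_location(display_name, cidrs, trusted=False):
    """Body for an ipNamedLocation; raises ValueError on anything Entra would refuse."""
    if len(cidrs) > MAX_RANGES_PER_LOCATION:
        raise ValueError(f"{len(cidrs)} ranges exceeds the {MAX_RANGES_PER_LOCATION} per-location limit")
    ranges = []
    for cidr in cidrs:
        reason = rejection_reason(cidr)
        if reason:
            raise ValueError(reason)
        net = ipaddress.ip_network(cidr, strict=False)
        ranges.append({
            # Graph distinguishes the two range types by OData type name.
            "@odata.type": f"#microsoft.graph.iPv{net.version}CidrRange",
            "cidrAddress": str(net),
        })
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,          # the 'Mark as trusted location' checkbox
        "ipRanges": ranges,
    }


def build_country_named_location(display_name, iso_codes, include_unknown=False,
                                 lookup="clientIpAddress"):
    """Body for a countryNamedLocation keyed by ISO 3166-1 alpha-2 codes."""
    if lookup not in COUNTRY_LOOKUP_METHODS:
        raise ValueError(f"lookup must be one of {sorted(COUNTRY_LOOKUP_METHODS)}")
    codes = sorted({c.strip().upper() for c in iso_codes})
    for code in codes:
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"{code!r} is not an ISO 3166-1 alpha-2 code")
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": display_name,
        "countriesAndRegions": codes,
        "includeUnknownCountriesAndRegions": include_unknown,
        "countryLookupMethod": lookup,
    }


if __name__ == "__main__":
    hq = build_ip_named_location("Corporate HQ", ["203.0.113.0/24", "2001:db8:1::/48"], trusted=True)
    sanctioned = build_country_named_location("Sanctioned countries", ["ir", "kp", "sy"])
    for body in (hq, sanctioned):
        print(f"POST {GRAPH_NAMED_LOCATIONS}\n{json.dumps(body, indent=2)}\n")
    print(rejection_reason("192.168.1.0/24"))   # private range: rejected
```

Validating locally is worth the few lines because Graph returns a generic 400 for a bad range, and a script that pushes 2,000 ranges in one body learns nothing about which one was the problem.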
To verify via PowerShell (Microsoft Graph PowerShell SDK):
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessNamedLocation
To verify via Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations
Interaction with Related Technologies
Conditional Access: Named Locations are used as a condition in policies. The location condition can be set to 'Any location', 'All trusted locations', or 'Selected locations'.
Identity Protection: Sign-in risk and user risk can be combined with location in the same policy. For example, a policy can require MFA when sign-in risk is medium or high and the location is not trusted; a user-risk policy is what typically forces a secure password change.
MFA: Named Locations can be used to require MFA only from untrusted locations.
Continuous Access Evaluation (CAE): CAE-capable services (Exchange Online, SharePoint Online, Teams) re-check the client IP against the IP ranges locations used by location-based policies and can reject an access token in near real-time when the IP moves to a location the policy does not allow. CAE enforces only IP ranges locations; a Countries location is not evaluated by CAE and takes effect at the next token issuance.
Common Exam Traps
Misunderstanding 'Mark as trusted location': Candidates often think that marking a location as trusted automatically bypasses MFA. In reality, it only sets the location condition to 'Trusted'; the Conditional Access policy must explicitly allow bypass based on trusted location.
Assuming Named Locations and MFA Trusted IPs are unrelated: They are configured in different places (MFA Trusted IPs live in the legacy per-user MFA service settings), but Conditional Access treats the MFA Trusted IPs as a trusted location: they appear as an 'MFA Trusted IPs' entry in the Named locations list and are included whenever a policy selects 'All trusted locations'. Microsoft recommends migrating those ranges into IP ranges named locations so there is one place to maintain them.
Thinking Named Locations can be used for outbound traffic filtering: Named Locations are for authentication only, not for network traffic filtering.
Confusing 'Countries' type with 'IP ranges': Countries use geolocation based on IP, which can be inaccurate for some IPs (e.g., VPNs). IP ranges are more precise but require maintenance.
Step-by-Step Evaluation Example
Consider a user signing in from IP 203.0.113.5 (a public IP not in any named location) with a Conditional Access policy that requires MFA for 'Any location' and excludes 'All trusted locations', where the only trusted location is 'Corporate HQ'. The evaluation: 1. 203.0.113.5 is not inside any IP ranges location. 2. Geolocation resolves the IP to some country, but no Countries location includes that country, so nothing matches there either. 3. No named location matches, so no trusted location matches and the exclusion does not apply; the sign-in is treated as untrusted. 4. The policy applies: require MFA.
If the user later connects over the corporate VPN and is assigned the private address 10.0.0.5, Entra ID never sees 10.0.0.5; it sees the VPN gateway's public egress IP. If that egress IP is inside the 'Corporate HQ' range, which is marked trusted, the exclusion applies and the policy does not require MFA. (This is also why a private range can never be a named location: Entra ID never evaluates one.)
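The walk-through above, the multiple-match question from the exam notes and the 'Include unknown countries/regions' option all follow from the same few matching rules, so here they are as an added example (not Microsoft code) you can run against your own addresses. The geolocation table, the named locations and the policies are constructed for the example; Entra's real evaluation uses Microsoft's geolocation data, but the rules are the ones this chapter describes: every location a policy references is tested, 'AllTrusted' is satisfied if any matching location is marked trusted, and an IP that matches nothing is not excluded and so is treated as untrusted.

```python
"""Simulate how a Conditional Access location condition resolves for a sign-in.

Added example for this chapter, not Microsoft code. The geolocation table, the
named locations and the policies are constructed; Entra's real evaluation uses
Microsoft's geolocation data, but the matching rules are the ones the chapter
describes: every named location a policy references is tested, 'AllTrusted' is
satisfied if any matching location is marked trusted, and an IP that matches
nothing is not excluded, so it is treated as untrusted. Only the public IP that
reaches Entra ID is evaluated; a private VPN address such as 10.0.0.5 never is.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for Microsoft's IP-to-country data (IPv6 deliberately absent).
GEO_DB = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "GB",
    "192.0.2.0/24": "IR",
}


def geolocate(ip):
    """Country code for an address, or None when the data has no entry (unknown)."""
    for cidr, country in GEO_DB.items():
        if ip in ipaddress.ip_network(cidr):
            return country
    return None


@dataclass
class IpLocation:
    name: str
    cidrs: list
    trusted: bool = False

    def matches(self, ip, country):
        # An IPv4 address tested against an IPv6 network is simply False, never an error.
        return any(ip in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass
class CountryLocation:
    name: str
    countries: set
    include_unknown: bool = False
    trusted: bool = False

    def matches(self, ip, country):
        if country is None:
            return self.include_unknown   # 'Include unknown countries/regions'
        return country in self.countries


@dataclass
class Policy:
    name: str
    include: list                                   # ["All"] or named location names
    exclude: list = field(default_factory=list)     # ["AllTrusted"] or names
    controls: list = field(default_factory=list)    # e.g. ["mfa"] or ["block"]


def evaluate(ip_str, locations, policies):
    """Return matched locations, trusted status and the controls each policy enforces."""
    ip = ipaddress.ip_address(ip_str)
    country = geolocate(ip)
    matched = [loc for loc in locations if loc.matches(ip, country)]
    names = {loc.name for loc in matched}
    trusted = any(loc.trusted for loc in matched)   # any trusted match wins
    controls = {}
    for p in policies:
        included = "All" in p.include or bool(names & set(p.include))
        excluded = ("AllTrusted" in p.exclude and trusted) or bool(names & set(p.exclude))
        controls[p.name] = list(p.controls) if included and not excluded else []
    return {"country": country, "matched": sorted(names), "trusted": trusted, "controls": controls}


# Constructed tenant configuration for the walk-through.
LOCATIONS = [
    IpLocation("Corporate HQ", ["203.0.113.0/24", "2001:db8:1::/48"], trusted=True),
    IpLocation("Partner DC", ["203.0.113.128/25"]),          # overlaps HQ, not trusted
    CountryLocation("Sanctioned countries", {"IR", "KP", "SY"}),
]
POLICIES = [
    Policy("Require MFA outside corporate network", ["All"], ["AllTrusted"], ["mfa"]),
    Policy("Block sanctioned countries", ["Sanctioned countries"], [], ["block"]),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "203.0.113.200",
               "192.0.2.9", "2001:db8:1::10", "2001:db8:9::1"):
        print(ip, evaluate(ip, LOCATIONS, POLICIES))
```

203.0.113.200 is the interesting case: it sits in both 'Corporate HQ' (trusted) and 'Partner DC' (not trusted), and the MFA policy is still skipped because one trusted match is enough. Swapping the flags so that only 'Partner DC' is trusted gives the same result, which is exactly the overlap risk the mergers-and-acquisitions scenario later in this chapter warns about.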
Define Named Location in Entra ID
Navigate to Entra ID > Security > Conditional Access > Named locations. Click '+ New location'. Choose either 'IP ranges location' or 'Countries location'. For IP ranges, enter a name and a list of CIDR blocks (e.g., 203.0.113.0/24). Optionally check 'Mark as trusted location' if this represents a corporate network. For Countries, select one or more countries from the list. Click 'Create'. The location is now available for use in Conditional Access policies.
Create Conditional Access Policy
Go to Entra ID > Security > Conditional Access > Policies. Click '+ New policy'. Assign a name (e.g., 'Require MFA for non-corporate locations'). Under 'Assignments', select 'Users and groups' to target specific users (e.g., all users), and exclude your emergency-access (break-glass) accounts so that a wrong or stale IP range cannot lock every administrator out. Under 'Cloud apps or actions', select 'All cloud apps'. Under 'Conditions', click 'Locations'. Configure: 'Configure' = Yes. 'Include' = 'Any location'. 'Exclude' = 'All trusted locations'. This means the policy applies to all locations except those marked as trusted (and the legacy MFA Trusted IPs, which 'All trusted locations' also covers).
Define Access Controls
Under 'Access controls', select 'Grant'. Choose 'Grant access'. Check 'Require multi-factor authentication'. Ensure 'Require all selected controls' is selected. Optionally, you can add 'Require device to be marked as compliant' for stronger security. Click 'Select'. Under 'Session', you can configure sign-in frequency or persistent browser session if needed. These controls will be enforced when the policy triggers.
Enable Policy and Test
Set 'Enable policy' to 'Report-only' initially (for testing). Click 'Create'. Use the 'What If' tool under Conditional Access to simulate a sign-in from a specific IP. Enter user details, cloud app, and IP address (e.g., 198.51.100.1). The tool will show which policies apply and what controls are enforced. Verify that the policy applies correctly based on the location. After validation, set the policy to 'On' and monitor sign-in logs for any issues.
Monitor and Troubleshoot
Use Entra ID sign-in logs to see if the policy is being applied. Filter by 'Conditional Access' status = 'Failure', 'Success' or 'Not applied'. For a given sign-in, the Location tab shows the IP address and the city and country it resolved to; the Conditional Access tab shows, per policy, whether it applied and which grant controls were enforced. A policy that you expected to be skipped for a corporate sign-in but that shows as applied means the IP did not match any trusted named location. Common causes: the public egress IP is not in any named location, the location that contains it is not marked as trusted, or the named location was created after the sign-in. Adjust Named Locations accordingly and use the 'What If' tool to test changes before enforcing.
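The two checks just described can be run over an export of the sign-in logs. The following is an added example for this chapter, not Microsoft code; the records are constructed in the shape of the Graph signIn resource (ipAddress, location, appliedConditionalAccessPolicies), and in practice they would come from a sign-in log download or GET /auditLogs/signIns. It reports the public IPs that keep triggering a policy meant to be skipped on the corporate network (the VPN-egress symptom from Scenario 1 below) and the sign-ins where the policy applied even though the IP is inside a range you believe is trusted.

```python
"""Triage Entra ID sign-in log records for location-driven Conditional Access results.

Added example for this chapter, not Microsoft code. The records below are
constructed in the shape of the Graph signIn resource (ipAddress, location,
appliedConditionalAccessPolicies); in practice they come from a sign-in log
export or GET /auditLogs/signIns. The policy name and trusted ranges are the
constructed tenant used elsewhere in this chapter.
"""
import ipaddress
from collections import Counter

POLICY = "Require MFA outside corporate network"
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]
# Per-policy results that mean the policy was in scope for the sign-in.
APPLIED = {"success", "failure", "reportOnlySuccess", "reportOnlyFailure"}


def _entry(upn, ip, country, result, controls):
    """Constructed sign-in record using the Graph signIn field names."""
    return {
        "userPrincipalName": upn,
        "ipAddress": ip,
        "location": {"countryOrRegion": country},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY, "result": result, "enforcedGrantControls": controls}
        ],
    }


SAMPLE_SIGNINS = [
    _entry("alice@contoso.example", "203.0.113.5", "US", "notApplied", []),     # HQ, excluded
    _entry("bob@contoso.example", "198.51.100.40", "GB", "success", ["Mfa"]),   # VPN egress
    _entry("carol@contoso.example", "198.51.100.40", "GB", "success", ["Mfa"]),
    _entry("dave@contoso.example", "198.51.100.40", "GB", "failure", ["Mfa"]),  # abandoned MFA
    _entry("erin@contoso.example", "192.0.2.77", "JP", "success", ["Mfa"]),
    _entry("grace@contoso.example", "203.0.113.77", "US", "success", ["Mfa"]),  # should be trusted
    _entry("mallory@contoso.example", "2001:db8:9::10", None, "failure", ["Mfa"]),
]


def _policy_result(record, policy_name):
    for p in record.get("appliedConditionalAccessPolicies", []):
        if p.get("displayName") == policy_name:
            return p.get("result")
    return None


def _in_trusted(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in TRUSTED_RANGES)


def policy_results(records, policy_name=POLICY):
    """Counter of per-policy results, the same breakdown as the sign-in log filter."""
    return Counter(_policy_result(r, policy_name) for r in records)


def repeat_untrusted_sources(records, policy_name=POLICY, min_count=2):
    """IPs outside the trusted ranges that had the policy applied at least min_count times.

    Returns (ip, country, count) tuples, most frequent first. A corporate VPN
    egress or a new branch office shows up here; so would a consumer VPN
    provider, and that kind of range must never be added to a trusted location.
    """
    hits = Counter()
    country_of = {}
    for r in records:
        if _policy_result(r, policy_name) not in APPLIED or _in_trusted(r["ipAddress"]):
            continue
        hits[r["ipAddress"]] += 1
        country_of[r["ipAddress"]] = r["location"].get("countryOrRegion")
    return [(ip, country_of[ip], n) for ip, n in hits.most_common() if n >= min_count]


def applied_inside_trusted(records, policy_name=POLICY):
    """Sign-ins where the policy applied although the IP is in a range you consider trusted.

    Typically the named location was created or marked trusted after the sign-in,
    or the range lives in a location that is not actually marked as trusted.
    """
    return [(r["userPrincipalName"], r["ipAddress"]) for r in records
            if _policy_result(r, policy_name) in APPLIED and _in_trusted(r["ipAddress"])]


if __name__ == "__main__":
    print(dict(policy_results(SAMPLE_SIGNINS)))
    print(repeat_untrusted_sources(SAMPLE_SIGNINS))
    print(applied_inside_trusted(SAMPLE_SIGNINS))
```

Before acting on the first report, confirm who owns each repeated IP (a corporate VPN concentrator, a branch office, or a third-party provider); only ranges your organisation controls belong in a trusted location.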
Scenario 1: Corporate Network Access Control
A multinational company with offices in New York, London, and Tokyo wants to require MFA for all sign-ins except from corporate offices. They create three Named Locations of type 'IP ranges' for each office's public IP ranges (e.g., 203.0.113.0/24 for New York, 198.51.100.0/24 for London, 192.0.2.0/24 for Tokyo). Each is marked as 'trusted location'. A Conditional Access policy is created for all users targeting all cloud apps, excluding 'All trusted locations', and requiring MFA. In production, this works well but requires maintaining IP ranges when ISPs change. A common issue is when employees use a corporate VPN whose gateway egresses through a public IP that is not in any of the three ranges, triggering MFA unnecessarily. The solution is to add the VPN gateway's public egress ranges to the trusted location; this is only appropriate when the VPN is corporate-controlled, since anyone can obtain an address in a consumer VPN provider's ranges and those must never be marked trusted. Scale: The company has 50,000 users; the policy is evaluated for every sign-in (~500,000 per day). Performance is not impacted because evaluation is lightweight.
Scenario 2: Geo-Restriction for Compliance
A financial services firm must block sign-ins from sanctioned countries (e.g., Iran, North Korea, Syria). They create a Named Location of type 'Countries' and select these countries. A Conditional Access policy is set to 'Block access' for 'Selected locations' (the sanctioned countries). This policy is applied to all users. However, a challenge arises when users travel to these countries for business; they need to be exempted. The solution is to exclude a small, time-boxed 'travel exception' group from the block policy and add a traveller to that group only for the duration of the trip; a second 'Allowed countries' named location is not needed, because the block policy only acts on the selected sanctioned-country location. Misconfiguration: If the blocked countries list is not updated when sanctions change, access may be allowed inadvertently. Also, geolocation inaccuracies (e.g., IPs assigned to a different country) can cause false blocks, and an attacker in a sanctioned country who routes through a VPN elsewhere is not caught by a country block at all. Monitoring sign-in logs for 'Blocked' events is essential.
Scenario 3: Mergers and Acquisitions
After an acquisition, the acquiring company needs to integrate the acquired company's network. They add the acquired company's IP ranges to existing Named Locations. However, if the acquired company's IP ranges overlap with untrusted ranges (e.g., public Wi-Fi), trusted location status may be incorrectly applied. The administrator must carefully review and possibly split locations. A best practice is to use separate Named Locations for each subsidiary and assign Conditional Access policies accordingly. Performance: With 100+ locations and 10,000+ IP ranges, the evaluation is still fast, but management complexity increases. Automation via PowerShell or Graph API is recommended.
AZ-500 Exam Focus on Named Locations and Conditional Access (Objective 1.4)
The AZ-500 exam tests your ability to configure and troubleshoot Named Locations within Conditional Access policies. Key areas:
1. Named Location Types: You must know the difference between 'IP ranges' and 'Countries'. The exam will ask which type to use for a scenario (e.g., corporate network vs. geo-restriction).
2. Trusted Location Mark: The checkbox 'Mark as trusted location' is a frequent point of confusion. The flag is consulted only when a policy uses 'All trusted locations'. A common wrong answer is that marking a location as trusted automatically bypasses MFA; in reality, the policy must explicitly exclude trusted locations.
3. Maximums: Know the limits: up to 195 named locations, up to 2,000 IP ranges per location. These numbers appear in exam questions.
4. Evaluation When an IP Matches Multiple Locations: There is no precedence order. Every matching location counts: a policy that selects any of them by name applies, and 'All trusted locations' is satisfied if any matching location is marked trusted. If no location matches, nothing is trusted and the IP is treated as untrusted.
5. Common Wrong Answers:
- Wrong: 'Named Locations can be used to filter network traffic.' They are only for authentication.
- Wrong: 'MFA Trusted IPs and Named Locations are the same.' They are configured separately; MFA Trusted IPs are legacy, although Conditional Access counts them under 'All trusted locations'.
- Wrong: 'Countries location uses the user's home country from their profile.' It uses IP geolocation (or Authenticator GPS, if the location is configured that way).
- Wrong: 'You can use Named Locations to block sign-ins from specific IPs.' Blocking is done by a Conditional Access policy that references the location; Named Locations themselves do not enforce.
6. Edge Cases:
- IPv6: Supported. The exam may present a scenario with IPv6 ranges.
- Private ranges: Not supported; Entra ID only ever sees public addresses.
- Multiple locations for the same IP: All are considered. If one is trusted, the location is trusted.
- No location matched: Treated as untrusted.
- Guest users: Named Locations apply to guest users as well, depending on policy scope.
7. How to Eliminate Wrong Answers: Focus on the mechanism: Named Locations are just labels for IP ranges or countries. They do not enforce anything themselves; they are used as conditions in policies. If an answer suggests that Named Locations directly block or allow access, it is wrong. Also, remember that 'trusted' is a boolean flag; it does not imply bypass of any control without a policy.
Named Locations are conditions used in Conditional Access policies; they do not enforce access controls themselves.
Maximum 195 Named Locations per tenant, each with up to 2,000 IP ranges.
The 'Mark as trusted location' flag only affects how the location condition evaluates; a policy must explicitly exclude trusted locations to bypass controls.
Countries location uses IP geolocation, not the user's profile country.
IPv6 is supported for IP ranges.
If a client IP matches multiple Named Locations, the location is considered trusted if any matching location is marked as trusted.
If no Named Location matches, the location is 'Not configured' and treated as untrusted.
MFA Trusted IPs (legacy) are configured in the MFA service settings, not as a Named Location, but they appear in the Named locations list as 'MFA Trusted IPs' and count as trusted when a policy selects 'All trusted locations'.
Use 'What If' tool to test Named Location matching before enforcing policies.
Named Locations apply to all authentication requests, including guest users, unless scoped by policy.
These come up on the exam all the time. Here's how to tell them apart.
Named Locations (IP Ranges)
Defined by specific CIDR blocks (e.g., 203.0.113.0/24).
More precise – no geolocation errors.
Requires maintenance when IPs change.
Supports up to 2,000 ranges per location.
Best for corporate networks with known public IPs.
Named Locations (Countries)
Defined by selecting countries from a list.
Less precise – IP geolocation may be inaccurate.
No maintenance needed for IP changes.
No range limit (only country selection).
Best for geo-restriction scenarios (e.g., block sanctioned countries).
Mistake
Named Locations automatically block sign-ins from untrusted locations.
Correct
Named Locations do not enforce any action. They are merely conditions. A Conditional Access policy must be created to block or require MFA based on the location. Without a policy, Named Locations have no effect.
Mistake
Marking a Named Location as 'trusted' bypasses MFA for all users.
Correct
The 'Mark as trusted location' flag only marks the location as trusted in the location condition. A Conditional Access policy must explicitly exclude trusted locations from requiring MFA. If no policy excludes trusted locations, MFA may still be required.
Mistake
Named Locations of type 'Countries' use the user's country from their profile.
Correct
Countries location is based on the geolocation of the client's IP address, not the user's home country or profile attribute. This can lead to inaccuracies if the IP geolocation data is outdated.
Mistake
You can have up to 2,000 Named Locations per tenant.
Correct
The limit is 195 Named Locations per tenant. Each location can contain up to 2,000 IP ranges. This is a common exam trap.
Mistake
Named Locations support only IPv4 addresses.
Correct
Named Locations support both IPv4 and IPv6 CIDR blocks. The exam may include a scenario with IPv6.
Named Locations are part of Conditional Access and can be used in policies to control access based on IP ranges or countries. MFA Trusted IPs are a legacy feature in the per-user MFA service settings that suppress MFA prompts for users signing in from those IPs. Conditional Access still honours them: they are listed as 'MFA Trusted IPs' under Named locations and are included when a policy selects 'All trusted locations', but they cannot be selected individually or combined with other controls. Named Locations are more flexible; on the exam, know that Named Locations are preferred for modern scenarios and that Microsoft recommends migrating MFA Trusted IPs into them.
Yes, indirectly. Create a Named Location with the IP range (e.g., 198.51.100.1/32). Then create a Conditional Access policy that blocks access when the location is that specific Named Location. However, Named Locations themselves do not block; the policy does. This is a common exam point.
If the IP falls within the IP ranges of multiple Named Locations, all matching locations are considered. If any of those locations is marked as trusted, the overall location condition evaluates as trusted. If none are trusted, it is untrusted. The order of creation does not matter.
Microsoft updates the geolocation data regularly, but the exact frequency is not published. Recently allocated or re-assigned ranges can therefore resolve to the wrong country for a time, which is one reason to prefer IP ranges over Countries locations for networks you control.
Named Locations are evaluated by Entra ID during authentication, against the public IP from which the request reached Entra ID. Anything that terminates the user's connection before it reaches Entra ID, such as a corporate web proxy, a cloud secure web gateway or a VPN concentrator, makes Entra ID see that device's egress address instead of the user's, so those egress ranges are what must appear in your Named Locations. Entra ID uses only the address it observes itself and does not trust a client-supplied X-Forwarded-For header. For applications published through Application Proxy, pre-authentication happens directly against Entra ID, so the location condition sees the user's own public IP; the connector's address is only what the on-premises application sees behind the proxy.
The limit is 195 Named Locations per tenant. Each location can contain up to 2,000 IP ranges. This is a hard limit and a common exam number.
Yes. The 'What If' tool in Conditional Access allows you to simulate a sign-in for a user, application and IP address (and, optionally, device platform, client app and risk levels). It reports which policies would apply, which would not and why, so you can see whether the IP resolved to a trusted location as you expected. This is a critical troubleshooting tool.