This chapter covers Named Locations and Network-Based Policies in Microsoft Entra ID (formerly Azure Active Directory), a critical component for controlling access based on geographic or network origin. On the MS-102 exam, this topic appears in approximately 5-8% of questions, often integrated with Conditional Access scenarios. Understanding how to define, configure, and troubleshoot named locations is essential for enforcing location-based Conditional Access policies, detecting risky sign-ins, and meeting compliance requirements.
Jump to a section
Named locations in Microsoft Entra ID work like a VIP club's guest list system. The club has multiple entrances (IP address ranges) where guests can arrive. The bouncer (Conditional Access) checks each guest's ID against a master list of approved locations. For example, the club might have a list for 'Corporate HQ' (main office IP range 10.1.0.0/16), a list for 'Branch Offices' (several remote office ranges), and a list for 'Trusted Partners' (specific VPN exit IPs). When a guest arrives from the Corporate HQ entrance, the bouncer knows they're from a trusted location and can allow entry with fewer checks (like just a badge scan instead of full ID verification). If a guest arrives from an unknown entrance, the bouncer enforces stricter rules (like requiring a secondary ID or calling the host). The system also marks known 'bad' entrances (like a back alley known for troublemakers) as untrusted locations, so anyone arriving there is automatically denied or challenged. Importantly, the guest list can include IPv4 and IPv6 ranges, and the bouncer uses exact matching — a guest from 10.1.0.10 is from HQ if the list says 10.1.0.0/16, but a guest from 10.2.0.10 is not. The bouncer also supports 'trusted' and 'untrusted' flags, and can mark certain entrances as 'compliant network' if they meet security standards (like being managed by MDM). This allows the club to grant different access levels based on where the guest is arriving from, without needing to know each guest individually.
What Are Named Locations and Why Do They Exist?
Named locations are administrative constructs in Microsoft Entra ID that allow you to label IP address ranges or countries/regions with a meaningful name. They serve as conditions in Conditional Access policies and as signals for Identity Protection risk detection. The primary use cases are:
Conditional Access: Grant or block access based on network location. For example, allow access only from corporate office IP ranges.
Identity Protection: Detect sign-ins from atypical or untrusted locations and trigger additional risk events.
Compliance: Demonstrate that access originates from approved network segments.
Named locations solve the problem of managing IP addresses in a human-readable way. Without them, administrators would have to enter raw IP ranges repeatedly in every policy. They also support IPv4 and IPv6, and can be marked as trusted or untrusted, which influences risk calculations.
How Named Locations Work Internally
When a user attempts to access a resource, the Microsoft Entra authentication pipeline evaluates the request. The source IP address of the client is extracted from the incoming HTTP request headers (specifically the X-Forwarded-For header if behind a proxy, or the direct client IP). This IP is compared against the defined named locations:
The system iterates through all named locations of type 'IP ranges'.
For each location, it checks if the client IP falls within any of its defined CIDR ranges.
Matching is done using bitwise AND with the subnet mask. For IPv4, this is a standard subnet check; for IPv6, similar logic applies.
If a match is found, the location name is associated with the authentication request.
If multiple locations match (possible if ranges overlap), the first match (based on creation order?) is used. Microsoft documentation advises against overlapping ranges, but if they occur, behavior is deterministic but not guaranteed.
If no IP range location matches, the system checks country/region locations. The client IP is geolocated using Microsoft's IP geolocation database (updated regularly).
If a country/region location matches, that is used.
If no location matches, the sign-in is considered from an 'unknown' location, which can be treated as untrusted.
This evaluation happens for every authentication request, including interactive sign-ins, non-interactive token refreshes, and device-based auth. The result is passed to Conditional Access policies as the 'Location' condition.
Key Components, Values, Defaults, and Timers
- Types of Named Locations: - IP ranges location: Defined by one or more CIDR notation ranges (e.g., 192.168.1.0/24, 2001:db8::/32). You can mark it as 'Trusted location' (checkbox) which sets the location as trusted for risk calculations. - Countries/Regions location: Select from a list of countries/regions. You can optionally include 'Unknown' areas (IP addresses that cannot be geolocated). You can also exclude specific IP ranges from the country definition (e.g., exclude your corporate VPN from the 'United States' country location to avoid false positives). - Maximum number of named locations: 195 per tenant (as of 2025). Each IP range location can contain up to 2000 IP ranges (CIDR blocks). - Default values: No default named locations exist. You must create them. However, Microsoft provides predefined countries/regions for selection. - Timers: Changes to named locations are cached and may take up to 5 minutes to propagate to all authentication endpoints. For Identity Protection risk events, location data is evaluated in near real-time. - IP Geolocation: Microsoft uses a combination of public and proprietary data. It is not perfectly accurate, especially for mobile carriers and VPNs. Administrators can override geolocation by creating IP range locations that map to a specific country.
Configuration and Verification
To create a named location via the Entra admin center: 1. Navigate to Identity > Security > Conditional Access > Named locations. 2. Click 'New location'. 3. Choose 'IP ranges location' or 'Countries/Regions location'. 4. Provide a name (e.g., 'CorpNet'). 5. For IP ranges: enter CIDR blocks, one per line. Optionally mark as trusted. 6. For countries: select from the list. Optionally include unknown areas. 7. Save.
To verify which named location a sign-in came from, you can use the Sign-in logs: 1. Go to Identity > Monitoring & health > Sign-in logs. 2. Select a sign-in event. 3. Under the 'Conditional Access' tab or 'Location' tab, you'll see the named location (e.g., 'CorpNet') or 'Unknown'.
Using PowerShell (Microsoft Graph PowerShell SDK):
# Connect to Graph
Connect-MgGraph -Scopes "Policy.Read.All"
# List named locations
Get-MgIdentityConditionalAccessNamedLocation | Select-Object Id, DisplayName, @{N='Type';E={$_.AdditionalProperties['@odata.type']}}
# Get details of a specific location
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId "<id>" | ConvertTo-Json -Depth 10Interaction with Related Technologies
Named locations interact with: - Conditional Access: The 'Locations' condition can be set to 'Any location', 'All trusted locations', or 'Selected locations'. You can also exclude specific locations. - Identity Protection: Trusted locations lower the sign-in risk level. Sign-ins from untrusted or unknown locations can contribute to risk events like 'Anonymous IP address' or 'Atypical travel'. - Microsoft Defender for Cloud Apps (MDCA): MDCA can also define IP ranges and geolocations, but these are separate from Entra ID named locations. Policies in MDCA use their own context. - Hybrid Identity: For federated domains, the source IP seen by Entra ID might be the ADFS proxy's IP, not the client's. This can cause incorrect location matching unless you configure the correct IP addresses. - Network policies: Named locations are purely logical; they do not enforce network segmentation. They only inform access decisions.
Common Pitfalls
Overlapping ranges: If two named locations have overlapping IP ranges, a sign-in might match both. This can cause unpredictable policy behavior. Avoid overlaps.
Trusted location misuse: Marking a location as trusted does not automatically grant access; it only affects risk. You still need Conditional Access policies to allow access.
IPv6 not configured: Many organizations only define IPv4 ranges. If clients use IPv6, they may not match and appear as unknown. Always include IPv6 ranges if your network uses them.
VPN and proxy issues: If users connect via VPN, the source IP is the VPN exit IP. If that IP is not in your named location, access may be blocked. Ensure VPN IP ranges are included.
Advanced: Using Named Locations with Conditional Access Policies
Example policy: Block access from all countries except the United States, but allow access from corporate VPN even if it appears to be from another country.
Create an IP range location named 'CorpVPN' with the VPN exit IP ranges. Mark as trusted.
Create a countries location named 'AllowedCountries' with 'United States' selected.
In Conditional Access policy:
Assignments > Locations: Include 'Any location', exclude 'All trusted locations' and 'AllowedCountries'.
Access controls: Block.
This blocks all sign-ins except those from the US or from the corporate VPN.
Troubleshooting
Use 'What If' tool in Conditional Access to simulate sign-ins and see which named location matches.
Check sign-in logs for 'Location' details. If the location shows 'Unknown', the IP was not matched.
Verify that IP ranges are in correct CIDR format. A common mistake is using a subnet mask like 255.255.255.0 instead of /24.
For geolocation inaccuracies, create IP range locations to override.
Summary of Key Numbers
Maximum named locations: 195
Maximum IP ranges per location: 2000
Propagation delay: up to 5 minutes
Supported IP versions: IPv4 and IPv6
CIDR notation required for IP ranges
Define Business Requirements for Locations
Before creating named locations, identify which network segments and countries should be trusted, blocked, or require additional controls. Common examples: corporate office IP ranges, branch office VPN subnets, partner extranet ranges, and countries where the company does business. Also consider unknown locations (e.g., public Wi-Fi). Document the CIDR ranges for each segment. For IPv6, ensure your network team provides the correct prefixes. This step is often skipped, leading to incomplete location definitions and unintended policy blocks.
Create Named Locations in Entra ID
In the Microsoft Entra admin center, navigate to Conditional Access > Named locations. Create a new location of type 'IP ranges location' for each network segment (e.g., 'CorpNet', 'BranchVPN'). Enter the CIDR ranges (one per line) and optionally mark as 'Trusted location' if the network is secure and managed. For country-based policies, create a 'Countries/Regions location' and select the required countries. Exclude specific IP ranges if needed (e.g., exclude your VPN IPs from a country location to avoid double-matching). Save each location.
Validate Location Matching with Sign-in Logs
After creating named locations, test by having a user sign in from a known IP. Go to Entra ID > Monitoring > Sign-in logs, select the sign-in, and check the 'Location' tab. It should display the named location name (e.g., 'CorpNet'). If it shows 'Unknown', the IP range is not correctly defined or the CIDR notation is wrong. Use the 'What If' tool in Conditional Access to simulate different IPs and see which location matches. This step catches errors early.
Configure Conditional Access Policies Using Locations
Create a Conditional Access policy that uses the named location as a condition. For example, a policy to require MFA when accessing cloud apps from outside the corporate network. In the policy, under 'Conditions > Locations', select 'Any location' or 'Selected locations'. You can also exclude trusted locations to avoid prompting MFA for users in the office. Ensure the policy is in 'Report-only' mode initially to test impact. Monitor sign-in logs for policy application.
Monitor and Adjust Named Locations
Regularly review sign-in logs for location mismatches. If users report being blocked unexpectedly, check if their IP is in the correct named location. Update IP ranges as network changes occur (e.g., new branch office). Also monitor for new countries that may need to be added or blocked. Use Identity Protection reports to see sign-ins from atypical locations. Adjust named locations accordingly. Remember that changes may take up to 5 minutes to propagate.
Scenario 1: Global Enterprise with Regional Offices
A multinational company has offices in North America, Europe, and Asia. They want to allow access to internal apps only from office IPs and from a corporate VPN. They create named locations for each region (e.g., 'NA-Offices', 'EU-Offices', 'APAC-Offices') and a 'CorpVPN' location. In Conditional Access, they block access from all other locations. However, they discover that traveling employees using hotel Wi-Fi are blocked. They modify the policy to require MFA for non-office locations instead of blocking, but still block from high-risk countries. They also mark the office locations as trusted to reduce risk scoring. Challenges: IP geolocation for VPNs may show the VPN exit country, not the user's actual location. They overcome this by creating IP range locations for VPN ranges and marking them as trusted. Performance: With hundreds of IP ranges, the authentication pipeline remains fast as matching is done via efficient subnet lookup.
Scenario 2: Healthcare Organization with Strict Compliance
A hospital must ensure that access to patient records only comes from within the hospital network (on-premises) or from a managed device connected via VPN. They create a named location 'Hospital-Network' with all internal subnets (IPv4 and IPv6) and a 'Managed-VPN' location for VPN IPs. They also create a countries location that includes only the home country. Conditional Access policies require that any access from outside these locations is blocked. They also integrate with Microsoft Defender for Cloud Apps to monitor for impossible travel. A common issue: doctors working from home using personal devices may connect via VPN but the device is not managed. They solve this by requiring device compliance in addition to location. The named locations are updated quarterly as network changes occur. They use PowerShell scripts to export and audit the locations.
Scenario 3: SaaS Company with Remote-First Culture
A tech startup has no physical offices; all employees work remotely. They use a corporate VPN for internal resources. They create a named location 'VPN-Exit' with the VPN's public IP ranges. They mark it as trusted. They also create countries locations for countries where they have employees (e.g., US, Canada, UK). They use Conditional Access to require MFA for all access, but exclude the VPN location from MFA to reduce friction. However, they notice that some employees connect from coffee shops without VPN and are prompted for MFA, which is acceptable. They also use Identity Protection to detect sign-ins from anonymous IPs. They learn that if an employee's home IP changes (ISP dynamic IP), they might not match the VPN location if they are not connected to VPN. They educate employees to always use VPN. They also set up a named location for 'Unknown' as untrusted. This simple setup works well for their small scale (<500 users).
MS-102 Exam Focus on Named Locations
The MS-102 exam (Microsoft 365 Administrator) tests your ability to configure and manage identity and access, including Conditional Access and named locations. Objective 2.3 specifically covers 'Implement and manage identity security and governance'. Within this, you need to understand:
How to create and manage named locations (IP ranges and countries/regions)
How named locations are used as conditions in Conditional Access policies
The difference between trusted and untrusted locations and their impact on risk
How to troubleshoot location-based policies
Common Wrong Answers and Why Candidates Choose Them
'Named locations can be used to block IP addresses directly.' This is false. Named locations are labels; they do not block by themselves. You must create a Conditional Access policy that uses the location condition to block. Candidates often think marking a location as 'untrusted' blocks access, but it only affects risk.
'You can create a named location by entering a single IP address without CIDR.' Wrong. IP range locations require CIDR notation. A single IP must be entered as e.g., 192.168.1.1/32. Candidates forget the /32.
'Named locations are evaluated in real-time and changes take effect immediately.' False. There is up to a 5-minute propagation delay. Candidates assume instant updates.
'You can use named locations in Azure AD (Entra ID) to enforce network segmentation.' False. Named locations are only for conditional access decisions, not for routing or firewall rules.
Specific Numbers and Terms on the Exam
Maximum 195 named locations per tenant.
Maximum 2000 IP ranges per location.
CIDR notation is required.
Supported types: IP ranges and countries/regions.
'Trusted location' checkbox reduces risk.
Changes take up to 5 minutes to propagate.
The 'What If' tool is used for simulation.
Edge Cases and Exceptions
Overlapping ranges: If a sign-in matches multiple named locations, behavior is not guaranteed. Avoid overlaps.
IPv6: If you only define IPv4 ranges, IPv6 clients will not match and will be treated as unknown.
Proxy servers: If users connect through a proxy, the source IP is the proxy's IP. Ensure proxy IPs are included in named locations.
Federated identity: For federated domains, the IP seen by Entra ID might be the federation server's IP. You may need to use the 'X-Forwarded-For' header or configure the federation server to pass the client IP.
How to Eliminate Wrong Answers
Understand the mechanism: Named locations are just labels. They do not enforce anything. A Conditional Access policy must be configured to use them. If a question asks about blocking, the answer must include a Conditional Access policy. Also, remember that trusted locations affect risk, not access directly. Look for keywords like 'risk' vs 'block'.
Named locations are labels for IP ranges or countries/regions used in Conditional Access and Identity Protection.
Maximum of 195 named locations per tenant; each IP range location can have up to 2000 CIDR ranges.
CIDR notation is mandatory for IP range locations (e.g., 10.0.0.0/8, 192.168.1.1/32).
Changes to named locations take up to 5 minutes to propagate to all authentication services.
Trusted locations reduce sign-in risk but do not grant access by themselves; you need Conditional Access policies.
Overlapping IP ranges between named locations can cause unpredictable behavior; avoid overlaps.
Named locations apply to both IPv4 and IPv6; ensure both are defined if your network uses IPv6.
Use the 'What If' tool in Conditional Access to simulate which location a sign-in would match.
Named locations are evaluated per authentication request; the source IP is extracted from HTTP headers.
Country locations rely on IP geolocation; create IP range locations to override geolocation for specific IPs.
These come up on the exam all the time. Here's how to tell them apart.
IP Ranges Location
Defined by one or more CIDR IP ranges (IPv4 and IPv6).
Can be marked as 'Trusted location' for risk calculation.
Maximum of 2000 IP ranges per location.
Useful for corporate networks, VPNs, and known partner IPs.
Provides precise matching based on subnet.
Countries/Regions Location
Defined by selecting countries/regions from a list.
Cannot be marked as 'Trusted location' directly; trust is not applicable.
No limit on number of countries per location (but limited to 195 locations total).
Useful for geopolitical restrictions (e.g., block all countries except US).
Matching is based on IP geolocation, which can be inaccurate for VPNs and mobile carriers.
Mistake
Named locations can be used to enforce network security (like a firewall).
Correct
Named locations are purely logical constructs in Entra ID for Conditional Access and Identity Protection. They do not filter traffic or enforce network-level security. They only influence access decisions during authentication.
Mistake
Marking a location as 'Trusted' automatically allows access from that location.
Correct
The 'Trusted location' checkbox only affects risk calculations in Identity Protection. It does not grant or deny access. To allow access, you must create a Conditional Access policy that includes the location as a condition.
Mistake
You can enter IP addresses without CIDR notation in a named location.
Correct
IP range locations require CIDR notation. For a single IP, you must use /32 (e.g., 192.168.1.1/32). Entering just '192.168.1.1' is invalid.
Mistake
Changes to named locations take effect immediately.
Correct
Changes are cached and may take up to 5 minutes to propagate to all authentication endpoints. This is important for troubleshooting.
Mistake
Named locations can be used to block access from specific IP addresses without a Conditional Access policy.
Correct
Named locations themselves do not block anything. You must combine them with a Conditional Access policy that has an 'Access control' set to 'Block'.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You must use CIDR notation. For a single IP, add it as e.g., 192.168.1.1/32. Entering just the IP without /32 is invalid. The UI expects one CIDR range per line.
Yes, by creating a countries/regions location and then using it in a Conditional Access policy with a block action. However, note that IP geolocation is not 100% accurate; you may need to override with IP range locations for known IPs.
The 'Trusted location' checkbox only affects the risk level in Identity Protection. Sign-ins from trusted locations are considered lower risk. It does not automatically allow or block access. Untrusted locations are not a separate type; locations not marked as trusted are simply not trusted.
Common reasons: (1) IP range is not in correct CIDR format; (2) the sign-in IP is behind a proxy or VPN that changes the source IP; (3) IPv6 is used but only IPv4 ranges are defined; (4) the location change hasn't propagated yet (up to 5 minutes). Check sign-in logs for the actual source IP and verify against your ranges.
Technically yes, but it is not recommended. If a sign-in matches multiple locations, behavior is not guaranteed. The system may pick the first match arbitrarily. Avoid overlaps by ensuring each IP range belongs to only one named location.
The maximum is 195 named locations per tenant. This includes both IP range and countries/regions types. Each IP range location can contain up to 2000 CIDR ranges.
Yes, named locations support both IPv4 and IPv6. You must enter IPv6 ranges in CIDR notation (e.g., 2001:db8::/32). If your network uses IPv6, ensure you define corresponding named locations to avoid unknown location matches.
You've just covered Named Locations and Network-Based Policies — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?