Conditional access policies are a staple of modern IT security. They allow IT administrators to automate decisions and enforce access controls based on real-time conditions such as user behavior, sign-in risk, device compliance, and geographic location. This guide specifically discusses how you can use Microsoft Entra ID (formerly known as Azure AD) to enforce conditional access based on risk and location.
Enforcing CA policies based on risk and location
This section walks through four methods that let administrators directly create and enforce location-based and risk-based conditional access.
📌 Prerequisites: The following are required for the methods below to work:
- Microsoft Entra ID P1 (for Conditional Access itself) or P2 (for the Sign-in risk and User risk conditions, which depend on Microsoft Entra ID Protection)
- A role that can manage Conditional Access: Conditional Access Administrator is the least-privileged choice; Security Administrator or Global Administrator also work
- Microsoft Entra joined or hybrid-joined devices enrolled in Intune, if you intend to use the "Require device to be marked as compliant" control (purely location- or risk-based policies do not need this)
- Named locations (IP ranges or countries) defined in Entra ID, because the Locations condition can only reference named locations
💡 Tip: Integrating Microsoft Defender for Identity is optional, but its signals enrich the risk evaluation that risk-based policies act on.
📌 Recommended deployment strategies:
| Choose a Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Method 1: Configuring CA using Microsoft Entra Admin Center | ✓ | |
| Method 2: Defining named locations in Microsoft Entra Admin Center | ✓ | |
| Method 3: Creating risk-based policies in Microsoft Entra Admin Center | ✓ | |
| Method 4: PowerShell | | ✓ |
Method 1: Configuring conditional access policies using Microsoft Entra Admin Center
Configuring conditional access with Microsoft Entra Admin Center is straightforward and uses a GUI. This method isn’t restricted to risk-based and location-based conditional access.
📌 Use Cases: Standard policy management and testing
📌 Prerequisites: This method requires Microsoft Entra ID P1.
To create a conditional access policy:
- Go to Microsoft Entra Admin Center.
- Navigate to Protection > Conditional Access > Policies.
- Click + New Policy.
- Define the following:
- Assignments:
- Users or groups (exclude your break-glass accounts here)
- Target resources (formerly Cloud apps or actions): the applications or user actions the policy covers
- Conditions > Locations: Include or exclude named locations (the countries or IP ranges you defined under Named locations)
- Conditions > Sign-in risk or User risk: Select the levels (High, Medium, Low) that should trigger the policy; these two conditions require Entra ID P2
- Access Controls:
- Block access
- Require multifactor authentication
- Require device to be marked as compliant
⚠️ Important: When defining assignments, especially Locations and Sign-in or User Risk, ensure that you’re configuring them correctly. Otherwise, your conditional access policy may not work as expected. Read the Things to look out for section for more details.
- Set the policy state to Report-only and create it. Review the Report-only results in the sign-in logs before switching the policy to On.
Method 2: Defining named locations in Microsoft Entra Admin Center
With this method, IT administrators can allow or block access based on geolocation or IP-based data.
📌 Use Cases: Geofencing access and supporting compliance with data residency requirements
To define locations, follow these steps:
- Go to Protection > Conditional Access > Named locations.
- Click + IP ranges location (or + Countries location for a geographic location).
- Name the location (e.g., “Corporate HQ”).
- For an IP ranges location, add your public egress ranges in CIDR notation and, where appropriate, tick Mark as trusted location. For a countries location, choose whether the country is determined by IP address or by GPS coordinates, and whether unknown countries/regions are included.
- Reference these named locations in the Locations condition of your policies.
💡 Tip: Only IP ranges locations can be marked as “Trusted”. Identity Protection treats sign-ins from trusted locations as lower risk, which reduces false positives, and policies can target “All trusted locations” as a group. Entra ID evaluates the source IP it sees, so list the NAT or proxy egress addresses of an office, not its internal ranges. Be careful when naming a location, adding a trusted IP range, or creating a countries location, as incorrect configurations will affect conditional access. Refer to the Things to look out for section for more details.
Method 3: Creating risk-based conditional access policies in Microsoft Entra Admin Center
Risk-based conditional access protects identities that Microsoft Entra ID Protection flags as compromised or under attack. It can be combined with other conditions, such as location, to give the environment stronger protection against common attacks like credential stuffing and password spray.
📌 Use Case: Enforce policies based on user or sign-in risk
📌 Prerequisites: This method requires Microsoft Entra ID P2 to allow risk-based configurations.
Microsoft recommends configuring risk as a condition in Conditional Access policies (Method 1) rather than through the legacy Identity Protection user risk and sign-in risk policies, whose retirement has been announced. If the legacy policies are still available in your tenant, the steps are:
- Go to Protection > Identity Protection > User risk policy.
- Configure the following:
- Users
- Risk level: High, or Medium and above (💡 Tip: An aggressive risk threshold may be detrimental to your operations. Review the Things to look out for section for more details.)
- Controls: Block access, or Allow access and require password change (the usual choice for user risk when users are registered for MFA)
- Repeat for Sign-in risk policy, where the usual control is Require multifactor authentication.
- For finer control (specific apps, locations, exclusions, or report-only testing), build the equivalent policy under Conditional Access with the Sign-in risk or User risk condition.
Method 4: PowerShell
PowerShell is especially useful for automation in large IT environments, and for keeping policies in source control so that changes are reviewed before they reach the tenant. Here it is used to create and manage CA policies through Microsoft Graph.
📌 Use Case: Automation, scripting across environments, CI/CD integration
📌 Prerequisites: The Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account holding a role that can manage Conditional Access.
Follow these steps:
- Open PowerShell (Windows PowerShell 5.1 or PowerShell 7). Local administrator rights are not needed; the permissions that matter are the Graph scopes and your Entra role.
- Connect to Microsoft Graph with a scope that permits writing Conditional Access policies:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
- Create the policy. The cmdlet is New-MgIdentityConditionalAccessPolicy; the users and applications assignments are mandatory, the location values are "All", "AllTrusted", or a named-location ID, and a new policy should start in report-only state. This policy blocks high-risk sign-ins from everywhere except trusted locations:
New-MgIdentityConditionalAccessPolicy -DisplayName "Block high-risk sign-ins outside trusted locations" `
  -State "enabledForReportingButNotEnforced" `
  -Conditions @{ Users = @{ IncludeUsers = @("All") }; Applications = @{ IncludeApplications = @("All") }; SignInRiskLevels = @("high"); Locations = @{ IncludeLocations = @("All"); ExcludeLocations = @("AllTrusted") } } `
  -GrantControls @{ Operator = "OR"; BuiltInControls = @("block") }
- List the named locations you can reference by ID:
Get-MgIdentityConditionalAccessNamedLocation
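A complete, scripted version of Methods 1 to 4 (a trusted IP named location plus a risk- and location-based policy, created in report-only state with a break-glass exclusion). This is an added example and not code from the original article or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed and the tenant has Entra ID P2 for the sign-in risk condition; the egress CIDR 203.0.113.0/24 (a documentation range) and the break-glass group ID are placeholders you must replace.

```powershell
# Added example, not part of the original article. Placeholders: the 203.0.113.0/24
# egress range and the break-glass group object ID. Requires Microsoft.Graph SDK.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your emergency-access group

# 1. Named location: the office's public egress range, marked trusted so that
#    policies can refer to it through "AllTrusted"
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate HQ egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: block high sign-in risk everywhere except trusted locations, starting in
#    report-only so the sign-in logs show what would have been blocked
$policyBody = @{
    displayName   = "CA-Risk: block high sign-in risk outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
        locations        = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 3. Read back what was created
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $hq.Id |
    Select-Object DisplayName, Id
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State

# 4. Only after the Report-only results in the sign-in logs look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"
```

The break-glass exclusion is applied at creation time rather than afterwards on purpose: a policy that blocks on risk with no exclusion can lock out the very administrators who need to turn it off. Keep the final Update-MgIdentityConditionalAccessPolicy step as a separate, reviewed change.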
⚠️ Things to look out for
| Risk | Potential consequence | Remediation |
| Incorrect definition of Location (Method 1) | Legitimate users blocked because their egress IP or country is misclassified | Remove or update the named location; if administrators are locked out, disable the policy with a break-glass account. |
| Sign-in risk or User risk condition set to include Low (Method 1) | Excessive false positives and frequent user lockouts | Raise the threshold to Medium or High and validate against the Conditional Access and Report-only tabs of the sign-in logs. |
| Typing errors or a wrong IP subnet in a named location (Method 2) | Entire office or service blocked, or an address range you do not control treated as trusted | Correct the range in the Admin Center; mark a range as “Trusted” only when it is your own egress. |
| Geo-IP inaccuracies, VPNs or proxies masking the true location (Method 2) | Users blocked despite being in an allowed country | Allow-list only the countries you operate in, and combine geography with device compliance or MFA rather than relying on it alone. |
| Risk level thresholds set too aggressively, i.e., blocking on Medium or Low (Method 3) | Legitimate sign-ins flagged as risky and blocked | Block only on High; remediate Medium with MFA (sign-in risk) or a password change (user risk). |
| No exclusion for break-glass accounts (all methods) | Administrators locked out by their own policy | Exclude an emergency-access group from every policy and test that it can still sign in. |
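To catch the mistakes in the table before a policy goes live, the following added example (not part of the original article) checks policy and named-location objects for malformed CIDRs, enforced policies with no user or group exclusion, blanket blocks with no location exclusion, and block controls that trigger on Low risk. The sample objects are constructed to mirror the shape of the SDK's output; the commented line at the end shows the live call, with the caveat that, depending on SDK version, the IP ranges of a named location may sit under AdditionalProperties rather than a typed IpRanges property.

```powershell
# Added example, not from the original article. Sample data below is constructed.

function Test-CidrSyntax {
    param([string]$Cidr)
    # Require four dotted octets and a prefix of 0-32. A missing octet ("198.51.100/24")
    # would otherwise be accepted by IPAddress.TryParse as shorthand and go unnoticed.
    if ($Cidr -notmatch '^(?<ip>(\d{1,3}\.){3}\d{1,3})/(?<bits>\d{1,2})$') { return $false }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Matches.ip, [ref]$parsed)) { return $false }
    return ([int]$Matches.bits -le 32)
}

function Find-CaPolicyIssues {
    param(
        [Parameter(Mandatory)] $Policies,
        [Parameter(Mandatory)] $NamedLocations
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($loc in $NamedLocations) {
        foreach ($range in $loc.IpRanges) {
            if (-not (Test-CidrSyntax $range.CidrAddress)) {
                $findings.Add("Named location '$($loc.DisplayName)': malformed CIDR '$($range.CidrAddress)'")
            }
        }
    }

    foreach ($p in $Policies) {
        $c      = $p.Conditions
        $blocks = $p.GrantControls.BuiltInControls -contains 'block'
        $hasUserExclusion = ($c.Users.ExcludeUsers.Count + $c.Users.ExcludeGroups.Count) -gt 0

        if ($p.State -eq 'enabled' -and -not $hasUserExclusion) {
            $findings.Add("Policy '$($p.DisplayName)': enforced with no excluded users or groups (no break-glass exclusion)")
        }
        if ($blocks -and ($c.Locations.IncludeLocations -contains 'All') -and $c.Locations.ExcludeLocations.Count -eq 0) {
            $findings.Add("Policy '$($p.DisplayName)': blocks from all locations with nothing excluded")
        }
        $risk = @($c.SignInRiskLevels) + @($c.UserRiskLevels)
        if ($blocks -and ($risk -contains 'low')) {
            $findings.Add("Policy '$($p.DisplayName)': blocks on 'low' risk; expect false positives")
        }
    }
    return $findings
}

# Constructed sample data shaped like the SDK objects (not real tenant output)
$sampleLocations = @(
    [pscustomobject]@{ DisplayName = 'Corporate HQ'; IpRanges = @([pscustomobject]@{ CidrAddress = '203.0.113.0/24' }) },
    [pscustomobject]@{ DisplayName = 'Branch';       IpRanges = @([pscustomobject]@{ CidrAddress = '198.51.100/24' }) }   # typo
)
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName = 'Block risky sign-ins everywhere'; State = 'enabled'
        Conditions = [pscustomobject]@{
            Users            = [pscustomobject]@{ ExcludeUsers = @(); ExcludeGroups = @() }
            Locations        = [pscustomobject]@{ IncludeLocations = @('All'); ExcludeLocations = @() }
            SignInRiskLevels = @('low', 'medium', 'high'); UserRiskLevels = @()
        }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('block') }
    },
    [pscustomobject]@{
        DisplayName = 'Block high sign-in risk outside trusted locations'; State = 'enabled'
        Conditions = [pscustomobject]@{
            Users            = [pscustomobject]@{ ExcludeUsers = @(); ExcludeGroups = @('00000000-0000-0000-0000-000000000000') }
            Locations        = [pscustomobject]@{ IncludeLocations = @('All'); ExcludeLocations = @('AllTrusted') }
            SignInRiskLevels = @('high'); UserRiskLevels = @()
        }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('block') }
    }
)

# Expected: three findings for 'Branch' and the first policy, none for the second
Find-CaPolicyIssues -Policies $samplePolicies -NamedLocations $sampleLocations

# Live tenant (after Connect-MgGraph -Scopes "Policy.Read.All"):
# Find-CaPolicyIssues -Policies (Get-MgIdentityConditionalAccessPolicy) -NamedLocations (Get-MgIdentityConditionalAccessNamedLocation)
```

Run this against exported policy objects in a pipeline before a change is approved; the checks are deliberately conservative and report, rather than fix, so that a human decides whether an exclusion or a Low threshold is intentional.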
Supporting methods that enhance compliance and enforcement of Conditional Access policies
While the first four methods in the previous section deal with directly enforcing or configuring policies, the three methods in this section are supplementary. These do not enforce risk-based or geolocation-based policies, but assist in ensuring compliance and correct enforcement.
Prepare endpoints to satisfy MFA requirements with Local Group Policy Editor
Group Policy can prepare endpoints to meet CA grant controls, especially in hybrid environments. Windows Hello for Business is the useful lever here: provisioning it requires MFA, and a Windows Hello for Business sign-in satisfies the “Require multifactor authentication” control without a separate prompt.
- Open Local Group Policy Editor (gpedit.msc).
- Go to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
- Enable the following:
- Use Windows Hello for Business
- Use biometrics
- Local Group Policy only affects the machine you edit. To roll the same settings out to an OU of devices, put them in a domain GPO linked to that OU, or deploy them through Intune for cloud-managed devices, and pair them with Conditional Access policies that require MFA or a compliant device.
Check device compliance prerequisites using Registry Editor
Registry Editor can be used as a supplementary method to inspect the policy state that MDM has pushed to a device, which is what the Intune compliance checks for encryption, firewall and antivirus depend on.
⚠️ Warning: Modifying the registry can cause system issues. Create a backup before proceeding.
- Open Registry Editor.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceCompliance.
- Check the following values:
- RequireEncryption (DWORD): 1
- FirewallEnabled (DWORD): 1
- AntivirusEnabled (DWORD): 1
Note that writing these values locally does not, by itself, make the device compliant. The compliance state that Conditional Access evaluates is computed by Intune from the compliance policy assigned to the device and reported by the MDM client, and values under PolicyManager are re-applied on the next MDM sync. Use the registry to verify what has been pushed, and fix compliance by fixing the underlying setting (turn on BitLocker, the firewall, or Microsoft Defender) or the Intune policy itself.
Verify access context via Command Prompt
Command Prompt can be used to get further context on location or compliance. To do this, open Command Prompt as an administrator and run the following commands:
- To list the local adapter addresses (private IPs, which are not what Entra ID sees): ipconfig
- To resolve the public IP that Entra ID evaluates against named locations: nslookup myip.opendns.com resolver1.opendns.com
- To validate the device's join state (AzureAdJoined, DomainJoined, DeviceId): dsregcmd /status
Compare the results with the Location and Device info tabs of the relevant sign-in log entry to explain why a conditional access policy did or did not apply.
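An added example (not the article's own) that gathers the same context from PowerShell for both supplementary sections above: it parses dsregcmd /status output, tests whether a public IP falls inside a named-location CIDR, and reads the encryption, firewall and antivirus state that an Intune compliance policy typically checks, from the operating system rather than from registry mirrors. dsregcmd.exe and the BitLocker, NetSecurity and Defender modules ship with Windows 10/11; the sample dsregcmd lines, the public IP and the 203.0.113.0/24 CIDR are constructed placeholders.

```powershell
# Added example, not from the original article. Sample dsregcmd lines, the public IP
# and the CIDR are constructed; Get-LocalComplianceSignals needs Windows modules.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Key : Value" rows; keep the ones that explain join state
    $wanted = 'AzureAdJoined', 'DomainJoined', 'EnterpriseJoined', 'DeviceId', 'TenantName'
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and ($wanted -contains $Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    # IPv4 only: compare the network bits of both addresses under the prefix mask
    $net, $bits = $Cidr.Split('/')
    $toInt = {
        param($addr)
        [long]$n = 0
        foreach ($b in [System.Net.IPAddress]::Parse($addr).GetAddressBytes()) { $n = ($n -shl 8) -bor $b }
        $n
    }
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return (((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask))
}

function Get-LocalComplianceSignals {
    # Live OS state is what an Intune compliance policy evaluates; registry values
    # under PolicyManager only mirror what MDM pushed and are not a substitute
    [pscustomobject]@{
        OsDriveEncrypted    = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
        FirewallAllProfiles = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
        DefenderRealTime    = (Get-MpComputerStatus).RealTimeProtectionEnabled
    }
}

# Constructed sample of dsregcmd output (the live command is: dsregcmd /status)
$sampleDsreg = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '                  DeviceId : 00000000-0000-0000-0000-000000000000'
)
$join = ConvertFrom-DsregStatus -Lines $sampleDsreg
# Live: $join = ConvertFrom-DsregStatus -Lines (dsregcmd /status)

# Public IP as Entra ID sees it (same lookup as the nslookup command above; needs network):
# $publicIp = (Resolve-DnsName -Name myip.opendns.com -Server resolver1.opendns.com -Type A).IPAddress
$publicIp = '203.0.113.77'                                      # constructed
$inHq = Test-IpInCidr -Ip $publicIp -Cidr '203.0.113.0/24'      # $true: inside "Corporate HQ"
$inBranch = Test-IpInCidr -Ip $publicIp -Cidr '198.51.100.0/24' # $false

[pscustomobject]@{
    AzureAdJoined = $join['AzureAdJoined']
    DomainJoined  = $join['DomainJoined']
    PublicIp      = $publicIp
    InTrustedHq   = $inHq
    InBranch      = $inBranch
}
# Get-LocalComplianceSignals   # run on the endpoint itself
```

The point of the CIDR test is to reproduce the decision Entra ID makes: if the public IP is outside every trusted range, a policy that excludes "All trusted locations" will apply, whatever ipconfig shows for the local adapter.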
Best practices when enforcing conditional access policies in Microsoft Entra ID
Here are some additional best practices to make conditional access policy enforcement more efficient and effective:
Use Report-only mode
Create every new policy in Report-only mode and read the Report-only tab of the sign-in logs for a few days: it shows which sign-ins the policy would have blocked or challenged, without affecting users. Switch the policy to On only once those results match your intent. Periodically review existing policies as well, since named locations, group memberships and application lists drift.
Policy scoping
Exclude known-good sources such as corporate egress IPs (as trusted named locations) and service accounts that cannot satisfy MFA. Keep exclusions as narrow as possible and documented, because every exclusion is a path around the control. Marking the right IPs as “Trusted” is part of policy scoping.
Have “break glass” accounts
Break glass (emergency access) accounts are cloud-only administrator accounts excluded from every conditional access policy, so that a misconfigured or misfiring policy cannot lock all administrators out. Because they bypass CA, protect them with strong, phishing-resistant credentials stored securely offline, and alert on every sign-in to them.
NinjaOne services that improve Azure location-based and risk-based conditional access workflows
NinjaOne can enhance conditional access workflows without adding policy complexity through its services. These services include:
| NinjaOne service | What does it do? | How does it help the conditional access workflow? |
| Real-time alerts | Notify admins of sign-in attempts from untrusted locations or with elevated risk. | Real-time alerts enable IT administrators to respond quickly, especially in cases of conditional access violations and other suspicious activities. |
| Device state monitoring | Flag devices that fall out of compliance required for CA policies | IT administrators can easily track and ensure device compliance while maintaining organizational security through policies requiring a “compliant device” for access. |
| Automated remediation | Run scripts to bring devices into compliance (e.g., enable BitLocker or firewall). | Automated remediation minimizes the need for manual effort by bringing devices into CA compliance automatically. |
| Custom reporting | Allows administrators to export relevant information, such as CA event data, audit trails, and geolocation information. | IT administrators can access clear, comprehensive, and relevant data on Conditional Access activity to support their auditing and policy refinement processes. |
| Registry and policy deployment | Push CA-supportive configurations via registry or GPO to client devices | Prepares devices to meet CA prerequisites such as MFA, encryption, or firewall via automated configuration |
Strengthen your security posture with location and risk-based Conditional Access policies
Conditional access policies provide granular control over how and when users access organizational data based on risk and location. This step-by-step guide covers methods that use Microsoft Entra Admin Center, PowerShell, and supplementary methods using Group Policy Editor, Registry Editor, and Command Prompt for a comprehensive overview of the CA policy creation and enforcement process.