Named Locations

Define trusted IP ranges and countries for use in Conditional Access policies. Named locations help you create location-based access rules to protect your organization while allowing access from known safe locations.

Named Locations List

Column | Description
Name | Display name for the location
Type | IP ranges or Countries/regions
Trusted | Whether marked as trusted location
IP Ranges / Countries | Number of IP ranges or countries defined
Used In Policies | Number of CA policies using this location
Created | When location was defined

Location Types

IP Ranges Location

Define specific IPv4 or IPv6 CIDR ranges. Use for corporate office IPs, VPN egress points, or known partner networks.

Example IP Ranges:

  • 203.0.113.0/24 (Class C network)
  • 198.51.100.50/32 (Single IP)
  • 2001:db8::/32 (IPv6 range)

Countries/Regions Location

Define a location by country or region using a geo-IP database. Useful for blocking access from countries where you have no business presence.

  • Select specific countries
  • Include unknown countries/regions
  • Determine location by IP address (GPS is not used)

Creating a Named Location

  • Name — Descriptive name like “Corporate Headquarters”, “Remote VPN”, or “Blocked Countries”.
  • IP Ranges (for IP location) — Enter ranges in CIDR notation. Multiple ranges can be added to one location. Both IPv4 and IPv6 are supported.
  • Countries (for country location) — Select from the list of countries and regions. Geo-IP determines user location.
  • Mark as Trusted — Trusted locations can be used in CA policies to reduce MFA prompts or allow certain actions only from trusted IPs.

Trusted vs. Untrusted

Trusted Location

Mark corporate offices, VPNs, and known safe networks as trusted. Can be used in CA policies to skip MFA or allow risky operations.

  • Skip MFA from trusted locations
  • Allow legacy auth from trusted IPs
  • Reduce Identity Protection risk score

Untrusted Location

Default for all locations. Use for blocking or restricting access. Partner networks or semi-trusted IPs should remain untrusted.

  • Always require MFA
  • Block sensitive operations
  • Enhanced monitoring

Common Use Cases

Skip MFA from Office

Define corporate office IPs as trusted. Create a CA policy to require MFA except when signing in from trusted locations.

CA Policy: Require MFA -> Exclude: Trusted locations

Block High-Risk Countries

Create a country location with the countries you don’t operate in. Block all access from these locations.

CA Policy: Block access -> Include: “Blocked Countries” location

Restrict Admin Access

Allow admin portal access only from the corporate network and VPN. Admins must connect to a trusted network for privileged operations.

CA Policy: Target admins -> Block except: “Admin Network” location

Partner Access

Define partner company IP ranges. Allow B2B guest access only from partner networks for enhanced security.

Best Practices

  • Use specific IP ranges over countries — IP ranges are more precise. Country geo-IP can be inaccurate or spoofed via VPN.
  • Include VPN egress IPs — If users connect via VPN, include the VPN servers' public IPs in the trusted location.
  • Be cautious with “trusted” — Only mark truly controlled networks as trusted. Compromised trusted locations weaken your security posture.
  • Review regularly — IP ranges change. Review named locations quarterly and update them when office IPs or VPN infrastructure change.
  • Don’t skip MFA entirely — Even from trusted locations, consider requiring MFA for sensitive apps or admin operations.

Limitations

  • Maximum 195 named locations per tenant
  • Maximum 2000 IP ranges per IP-based location
  • IPv6 requires /64 or larger CIDR blocks
  • Geo-IP accuracy varies (city-level can be unreliable)
  • VPNs and proxies can mask true location
  • Location determined at sign-in, not during session

Graph API Endpoints

  • GET /identity/conditionalAccess/namedLocations
  • POST /identity/conditionalAccess/namedLocations
  • PATCH /identity/conditionalAccess/namedLocations/{id}
  • DELETE /identity/conditionalAccess/namedLocations/{id}
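
A pre-flight check for an IP-based location, written for this page as an added example (it is not the product's own code): it applies the limits listed above and the "be cautious with trusted" advice, then builds the body for POST /identity/conditionalAccess/namedLocations. Assumptions: the function names, the /16 breadth threshold, and reading "/64 or larger" as a prefix length of 64 or shorter.

```python
import ipaddress

MAX_RANGES = 2000            # per-location limit listed on this page
MIN_TRUSTED_V4_PREFIX = 16   # assumption: a trusted IPv4 block wider than /16 needs review

def lint_ranges(cidrs, trusted):
    """Return (parsed networks, findings) for one IP-based named location."""
    nets, findings = [], []
    if len(cidrs) > MAX_RANGES:
        findings.append(f"{len(cidrs)} ranges exceed the limit of {MAX_RANGES}")
    for raw in cidrs:
        try:
            net = ipaddress.ip_network(raw, strict=True)  # rejects host bits, e.g. 203.0.113.7/24
        except ValueError as exc:
            findings.append(f"{raw}: not a valid CIDR block ({exc})")
            continue
        # Assumed reading of "/64 or larger": prefix length 64 or shorter,
        # which is consistent with the page's own 2001:db8::/32 example.
        if net.version == 6 and net.prefixlen > 64:
            findings.append(f"{raw}: IPv6 block is smaller than /64")
        if trusted and net.version == 4 and net.prefixlen < MIN_TRUSTED_V4_PREFIX:
            findings.append(f"{raw}: very broad range marked as trusted")
        for seen in nets:
            if seen.version == net.version and seen.overlaps(net):
                findings.append(f"{raw}: overlaps {seen}")
        nets.append(net)
    return nets, findings

def build_request(name, cidrs, trusted=False):
    """Build the JSON body for POST /identity/conditionalAccess/namedLocations."""
    nets, findings = lint_ranges(cidrs, trusted)
    if findings:
        raise ValueError("; ".join(findings))
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,
        "ipRanges": [{"@odata.type": f"#microsoft.graph.iPv{n.version}CidrRange",
                      "cidrAddress": str(n)} for n in nets],
    }

if __name__ == "__main__":
    # Constructed input: the page's three example ranges plus three deliberately bad ones.
    good = ["203.0.113.0/24", "198.51.100.50/32", "2001:db8::/32"]
    bad = ["203.0.113.7/24", "2001:db8:1::1/128", "10.0.0.0/8"]
    print(build_request("Corporate Headquarters", good, trusted=True))
    for finding in lint_ranges(good + bad, trusted=True)[1]:
        print("FINDING:", finding)
```

Run the same lint over the output of GET /identity/conditionalAccess/namedLocations during the quarterly review to catch ranges that have drifted.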

API Reference

  • GET /api/security/named-locations — List all named locations
  • POST /api/security/named-locations — Create named location
  • PUT /api/security/named-locations/:id — Update named location
  • DELETE /api/security/named-locations/:id — Delete named location
  • GET /api/security/named-locations/:id/usage — Get CA policies using this location