Description:

Ensure trusted locations are defined in Microsoft Entra ID Conditional Access policies to identify known and secure network locations, such as corporate public IP ranges. Trusted locations enable Conditional Access to distinguish between trusted and untrusted sign-in attempts, improving access control decisions and strengthening identity protection.


Rationale:

Without defined trusted locations, Conditional Access policies cannot reliably distinguish between trusted and untrusted sign-in sources, increasing the risk of unauthorized access and credential-based attacks. Defining trusted locations improves risk evaluation, strengthens access control decisions, and supports a Zero Trust security posture.


Impact:

Defining trusted locations improves the accuracy of risk-based Conditional Access decisions, reduces the risk of unauthorized access from unknown networks, enables effective enforcement of trusted versus untrusted access policies, strengthens Zero Trust and identity governance strategies, and supports compliance requirements related to identity security.


Default Value:

By default, Microsoft Entra ID does not have any trusted locations configured.


Pre-Requisites:

  • Documented corporate public IP address ranges

  • Microsoft Entra ID P1 or P2 license for Conditional Access


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Under the Manage section, open Named locations

  5. Verify that at least one trusted location is defined with corporate public IP address ranges

  6. If trusted locations are not defined, follow the implementation steps
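Step 5 of the Test Plan can also be checked programmatically from the Microsoft Graph named-locations response. The following Python audit is an added example, not part of this benchmark; the response and the corporate ranges are constructed samples in the documented shape of `GET /identity/conditionalAccess/namedLocations`, and it additionally flags a trusted location whose range is a catch-all, which the manual steps would not surface.

```python
import ipaddress

# Constructed sample in the shape returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations
SAMPLE_RESPONSE = {"value": [
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Corporate HQ egress",
     "isTrusted": True, "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                                     "cidrAddress": "203.0.113.0/24"}]},
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Branch office",
     "isTrusted": False, "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                                      "cidrAddress": "198.51.100.0/24"}]},  # not marked trusted
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Catch-all (bad)",
     "isTrusted": True, "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                                     "cidrAddress": "0.0.0.0/0"}]},
    {"@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": "Allowed countries",
     "countriesAndRegions": ["US"]},
]}

# Documented corporate public ranges (constructed; RFC 5737 documentation space)
CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]


def audit_trusted_locations(response, corporate_ranges):
    """Return (trusted IP location names, corporate ranges not covered by any
    trusted location, trusted ranges that are catch-alls)."""
    trusted = [loc for loc in response.get("value", [])
               if loc.get("@odata.type") == "#microsoft.graph.ipNamedLocation"
               and loc.get("isTrusted") is True]   # country locations carry no ipRanges
    trusted_nets = [ipaddress.ip_network(r["cidrAddress"], strict=False)
                    for loc in trusted for r in loc.get("ipRanges", [])]
    # 0.0.0.0/0 or ::/0 would make every sign-in look trusted: report it, never credit it.
    catch_all = [str(t) for t in trusted_nets if t.prefixlen == 0]
    usable = [t for t in trusted_nets if t.prefixlen > 0]
    uncovered = []
    for cidr in corporate_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in usable):
            uncovered.append(cidr)
    return [loc["displayName"] for loc in trusted], uncovered, catch_all


if __name__ == "__main__":
    names, uncovered, catch_all = audit_trusted_locations(SAMPLE_RESPONSE, CORPORATE_RANGES)
    print("Trusted IP locations:", names)
    print("Corporate ranges with no trusted location:", uncovered)
    print("Catch-all ranges marked trusted:", catch_all)
```

Any entry in the second or third list is a finding against this control; an empty second list with an empty third list is a pass.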


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Under the Manage section, open Named locations

  5. Select New location

  6. Enter a name for the trusted location

  7. Select the IP ranges location

  8. Add the corporate public IP address ranges

  9. Mark the location as trusted

  10. Save the configuration

Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Under the Manage section, open Named locations

  5. Select the trusted location created or modified

  6. Delete the trusted location or remove the added IP address ranges

  7. Save the changes

Reference: