Description:

Trusted locations in Azure Active Directory (AAD) are specific geographical locations or IP ranges that are considered secure and reliable for accessing organization resources. These trusted locations can be used in Conditional Access Policies to allow or block access based on the user's location, enhancing security by enforcing access restrictions on sign-ins from untrusted locations or unknown networks.

Rationale:

Defining trusted locations helps enforce access policies that allow or block access depending on whether the user is attempting to sign in from a trusted, known, or secure location. For example, an organization may want to allow employees to access resources only from corporate offices or specific regions, while blocking access from other locations or countries. This feature enhances security by reducing the likelihood of unauthorized access from suspicious or risky locations.

Impact:

Configuring trusted locations helps control and limit access to sensitive resources, ensuring that only approved locations can access certain applications or services. However, incorrectly configured locations can block legitimate users who are working from new or remote locations. It is important to regularly review the list of trusted locations and ensure it is accurate and up to date.

Default Value:

By default, trusted locations are not defined in Azure Active Directory. You need to manually configure the trusted locations based on your organization's needs.

Pre-requisites:

  • Azure Active Directory (AAD) subscription.

  • Global Administrator or Conditional Access Administrator role permissions.

  • Users and devices must be MFA-enabled if you plan to enforce policies based on trusted locations.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator.

  2. Navigate to Azure Active Directory > Security > Conditional Access.

  3. Review the existing Conditional Access Policies and verify that trusted locations are defined under the Locations condition.
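The audit above is done by eye in the portal. The following added example (not part of the benchmark text) performs the same review offline over the JSON that Microsoft Graph returns for named locations (GET /identity/conditionalAccess/namedLocations) and policies (GET /identity/conditionalAccess/policies): it lists trusted IP ranges that cannot match a real sign-in (private or default-route ranges), policies that reference named locations that no longer exist, location policies left in report-only or disabled state, and a tenant that has no enforced location condition at all. The sample records, location IDs and policy IDs are constructed for the example, not taken from a real tenant.

```python
"""Offline audit of Azure AD named locations and Conditional Access location conditions.

Added example, not benchmark code. Input is the "value" array of the two Graph responses;
the records below are constructed samples.
"""
import ipaddress

IP_LOCATION = "#microsoft.graph.ipNamedLocation"
COUNTRY_LOCATION = "#microsoft.graph.countryNamedLocation"
# Built-in location identifiers accepted by the Graph policy schema.
BUILTIN_LOCATIONS = {"All", "AllTrusted"}
# Ranges Azure AD will never see as a sign-in source address (it evaluates the public egress IP).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample data in the shape Graph returns.
SAMPLE_NAMED_LOCATIONS = [
    {"@odata.type": IP_LOCATION, "id": "loc-1", "displayName": "Corporate Office", "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}]},
    {"@odata.type": IP_LOCATION, "id": "loc-2", "displayName": "Lab (misconfigured)", "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "10.0.0.0/8"},
                  {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "0.0.0.0/0"}]},
    {"@odata.type": COUNTRY_LOCATION, "id": "loc-3", "displayName": "Operating countries",
     "countriesAndRegions": ["US", "CA"], "includeUnknownCountriesAndRegions": False},
]
SAMPLE_POLICIES = [
    {"id": "pol-1", "displayName": "Block outside trusted locations", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "pol-2", "displayName": "Report-only geo block", "state": "enabledForReportingButNotEnforced",
     "conditions": {"locations": {"includeLocations": ["loc-3", "loc-deleted"], "excludeLocations": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "pol-3", "displayName": "Require MFA everywhere", "state": "enabled",
     "conditions": {"locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def audit_named_locations(locations):
    """Findings (location id, message) for trusted IP locations whose ranges are not usable."""
    findings = []
    for loc in locations:
        if loc.get("@odata.type") != IP_LOCATION or not loc.get("isTrusted"):
            continue  # country locations and untrusted IP locations carry no "trusted" weight
        for rng in loc.get("ipRanges", []):
            net = ipaddress.ip_network(rng["cidrAddress"], strict=False)
            broad = net.prefixlen < 8 if net.version == 4 else net.prefixlen < 32
            if any(net.version == p.version and net.subnet_of(p) for p in NON_ROUTABLE):
                findings.append((loc["id"], f"private range {net} marked trusted"))
            elif broad:
                findings.append((loc["id"], f"overly broad range {net} marked trusted"))
    return findings


def audit_policies(policies, locations):
    """Findings (policy id, message) for how policies use, or fail to use, location conditions."""
    known_ids = {loc["id"] for loc in locations} | BUILTIN_LOCATIONS
    findings = []
    enforced = 0
    for pol in policies:
        cond = (pol.get("conditions") or {}).get("locations")
        if not cond:
            continue  # policy does not depend on location
        referenced = set(cond.get("includeLocations", [])) | set(cond.get("excludeLocations", []))
        for loc_id in sorted(referenced - known_ids):
            findings.append((pol["id"], f"references unknown named location {loc_id}"))
        if pol.get("state") == "enabled":
            enforced += 1
        else:
            findings.append((pol["id"], f"location policy not enforced (state={pol.get('state')})"))
    if enforced == 0:
        findings.append(("tenant", "no enabled policy uses a location condition"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit_named_locations(SAMPLE_NAMED_LOCATIONS) + audit_policies(SAMPLE_POLICIES, SAMPLE_NAMED_LOCATIONS):
        print(f"{scope}: {msg}")
```

To run it against a real tenant, replace the two sample lists with the `value` arrays of the corresponding Graph GET responses; the checks themselves do not change. A private range marked trusted is worth calling out because it never matches a sign-in, so a policy that excludes "AllTrusted" quietly stops exempting the office it was meant to cover.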

Implementation Steps (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator privileges.

  2. Navigate to Conditional Access Policies:

    • In the Azure portal, go to Azure Active Directory > Security > Conditional Access.

  3. Define Trusted Locations:

    • Under Conditional Access, select Named Locations.

    • Click on + New Location to define a new trusted location.

  4. Configure Trusted Locations:

    • Choose IP Range or Country/Region to define trusted locations.

      • IP Range: Define a specific set of IP addresses or address ranges that are considered trusted. This is useful for allowing access from known office networks or VPNs.

      • Country/Region: Select countries or regions where access is allowed, such as trusted office locations or countries where your organization operates.

    • Provide a descriptive name for the location (e.g., "Corporate Office", "Main Office VPN").

  5. Apply Trusted Locations to Conditional Access Policies:

    • After defining the trusted location, navigate to Conditional Access > Policies.

    • Choose the policy you want to apply the trusted location to (e.g., allow or block access based on location).

    • Under the Conditions section, select Locations and configure the policy to include your newly defined trusted locations.

  6. Save and Test:

    • Save the policy and test by logging in from a device or IP address located within the trusted location. Ensure that access is allowed according to the policy.

    • Test by logging in from a non-trusted location to verify that access is blocked or restricted.

  7. Monitor and Review:

    • Regularly review the named locations to ensure they are up-to-date with the current security requirements and organizational needs.

    • Use the sign-in logs to monitor sign-ins that were allowed or denied by location-based policies.
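Steps 3 to 6 above can also be scripted against Microsoft Graph, which is useful when the same named locations and policy have to be created in several tenants. The following added example (not code from the benchmark or from Microsoft) builds the request bodies for an IP-range named location, a country/region named location, and a Conditional Access policy that blocks sign-ins from everywhere except trusted locations, then posts them with a bearer token. The JSON shapes and endpoint paths follow the Graph v1.0 conditionalAccess API; the display names, CIDRs, country codes and the break-glass group ID are constructed placeholders, and the token is assumed to be supplied in the GRAPH_TOKEN environment variable with the Policy.ReadWrite.ConditionalAccess (and Policy.Read.All) permission. The policy defaults to report-only state so that step 6 ("Save and Test") can be done from the sign-in logs before anything is enforced.

```python
"""Build and submit Graph request bodies for the named-location and policy steps.

Added example, not benchmark code. Names, ranges, country codes and group IDs are placeholders.
"""
import ipaddress
import json
import os
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_ip_named_location(name, cidrs, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations (IP-range location).

    strict=True rejects ranges with host bits set, so a typo such as 203.0.113.5/24 fails
    here instead of being silently normalised by the portal."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} covers the whole address space and cannot be a trusted range")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": trusted, "ipRanges": ranges}


def build_country_named_location(name, countries, include_unknown=False):
    """Body for a country/region named location; codes are ISO 3166-1 alpha-2."""
    codes = [c.upper() for c in countries]
    bad = [c for c in codes if not re.fullmatch(r"[A-Z]{2}", c)]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2 codes: {bad}")
    return {"@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": name,
            "countriesAndRegions": codes, "includeUnknownCountriesAndRegions": include_unknown}


def build_block_outside_trusted_policy(name, exclude_group_ids=(),
                                       state="enabledForReportingButNotEnforced",
                                       trusted_location_ids=("AllTrusted",)):
    """Body for POST /identity/conditionalAccess/policies: block every sign-in whose source
    is not one of the trusted locations. Excluding a break-glass group keeps a lockout
    recoverable if the trusted ranges turn out to be wrong."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
                           "applications": {"includeApplications": ["All"]},
                           "locations": {"includeLocations": ["All"],
                                         "excludeLocations": list(trusted_location_ids)}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


def graph_post(path, body, token=None):
    """POST a body to Graph and return the created object (assumes GRAPH_TOKEN holds a bearer token)."""
    token = token or os.environ["GRAPH_TOKEN"]
    req = urllib.request.Request(f"{GRAPH}{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    office = build_ip_named_location("Corporate Office", ["203.0.113.0/24", "2001:db8::/32"])
    geo = build_country_named_location("Operating countries", ["us", "ca"])
    policy = build_block_outside_trusted_policy("Block sign-in outside trusted locations",
                                                exclude_group_ids=["<break-glass-group-id>"])
    for body in (office, geo, policy):
        print(json.dumps(body, indent=2))
    if os.environ.get("GRAPH_TOKEN"):  # only submit when a token is actually available
        graph_post("/identity/conditionalAccess/namedLocations", office)
        graph_post("/identity/conditionalAccess/namedLocations", geo)
        graph_post("/identity/conditionalAccess/policies", policy)
```

Switch `state` to "enabled" only after the report-only sign-in log entries show the expected allow/block outcome for both a trusted and an untrusted source, which is the test described in step 6.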

Backout Plan (Manual):

  1. Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator.

  2. Navigate to Conditional Access Policies:

    • Go to Azure Active Directory > Security > Conditional Access.

  3. Remove or Modify Trusted Locations:

    • Under Named Locations, find the trusted location you want to remove or modify.

    • Open the location and either select Delete or edit its IP ranges or countries/regions.

  4. Test Reverted Access:

    • After modifying or removing the trusted location, test access to confirm that the change has taken effect and that users are allowed or denied access according to the updated location settings.

  5. Review Conditional Access Policies:

    • Ensure that the changes are reflected in the relevant Conditional Access Policies and that users' access is correctly managed according to the new configuration.

References: