Azure AD and Named Locations

I am at the beginning of implementing Azure AD Premium in an environment and got hung up on the simple task of configuring Named Location for Conditional Access. Now, this was a minor nuisance at best, but thought I would outline what happened as the Microsoft documentation is a bit misleading.

As a background for those of you unfamiliar, Named Location is a feature of Azure AD Premium that lets you define know locations in your AD tenant. This is used for with Identity Protection and login risk assessments. It can also be part of Conditional Access. For example, don’t force MFA when a user logs in from a Named Location. More information can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-named-locations

I had a significant number of subnets to add so I began the search for a PowerShell command to automate the process. None found, so I opted for the copy and paste method. Less of a chance for me to transpose numbers with this way anyhow.

Microsoft Class C Named LocationAs I began I noticed something interesting on the link referenced above. The IP address in the example is a non-routable Class C 192.168.1.1 address. This is counter intuitive as Azure AD should only see the routable public IP, but the documentation doesn’t specify public or internal subnet. Also, this private subnet could be used on any network, making conditional access unpredictable.

Turns out this is just a poor choice of an example in the documentation. As reported in the link below from WinIT Pro, you need to enter the public NAT IP or subnet in the CIDR format.
http://windowsitpro.com/azure/ip-ranges-azure-ad-premium-conditional-access

Adding a single IP would look like this:
8.8.4.4/32

Adding a subnet will look like this:
8.8.8.0/24

As I mentioned, I did not find a PowerShell command for this. There is an upload function in the portal however. If you have a lot of address spaces to add, you can create a text file with one subnet or IP per line and upload it instead of adding IP’s one at a time. If we were adding the text above for example, the context of the text file would look like this:
8.8.4.4/32
8.8.8.0/24

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.