🛡️ Microsoft Entra ID Named Locations are not defined🟢⚪
- Contextual name: 🛡️ Named Locations are not defined🟢⚪
- ID:
/ce/ca/azure/microsoft-entra-id/named-locations - Tags:
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Description
Description
Microsoft Entra ID Conditional Access allows an organization to configure
Named locationsand configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.Rationale
Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Microsoft Entra ID from untrusted locations or untrusted source IP addresses/ranges.
Impact
When configuring
Named locations, the organization can create locations using Geographical location data or by defining source IP addresses or ranges. ConfiguringNamed locationsusing a Country location does not provide the organization the ability to mark those locations as trusted, and any Conditional Access policy relying on thoseCountries locationsetting will not be able to use theAll trusted locationssetting within the Conditional Access policy. They instead will have to rely on theSelect locationssetting. This may add additional resource requirements when configuring, and will require thorough organizational testing.... see more
Remediation
Remediation
From Azure Portal
- In the Azure Portal, navigate to
Microsoft Entra ID.- Under
Manage, clickSecurity.- Under
Protect, clickConditional Access.- Under
Manage, clickNamed locations.- Within the
Named locationsblade, click onIP ranges location.- Enter a name for this location setting in the
Nametext box.- Click on the
+sign.- Add an IP Address Range in CIDR notation inside the text box that appears.
- Click on the
Addbutton.- Repeat steps 7 through 9 for each IP Range that needs to be added.
- If the information entered are trusted ranges, select the
Mark as trusted locationcheck box.- Once finished, click on
Create.From PowerShell
Create a new trusted IP-based Named location policy:
[System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.IpRange]]$ipRanges = @() $ipRanges.Add("<first IP range in CIDR notation>") $ipRanges.Add("<second IP range in CIDR notation>") $ipRanges.Add("<third IP range in CIDR notation>") New-MgIdentityConditionalAccessNamedLocation -dataType "#microsoft.graph.ipNamedLocation" -DisplayName "<name of IP Named location policy>" -IsTrusted $true -IpRanges $ipRanges
... [see more](remediation.md)
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v2.1.0 → 💼 1.2.1 Ensure Trusted Locations Are Defined - Level 1 (Manual) | 1 | no data | |||
| 💼 CIS Azure v3.0.0 → 💼 2.2.1 Ensure Trusted Locations Are Defined (Manual) | 1 | no data | |||
| 💼 CIS Azure v4.0.0 → 💼 6.2.1 Ensure that 'trusted locations' are defined (Manual) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 General Access Controls | 11 | no data |