Complete Setup: Allow Sign-In Only from Approved Locations with Microsoft 365 Conditional Access
- Hanna Korotka
- Jun 12
- 2 min read

Why “Allow Sign-In Only from Approved Locations” matters
If your staff work exclusively in the U.S. and Canada, there’s little reason to let accounts be used from São Paulo or Shanghai. A simple location-based Conditional Access (CA) policy lets you whitelist your “home turf” and silently block every other IP. No firewalls, no VPNs—pure Microsoft cloud controls that small and mid-size businesses can deploy in minutes.
Prerequisites
A Microsoft Entra ID P1 license.
Role: Security Administrator or Conditional Access Administrator.
A short list of countries where sign-ins should be allowed.
1 – Define your “approved locations”
Sign in to the Entra admin center.
Go to Identity > Protection > Conditional Access > Named locations.
Select + Countries location.
Name it Approved Countries.
Tick each country or region you want to allow (for example, United States and Canada).
Save.
Tip: If you need granular control down to office IPs, create an IP ranges location instead of a country list.
2 – Create the Conditional Access policy
In Conditional Access > Policies click + New policy.
Name: Enforce Approved-Location Sign-In.
Assignments > Users: Include > All users → Exclude > break-glass/admin accounts.
Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps').
Under Network, set Configure to Yes.
Under Include, select Any network or location.
Under Exclude, select Selected networks and locations.
Select the allowed location you created for your organization, Approved Countries.
Click Select.
Under Access controls, select Block access, then click Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to create the policy.
This design blocks every location except the one you explicitly excluded—your approved list.
3 – Validate before you enforce
To see exactly how Conditional Access behaved for any sign-in, open the event itself in the Entra sign-in logs — the Conditional Access tab of each entry shows which policies were enabled, which were only in report-only mode, and whether each policy was applied or not applied.
If everything looks correct after a full business day, edit the policy and switch Enable policy from Report-only to On.
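The same three steps scripted with Microsoft Graph PowerShell, as an added example rather than the post's own instructions; it assumes the Microsoft.Graph module is installed, and the break-glass object ID below is a placeholder you must replace.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: replace with the object IDs of your break-glass/admin accounts.
$BreakGlassIds = @("00000000-0000-0000-0000-000000000000")

# Step 1: the "Approved Countries" named location (ISO 3166-1 alpha-2 codes).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Approved Countries"
    countriesAndRegions               = @("US", "CA")
    # Keep IPs with no resolvable country out of the approved list, so they fall
    # under "Any network or location" and are blocked like every other location.
    includeUnknownCountriesAndRegions = $false
}

# Step 2: include all users and resources, exclude break-glass accounts and the
# approved location, block everything else, and start in report-only mode.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Enforce Approved-Location Sign-In"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $BreakGlassIds }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Step 3: after a full business day of reviewing report-only results in the
# sign-in logs, enforce the policy by switching its state to "enabled".
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{
    state = "enabled"
}
```

Run the Step 3 cmdlet only after the report-only review; until then the policy records what it would have blocked without blocking anyone.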
Result
With one named location and one rule you now allow sign-in only from approved locations, cutting off unsolicited traffic worldwide and giving auditors a clear geo-access control.
How PlexHosted can help
As a Microsoft-certified MSSP, PlexHosted turns this quick win into a full Zero-Trust rollout—policy design, user comms, continuous monitoring, and monthly Secure Score reviews. Book a 30-minute call to see how fast we can lock down your tenant.