
Complete Setup: Allow Sign-In Only from Approved Locations with Microsoft 365 Conditional Access

  • Hanna Korotka
  • Jun 12
  • 2 min read

Why “Allow Sign-In Only from Approved Locations” matters


If your staff work exclusively in the U.S. and Canada, there’s little reason to let accounts be used from São Paulo or Shanghai. A simple location-based Conditional Access (CA) policy lets you whitelist your “home turf” and silently block every other IP. No firewalls, no VPNs—pure Microsoft cloud controls that small and mid-size businesses can deploy in minutes.


Prerequisites


  • A Microsoft Entra ID P1 license.

  • Role: Security Administrator or Conditional Access Administrator.

  • A short list of countries where sign-ins should be allowed.


1 – Define your “approved locations”


  1. Sign in to the Entra admin center.

  2. Go to Identity > Protection > Conditional Access > Named locations.

  3. Select + Countries location.

  4. Name it Approved Countries.

  5. Tick each country or region you want to allow (for example, United States and Canada).

  6. Save.


Tip: If you need granular control down to office IPs, create an IP ranges location instead of a country list.


2 – Create the Conditional Access policy


  1. In Conditional Access > Policies click + New policy.

  2. Name: Enforce Approved-Location Sign-In.

  3. Assignments > Users: Include > All users → Exclude > break-glass/admin accounts.

  4. Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps').

  5. Under Network:

    1. Set Configure to Yes.

    2. Under Include, select Any network or location.

    3. Under Exclude, select Selected networks and locations.

      1. Select the allowed location you created for your organization - 'Approved Countries'.

      2. Click Select.

  6. Under Access controls > select Block Access, and click Select.

  7. Confirm your settings and set Enable policy to Report-only.

  8. Select Create to save the policy in report-only mode.


This design blocks every location except the one you explicitly excluded—your approved list.
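The same two steps, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the signed-in account holds one of the roles listed under Prerequisites, and that the break-glass object ID placeholder is replaced with your own.

```powershell
# Added example (not from the original post): create the named location and
# the report-only block policy through Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin
# holds Security Administrator or Conditional Access Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object IDs of the break-glass / admin accounts to exclude.
$breakGlassIds = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")

# Step 1 - named location listing the approved countries (ISO 3166-1 alpha-2).
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Approved Countries"
    countriesAndRegions               = @("US", "CA")
    includeUnknownCountriesAndRegions = $false   # IPs that cannot be geolocated are NOT treated as approved
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2 - policy: all users and all resources, any location EXCEPT the approved
# list, grant control = block. Created in report-only mode, so nothing is enforced yet.
$policyBody = @{
    displayName = "Enforce Approved-Location Sign-In"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" only after validation
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Sanity check: a policy that blocks "All" locations without a break-glass exclusion
# or without report-only state can lock the tenant out, so refuse to continue silently.
$created = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($created.State -ne "enabledForReportingButNotEnforced" -or
    -not $created.Conditions.Users.ExcludeUsers) {
    throw "Policy '$($created.DisplayName)' lacks report-only state or a break-glass exclusion."
}
"Created '$($created.DisplayName)' (state: $($created.State)), excluding location '$($location.DisplayName)'."
```

Re-run the script's final check (or the portal's policy summary) before switching the state to enabled; the exclusion list is the only thing standing between a misconfigured country list and a locked-out tenant.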


3 – Validate before you enforce


To see exactly how Conditional Access behaved for any sign-in, open that sign-in event in the Entra sign-in logs — each entry shows which policies were enabled, which were only in report-only mode, and whether each policy was applied or not applied.


If everything looks correct after a full business day, edit the policy and switch Enable policy from Report-only to On.


Result


With one named location and one rule you now allow sign-in only from approved locations, cutting off unsolicited traffic worldwide and giving auditors a clear geo-access control.


How PlexHosted can help


As a Microsoft-certified MSSP, PlexHosted turns this quick win into a full Zero-Trust rollout—policy design, user comms, continuous monitoring, and monthly Secure Score reviews. Book a 30-minute call to see how fast we can lock down your tenant.

