In this post I will cover how to restrict access to the Azure Portal from external networks using a Conditional Access policy. When we say restricting access from an external network, we are talking about location, i.e. an IP address range. If the organization has Active Directory installed, it already has Active Directory Sites and Services with all AD sites specified. Each AD site (which can be thought of as a location) has a list of IP subnets defined. Based on our requirement we can create Named Locations through the Conditional Access settings, specify the IP address subnets under them, and mark them as trusted locations.

How to block access to Azure Portal from outside Location / IP address

We will have to configure a couple of settings related to Conditional Access. Before that we need to understand which IP addresses and locations we want to allow. Let’s pick an example: we have Australia under Active Directory Sites and Services on your on-premises Domain Controller.

The screenshot below shows AD Site name as AUS including 3 subnets:

102.215.100.0/24
192.168.1.0/25
192.168.2.128/25


We are now going to create a named location with the name Australia and add the 3 IP subnets mentioned above under it.

Log in to the Azure Portal and navigate to Azure AD > Conditional Access. Click on Named locations. Alternatively, this can also be accessed through Microsoft Endpoint Manager Admin Center > Home > Devices > Conditional Access.

Under Named locations, we have multiple options:

  • Countries location
  • IP ranges location
  • Configure MFA trusted IPs

Click on IP ranges location to open the New location (IP ranges) blade, provide the name Australia, and click on the Plus (+) icon to enter a new IPv4 or IPv6 range. You must use CIDR notation. You can use the following link to check which IP address range a given CIDR block covers.

Provide 102.215.100.0/24 and click on Add.


Note: You can add a single IP address by using /32 as the subnet mask. For example, 192.168.1.50/32 adds exactly that one IP address, nothing less, nothing more.

Repeat the process to add all the IP ranges. Once done, check the box Mark as trusted location and click on Create.


We are done creating the Named location Australia with all the IP ranges specified.


Create Conditional Access policy to restrict access from external location

The purpose of this Conditional Access policy is to block access to Microsoft Azure Management from all locations, excluding All trusted locations, which we created earlier.

Under Conditional Access, click on Policies > New policy and select Create new policy.


Provide the name as “Restrict access to Azure portal external network”. Under Assignments, click on Include to specify All users.

Click on Exclude and specify at least one user or group so that you do not lock yourself out.


Click on Cloud apps or actions, choose Select apps and pick Microsoft Azure Management from the list of cloud apps. By selecting Microsoft Azure Management, we are including multiple services such as:

  • Azure portal
  • Azure Resource Manager provider
  • Classic deployment model APIs
  • Azure PowerShell
  • Azure CLI
  • Visual Studio subscriptions administrator portal
  • Azure DevOps
  • Azure Data Factory portal

Click on Conditions; under Device platforms set Configure to Yes and select Any device, which includes all device platforms such as Android, iOS, Windows Phone, Windows and macOS.


Under Locations, include “Any location”, as we want to block access from all locations.


However, we want to allow access from trusted locations, so click on Exclude and select All trusted locations.


Under Access controls, click on Grant and select Block access.


Verify all the information we have specified. Under Enable policy, click On. By default Report-only is selected, which is actually a very good option to start with: the Conditional Access policy will not be enforced, but it will generate a report showing whether the policy would have been applied, with success or failure, had it been enabled.

I am confident about the settings I have made, and I have also excluded one specific user (my break glass account) to which the policy will not apply.


This will also give you the option, with the message “Don’t lock yourself out”, to Exclude current user from this policy. Going with this option will also exclude the current user from this Conditional Access policy. I will be proceeding with the 2nd option as I have 1 account already added. Click on Create.
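To sanity-check the ranges and the policy logic before switching it from Report-only to On, the following added example (not from the original post) builds the Australia named location from the three subnets above in the shape of a Microsoft Graph ipNamedLocation (the Graph field names are an assumption to confirm against the Graph reference) and mirrors the policy's evaluation locally: any location included, all trusted locations excluded, block unless the user is in the exclusion list. The user names and test IPs are constructed.

```python
import ipaddress

# Trusted subnets of the AUS site from the post; a /32 entry covers exactly one host.
AUSTRALIA_RANGES = ["102.215.100.0/24", "192.168.1.0/25", "192.168.2.128/25"]


def named_location(name, cidrs, trusted=True):
    """Build a named location as a dict mirroring the Graph ipNamedLocation
    shape (assumed field names). strict=True rejects CIDR entries with host
    bits set, e.g. 192.168.1.50/24, which the portal would also refuse."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": trusted, "ipRanges": ranges}


def ip_in_location(ip, location):
    """True if the sign-in IP falls inside any range of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"])
               for r in location["ipRanges"])


def evaluate(user, ip, locations, excluded_users):
    """Mirror the policy from the post: all users included except the
    break-glass exclusions; Any location included, All trusted locations
    excluded; grant control is Block access."""
    if user in excluded_users:
        return "allow (user excluded from policy)"
    if any(ip_in_location(ip, loc) for loc in locations if loc["isTrusted"]):
        return "allow (trusted location)"
    return "block"


if __name__ == "__main__":
    aus = named_location("Australia", AUSTRALIA_RANGES)
    # constructed sign-ins: office IP, off-subnet IP, break-glass from anywhere
    for user, ip in [("alice", "102.215.100.77"), ("alice", "192.168.1.200"),
                     ("breakglass", "8.8.8.8")]:
        print(user, ip, "->", evaluate(user, ip, [aus], ["breakglass"]))
```

The second constructed sign-in is blocked because 192.168.1.0/25 only covers 192.168.1.0 to 192.168.1.127, the kind of mistake Report-only mode would surface before enforcement.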

Check the following link for more information: Verify Conditional Access policies using report-only mode.

Verify the CA Policy

To verify the Conditional Access policy, log in to the Azure portal from any IP address that we have not specified in the named location. When trying to log in, we see the following error:

You cannot access this right now
Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your domain.

In this case, it is the location restriction that is preventing us from logging in to the Azure Portal.

For troubleshooting Conditional Access issues, to see whether policies are applying or not, navigate to Conditional Access > Monitoring > Sign-in logs.