Like my previous blogpost on Conditional Access are this a setting not in Intune – but directly a AzureAD feature (Preview)

Now we just have to get around that Conditional Access is not only a question about compliance on the device – but the conditional can also be based on location.

This is pretty cool if you need to block all access to O365 based on location or just require MFA when your outside your company.


To configure this you need to go into the AzureAD portal

Go into your AzureAD directory -> Applications

AzureAD 01

Find the Office 365 application

AzureAD 02

Go into configure

AzureAD 03

Set the “Enable Access rules” to on

AzureAD 04

Apply it to all users or a specific group (I have a Except group also – so that it not conflict with my Conditional Access in my Intune)

Select “Block Access when not at work”

AzureAD 05b

In the “Click here to define/edit your network location” you will be taken to your Azure MFA setting page

Network Location 01

If you have not configured your “Skip multi-factor authentication…” then you have to put in your outside IP range for the company.

Network Location 02

How does this look likes for a user perspective in a webbrowser when trying to access

ems3 user bloked 01

Just login as normal – and you get access to your application list – start the mail.

ems3 user bloked 02

Then you get blocked if your not accessing O365 from the IP scope you have defined in the MFA settings.

ems3 user bloked 03

I you click “More details” you can see a list of information – and one of them is what IP address your come from.

ems3 user bloked 03a


Remember this is a feature in preview – but you can start testing 🙂