Geo-Locking Access: Securing Microsoft 365 Logins by Region and IP

Restrict users from signing in to their Microsoft 365 (M365) accounts from any location by implementing a Conditional Access policy in which administrators approve trusted countries or IP ranges, so that logins can only occur from those specific locations or IP addresses.

Nowadays, remote work and working from home are becoming standard policies for companies to reduce work pressure and promote a healthy work-life balance. However, accessing a company’s confidential data from anywhere can pose a potential threat to data security. To mitigate this risk, it is both effective and secure to restrict data access or logins to specific regions or IP addresses—something that can be achieved using Conditional Access policies offered by Microsoft.

In this article, we will walk you through the step-by-step process of configuring these policies and enforcing region/IP-based access restrictions in Microsoft 365 via the Microsoft Entra Admin Center, ensuring that only trusted locations can access your company’s data.

Why should we restrict access by location or IP?

By default, any user can access their Microsoft 365 (M365) account from any device, at any time, and from anywhere. While this is flexible for users, it also increases security risk. Configuring this policy helps reduce the chances of unauthorized access or cyberattacks.

Additionally, enforcing this policy enables the company to uphold its internal security standards and prevent users from misusing the work-from-home or hybrid structure—while simultaneously protecting accounts from potential cyber threats.

PREREQUISITES:

  1. Microsoft Entra ID P1 or P2 license
  2. Admin access to Entra admin centre

CONFIGURATIONS:

[A] Before configuring the policy, we first have to define the named locations (IP addresses or countries)

To do that, follow these steps.

  • Create a named location:

(a) IP address: You can specify the IP addresses that you want to allow sign-in from

  • Select “+IP ranges location”---provide a name and enter the IP address---then select “Create”

(b) Countries location: You can also specify the country that you want to allow sign-in from

  • Select “countries location”---provide a name and select the country---then select “Create”

[B] Now, let's create the policy based on the location:

Again from the Entra admin centre, navigate to Entra ID---Conditional Access---Policies---“+New Policy”

  • Set a policy name: For example, “Restrict Sign in outside India”
  • Users: You can either add specific users and groups in the Include section or select all users in the organisation. If you want to exempt any ID (for example an owner, director or manager), add that ID under the Exclude section, which means that the rule will not apply to those IDs.
  • Target Resources: Include all cloud apps of M365
  • Network: Add the secured location in the “Exclude” section, which means that sign-in is blocked from everywhere in the world except the locations listed in the Exclude section.
  • Access Control: Under Grant---select Block Access
  • Create: Select Create once done and your policy is ready to go!

Tips:

  • Start the policy in report-only mode first; once that is done, switch it to On for the entire organization
  • It is better to exclude the global admin ID so that, if any issue occurs with the policies, the concerned person can still log in and change or update the policy accordingly
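
The portal steps in [A] and [B], together with the two tips above, can also be expressed with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article; the admin object ID, the 203.0.113.0/24 range and the named-location display names are placeholder assumptions to replace with your own values.

```powershell
# Added example. Requires the Microsoft.Graph module and a role allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders (assumptions, not values from the article)
$excludedAdminId = '00000000-0000-0000-0000-000000000000'  # object ID of the admin account to exclude
$allowedCidr     = '203.0.113.0/24'                        # documentation range; use your real egress range

# [A](a) IP ranges named location
$ipLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Allowed IP range'
    isTrusted     = $false   # the article does not mark the range as trusted
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $allowedCidr }
    )
}

# [A](b) Countries named location (ISO 3166-1 alpha-2 codes)
$countryLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed country - India'
    countriesAndRegions               = @('IN')
    includeUnknownCountriesAndRegions = $false
}

# [B] Block every location except the excluded named locations, starting in report-only mode
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Restrict Sign in outside India'
    state       = 'enabledForReportingButNotEnforced'   # report-only, per the first tip
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($excludedAdminId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($ipLocation.Id, $countryLocation.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$policy | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```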

Conclusion:

Restricting access to Microsoft 365 (M365) accounts is an efficient and strategic step toward Zero Trust security. It reduces the risk of attacks and ensures that sign-ins occur only from known and trusted locations.

This approach is not just about limiting flexibility—it also enhances control and visibility over where and how your data is being accessed.



