
Conditional Access and Named Locations in Microsoft Entra ID – A Technical Deep Dive Lab (EID-EXP-010)

28 March 2026 by Jaspreet Singh

Introduction

Microsoft Entra ID Conditional Access serves as the primary enforcement layer for identity security in modern cloud environments.

A common configuration pattern across organisations includes:

  • Require MFA for external access
  • Exclude trusted Named Locations (corporate networks)

This approach assumes that network location is a reliable trust signal.

In hybrid identity environments, this assumption has significant security implications.

This article provides a technical analysis of how Conditional Access evaluates Named Locations through controlled lab testing.

Conditional Access Evaluation Process

Conditional Access policies are assessed after primary authentication and consider several key signals:

  • User identity
  • Application accessed
  • Device state
  • Location, based on IP address
  • Risk signals, if enabled (Conditional Access in Microsoft Entra ID, 2026)

Simplified Evaluation Flow

User Login → Entra Authentication → Signal Evaluation → Conditional Access → Grant / Block

When Named Locations are configured, the location derived from the sign-in's source IP address plays a significant role in the policy decision.

Named Locations: Overview and Functionality

Named Locations are defined using:

  • Public IP ranges
  • Countries/regions

When designated as “trusted,” these locations serve as an implicit trust signal during policy evaluation. (Conditional access policy location condition - Microsoft Entra ID, 2024)

Key Behavior

If an IP address belongs to a trusted location, apply relaxed controls, such as not requiring multi-factor authentication.

Otherwise, apply stricter controls, such as requiring multi-factor authentication.

(Multi-Factor Authentication Conditional Access Service Overview, 2024)

Lab Configuration (Hybrid Identity)

The lab was configured as follows:

  • Active Directory (on-prem)
  • Azure AD Connect (Password Hash Sync)
  • Microsoft Entra ID tenant
  • Conditional Access policy:

    • Require MFA
    • Exclude Trusted Named Location

No additional controls were configured:

  • No device compliance
  • No risk-based policies

This configuration isolates location as the primary variable.

Observed Results

Scenario 1 – Trusted Location Authentication

  • The source IP matched a trusted named location.
  • Conditional Access evaluation:

    • Location was identified as trusted.
    • The MFA requirement was skipped.

As a result, authentication succeeded without MFA.

Scenario 2 – External Authentication

  • The source IP did not match a trusted named location.
  • Conditional Access evaluation:

    • Location was identified as untrusted.
    • The MFA requirement was enforced.

As a result, an MFA challenge was triggered.

Sign-In Logs Analysis

Entra sign-in logs record, for each sign-in, the signals that were evaluated and the Conditional Access outcome.

Key fields:

  • IPAddress
  • Location
  • Conditional Access Status
  • Authentication Requirement (Conditional Access and Microsoft Entra activity logs - Microsoft Entra ID | Microsoft Learn, 2024)

Example Observation

Trusted Location Login:

Authentication Requirement = Single Factor

External Login:

Authentication Requirement = Multi-Factor Authentication

This confirms that location directly affects authentication strength.
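The review a practitioner would run over these log fields, as an added example that is not part of the article's lab: given the trusted Named Location range, sort sign-ins into MFA-enforced, single-factor explained by the trusted-location exclusion, and single-factor with no policy applied at all. The CIDR range, user names and log records are constructed; field names follow the Entra sign-in log schema.

```python
import ipaddress
import json

# Trusted Named Location range for the lab tenant (constructed; the article gives no addresses).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in records carrying the fields the article lists: IPAddress,
# Location, Conditional Access Status and Authentication Requirement.
SIGNIN_LOGS = """
{"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.25", "location": "GB", "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7", "location": "GB", "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication"}
{"userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.40", "location": "DE", "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"}
""".strip()


def is_trusted(ip: str) -> bool:
    """True when the source IP falls inside a trusted Named Location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def audit_single_factor(log_text: str) -> dict:
    """Sort sign-ins into three buckets: MFA enforced, single factor explained by
    the trusted-location exclusion, and single factor with no policy applied
    (the coverage gap a reviewer should chase first)."""
    report = {"mfa_enforced": [], "trusted_location_exclusion": [], "uncovered": []}
    for line in log_text.splitlines():
        rec = json.loads(line)
        upn = rec["userPrincipalName"]
        if rec["authenticationRequirement"] == "multiFactorAuthentication":
            report["mfa_enforced"].append(upn)
        elif is_trusted(rec["ipAddress"]):
            # Scenario 1: weaker authentication granted because of the Named Location exclusion.
            report["trusted_location_exclusion"].append(upn)
        else:
            # Single factor from an untrusted IP: no policy covered this sign-in.
            report["uncovered"].append(upn)
    return report


if __name__ == "__main__":
    for bucket, users in audit_single_factor(SIGNIN_LOGS).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```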

Security Implications

1. Location Is Not a Strong Security Boundary

Named Locations rely on a single signal: the public IP address of the sign-in.

They do not validate the following:

  • Device posture
  • User behavior
  • Network integrity (Conditional Access Policy: Using Network Signals - Microsoft Entra ID, 2025)

2. Trust Is Implicit, Not Verified

When a location is designated as trusted, Conditional Access assumes legitimacy.

There is no verification of the following:

  • Whether the network is compromised
  • Whether traffic is proxied
  • Whether the user is legitimate (Conditional Access Policy: Using Network Signals - Microsoft Entra ID, 2025)

3. Authentication Strength Becomes Location-Dependent

This results in inconsistent enforcement:

  • Inside the network → weaker authentication
  • Outside the network → stronger authentication

4. VPN and Cloud Infrastructure Risks

Attackers can:

  • Use VPN endpoints
  • Leverage cloud-hosted infrastructure
  • Appear from trusted IP ranges

This can result in potential MFA bypass scenarios. (Conditional Access Policy: Using Network Signals - Microsoft Entra ID, 2025)

Common Misconfigurations

Misconfiguration 1

Excluding trusted locations from MFA requirements entirely.

Misconfiguration 2

Relying solely on location for access decisions.

Misconfiguration 3

Not combining location with device compliance or risk signals.

Recommended Architecture (Zero Trust Alignment)

Instead of relying on network-based trust, organizations should:

1. Enforce MFA Universally

Require MFA for all users and all locations.

2. Add Device-Based Controls

Require the use of compliant devices.
Require hybrid-joined devices where applicable.

3. Use Risk-Based Conditional Access

If sign-in risk is detected, require MFA.
If user risk is detected, block access or require a password reset.

4. Integrate authentication monitoring with the following:

  • Microsoft Sentinel
  • Entra Identity Protection
  • Defender for Identity
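To make the lab's Key Behavior and the recommended policy concrete, here is an added example (not code from the article or from Microsoft) that models the location condition the way the Graph conditionalAccessPolicy object expresses it and evaluates the lab policy beside a hardened one for the two observed scenarios. The trusted range and the two test IPs are constructed; the evaluator is a simplified model of the real engine.

```python
import ipaddress

# Trusted Named Location for the lab (constructed range; the article names no addresses).
TRUSTED_LOCATIONS = {"Corp-HQ": [ipaddress.ip_network("203.0.113.0/24")]}

# Policies shaped after the conditions/grantControls of a Graph conditionalAccessPolicy.
WEAK_POLICY = {  # the lab policy: MFA everywhere except trusted Named Locations
    "conditions": {"locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
HARDENED_POLICY = {  # recommended: no location exclusion; MFA and a compliant device
    "conditions": {"locations": {"includeLocations": ["All"], "excludeLocations": []}},
    # operator "AND" is how Graph states that every listed control must be satisfied
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}


def in_trusted_location(ip: str) -> bool:
    """True when the source IP falls inside any trusted Named Location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for nets in TRUSTED_LOCATIONS.values() for net in nets)


def location_condition_applies(policy: dict, ip: str) -> bool:
    """'All' includes every sign-in; an 'AllTrusted' exclusion drops those whose
    source IP sits in a trusted Named Location, so the policy is not applied."""
    loc = policy["conditions"]["locations"]
    included = "All" in loc["includeLocations"]
    excluded = "AllTrusted" in loc["excludeLocations"] and in_trusted_location(ip)
    return included and not excluded


def required_controls(policy: dict, ip: str) -> list:
    """Grant controls the sign-in must satisfy; an empty list means single factor suffices."""
    if not location_condition_applies(policy, ip):
        return []
    return list(policy["grantControls"]["builtInControls"])


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        # Scenario 1 (trusted source IP) and Scenario 2 (external source IP)
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(f"{name:8} {ip:15} -> {required_controls(policy, ip) or 'single factor'}")
```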

When Named Locations Still Make Sense

Named Locations can still be used for:

  • Policy scoping, rather than establishing trust
  • Blocking high-risk countries
  • Conditional policy targeting

However, they should not be used as a primary security control.

Key Takeaway

Named Locations are a convenience feature and should not be considered a security boundary. (Conditional Access named locations in Microsoft Entra ID, 2026)

Conditional Access is significantly stronger when location is treated as one of many signals, rather than as a primary trust anchor.

Conclusion

This lab demonstrates that:

  • Conditional Access decisions can be heavily influenced by location.
  • Trusted locations can reduce authentication requirements.
  • Over-reliance on network trust introduces risk.

In modern identity security architectures, organizations should adopt a Zero Trust model in which no location is inherently trusted.


References

(2026). Conditional Access in Microsoft Entra ID. Microsoft Entra ID Documentation. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

(2025). Conditional Access Policy: Using Network Signals - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition

(2024). Conditional access policy location condition - Microsoft Entra ID. Hexnode. https://www.hexnode.com/mobile-device-management/help/blog/conditional-access-policy-location-condition/

(2024). Multi-Factor Authentication Conditional Access Service Overview. NHSmail Support. https://support.nhs.net/knowledge-base/mfa-ca-service-overview/

(2024). Conditional Access and Microsoft Entra activity logs - Microsoft Entra ID | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies

(2025). Conditional Access Policy: Using Network Signals - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

(2026). Conditional Access named locations in Microsoft Entra ID. Microsoft Entra ID Documentation. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-based-conditions
