Conditional Access Grant rule based on username and location only, no other limiters? Location for IPV6?

Brian Hoyt 91 Reputation points
2020-03-30T22:03:53.287+00:00

I am trying to set up a few simple rules. I work at a school and access is almost all US with a little bit of France. I started by making a block rule for all locations other than US and France. That seems to have worked great. However, I now have students in a few different countries during school closures. What I wanted to do is create grant rules for specific usernames and locations. It seems the only way to have a grant rule is to add other conditions like MFA. I just want a grant rule with no other limiters beyond username and location.

The other problem is it seems some users are coming in via IPV6 (maybe cell phones) with no location data and are getting blocked. How do I deal with that other than allowing unknown locations?

Microsoft Entra ID

2 answers

  1. soumi-MSFT 11,771 Reputation points Microsoft Employee
    2020-03-31T10:12:31.083+00:00

    @Brian Hoyt, unfortunately, just providing a grant is not possible; along with the grant you would have to select one of the options available, otherwise the CA policy would not work as expected.

    Secondly, there is no way to set conditions for IPV6 in CA policy as of now. You would have to go by location as a filter, using a named location.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


  2. Brian Hoyt 91 Reputation points
    2020-03-31T18:24:09.397+00:00

    Thanks for the answers, disappointing I will say. It seems that there should be a way to do grants for specific situations like users traveling without just unblocking the entire country. Is there another way to do what I am trying to do?

    The IPV6 issue is more concerning. I just have to let in all IPV6 traffic? So the hackers just have to use IPV6 and they can bypass CA totally? Many of my users are coming inbound via IPV6 on cell phones. This seems bad.

