Conditional access – block users from a specific corporate office location for accessing cloud apps.

Sometimes we need to set some conditions for which users that most gain access to certain areas of our IT services or cloud apps. In this test lab we will make a conditional access (CA) rule though Intune that provending a little group of users from our main office in Denmark to access Microsoft teams. The group of user are IT student with a Microsoft 365 E5 license.

Note: Conditional Access is an Azure Active Directory capability that is included with an Azure Active Directory Premium license (AAD P1 Licenses).

  • Start logging into the Intune portal -> https://devicemanagement.microsoft.com/
  • Click on Conditional acces and choose Name Locations.
  • Now give name location a NameDefine the location using Countries in our case (DK) and mark Include unknown areas as well then click Save.

Note: For general use of Intune you must have one of these licenses – See picture below:

IntuneIntuneLearn more
Enterprise Mobility + Security E3IntuneLearn more
Enterprise Mobility + Security E5IntuneLearn more
Microsoft 365 Education A1Intune for EducationLearn more
Microsoft 365 Education A3Intune for EducationLearn more
Microsoft 365 Education A5Intune for EducationLearn more
Microsoft 365 E3IntuneLearn more
Microsoft 365 E5IntuneLearn more
Microsoft 365 F1IntuneLearn more
Microsoft 365 BusinessIntuneLearn more

Note: To manage Intune for Cteate, modify or delete content the role of Conditional Access administrator or global administrator is needed.

  • Check the locaion just added under Conditional Acccess – Names locations.
  • Now Create a Terms of use (Optional) – Under Conditional Access click Terms of use and click New.
  • Fill out the requied feilds of the terms of use and click Create.

Note: It is overall a good idea is to create a terms of use. The end users will be well informed and needs to accept the terms before they can procced login. (Optional conditional setting under the Grant Access tab)

The terms of use will only apply to cloud apps where its has been marked under Grant access. Block access cannot have any controls marked . See picture below:


  • Now create the Conditional Access policy – Give it a Name then select which Users or groups this CA should be assigned to – Click Done. (See Next Picture point to create a Azure AD Secuirty Group if needed)
  • Logon to Azure portal – > https://portal.azure.com/ go Azure AD and then click Groups – Click New Group – Select Security group and apply needed information – Click Create.

Note: The security group is created with a dynamic query with job title equals to IT students, so all users with that title will automatically be member of this security group and therefore get the Conditional Access policy applied. Notice some dynamic rules can take up to 24 hours to sync.

Microsoft lets get a ability to trigger a dynamic group update on the fly please?.

  • Now define which cloud app this should consider – In this case Microsoft Teams is our choice for testing – Click Done.
  • Now select Conditions – Device platforms select Any device – Locations select the location just created earlier in this case Clouddeployment headoffice – Click Done.

Note: Its possible to create trusted locations based on IP addresses. A hole range of IPs can be added.

  • Select Clien apps (Preview) – Mark Browser, Mobile apps and desktop clients and Modern authentication clients – Click Done.

Note: Browser – Mobile apps and desktop clients and Modern authentication clients will be affected.

  • Go to Access controls – Mark Block access – Click Select.
  • Now Enable policy and click Create.

Note: Now this policy are enforced and hits the target group and user members.

  • Check to Conditional Access tab to see all enabled policies.
  • Now its not possible for the small group of IT studens to get access to Microsoft Teams from Browser or client apps.

Note: Sorry for the danish language its just saying that we cannot get access to the resource because of a CA policy.

  • Others users with grant access will get Terms of use (if marked)
  • This terms of use is coming from a custom made PDF document. Click Accept.

Happy deployment.

Leave a Reply

Your email address will not be published. Required fields are marked *