Systems Admin

Blocking Access from Specific IP Addresses Using Conditional Access in Microsoft Entra ID

7 min read Part of pathway: Microsoft Entra ID Security

Sometimes the right policy is just block — not “require MFA,” not “require compliant device,” but a hard no. Common scenarios: an IP range tied to a known-malicious VPN, a country you have no business in, a competitor’s office network. Conditional Access can take any IP range or geographic region you define and refuse all sign-ins from it — for one user, a group, or your whole tenant.

This guide blocks a single IP for a single test user (the safe way to learn the mechanics), then explains the Block always wins rule that surprises people the first time they read sign-in logs after multiple CA policies overlap.

Phase 1 — define the named location

You can’t reference an IP in a policy unless it’s a named location first. Named locations are reusable buckets — create one named location, reference it in many policies.

Entra Conditional Access Named locations page with the existing locations listed and the option to add a new location at the top
Phase 1: Protection > Conditional Access > Named locations. This is where you define IP ranges (and country/region buckets) that policies can target.

Entra admin centre > Protection > Conditional Access > Named locations (under Manage).

New IP ranges location dialog with name set to Blocked VPN IP and the public IP address being entered before clicking Create
+ IP ranges location. Name it (e.g. Blocked VPN IP), enter the public IP / CIDR, Create.

+ IP ranges location. Name it something self-documenting like Blocked VPN IP or Hostile_Range_Q2_2026. Click + and enter the public IP / CIDR you want to block. Create.

Notes:

  • Single IP: enter 203.0.113.7/32 — the /32 means “this exact IP, nothing else”
  • Range: 198.51.100.0/24 = 256 addresses (198.51.100.0 to 198.51.100.255)
  • Mark as trusted? No — that’s for IPs you trust (corporate offices), the opposite of what we’re doing here
  • For country/region blocks, choose Countries location instead and pick from the list

Phase 2 — build the block policy

Conditional Access dashboard > Policies > + Create new policy. Name it VPN Block (or whatever describes the intent).

Conditional Access policy Users blade Include tab with conaccess test user selected as the target for the block policy
Phase 2: new policy > Users > Include > Users and groups > pick the test user.

Users > Include > Users and groups > pick the test user (conaccess@…).

For production, target a group instead of a user — group membership is easier to audit and less brittle than baking individual users into policies.

Conditional Access policy Target resources blade with All cloud apps selected to ensure full tenant block coverage
Target resources > All cloud apps. Don’t scope to specific apps — if you’re blocking a hostile IP, slam the door on the entire tenant. Specific-app blocks leave a pivot path.

Target resources > All cloud apps.

Same reasoning as the MFA-for-admins policy — if you’re blocking a hostile IP, you want the door shut on every Microsoft surface, not just one or two apps. Specific-app blocks leave attacker pivot paths.

Conditional Access policy Conditions blade with Locations Configure toggled to Yes Include tab showing Selected locations and Blocked VPN IP chosen
Conditions > Locations > Configure: Yes > Include: Selected locations > pick the named location from Phase 1 > Select.

Conditions > Locations:

  • Configure: Yes
  • Include tab > Selected locations
  • Pick the named location from Phase 1 > Select

The Exclude tab lets you carve out exceptions (e.g. include “All trusted locations” but exclude one specific office). Not needed here.

Conditional Access policy bottom of the page with Grant set to Block access Enable policy on and Create button highlighted
Grant > Block access > Select. Session: leave blank (no session = nothing to control). Enable policy: On > Create.

Grant > Block access > Select. Session: leave blank (no session = nothing to control). Enable policy: On > Create.

Phase 3 — test the block

Route the test machine through the blocked IP — usually means connecting to a VPN endpoint that exits at that IP, or testing from a machine on that subnet. Confirm with https://api.ipify.org/ that your public IP is now the blocked one.

Sign-in page with the username and password being entered while the test machine is connected to the blocked VPN IP
Phase 3: route the test machine through the blocked IP (VPN to that endpoint). Open myaccount.microsoft.com, type the username and password.

Open an InPrivate / Incognito browser > myaccount.microsoft.com > type the username and password > Sign in.

Block screen showing You cannot access this right now Your sign-in was successful but does not meet the criteria to access this resource
The block fires immediately: “You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource.” Notice it says sign-in successful — the password was correct, but Conditional Access blocked the access grant.

Hit a wall: “You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource.”

Note the wording: sign-in was successful — the password was correct. The block happened at the access grant step, after authentication but before the user gets into anything. Important distinction for log analysis.

Phase 4 — read the sign-in logs (and the Block-always-wins surprise)

Sign-in logs page showing the failed login entry with Failure status from the conaccess user being blocked by the policy
Phase 4: Sign-in logs > locate the failed entry from the test user.

Monitoring & health > Sign-in logs > click the failed entry. Allow 2–5 min for ingest delay.

Sign-in log details Conditional Access tab showing the VPN Block policy with User Resource matched and Grant Block result
Conditional Access tab > VPN Block policy — User and Resource Matched, Grant Control = Block. Policy fired exactly as designed.

Conditional Access tab > click VPN Block. User and Resource Matched, Grant Control = Block. Policy worked exactly as designed.

Sign-in log details Conditional Access tab for the For security admin roles MFA policy showing Not Satisfied because Block already won the evaluation
Same sign-in > click the previous MFA-for-admin policy — it shows Not Satisfied. This is not a bug. The Golden Rule of CA is Block always wins — once the Block policy fired, Entra stopped evaluating, never asked for MFA, so the MFA requirement was technically not satisfied. Working as intended.

Now click your other CA policy (the MFA-for-admins one from Part 7). It shows Not Satisfied.

This is not a bug. It looks like a bug the first time you see it. It’s actually the Block always wins rule.

The Block-always-wins rule, explained

When a sign-in attempt arrives, Entra evaluates every CA policy that applies to the user / app / conditions. In our test:

  • Policy A (MFA for admin roles) applies — user is in Security Admin role — would require MFA
  • Policy B (VPN Block) applies — user is at the blocked IP — would block

The moment Entra sees any Block result, it stops evaluating, denies the sign-in, and writes the result. The MFA policy never got a chance to fire its prompt — so technically the MFA requirement was not satisfied. The log accurately reports both: Block fired (Block), MFA never asked (Not Satisfied). Working as intended.

Practical implication: don’t panic when you see “Not Satisfied” alongside “Block” in the same sign-in. It’s the system saying “I didn’t bother because the answer was already no.”

Things that bite people

Blocked yourself

You define a named location with your own office IP, you target your own admin account, you click Create — and now you can’t sign in to fix the policy. This is why break-glass exclusions matter for every CA policy that affects an admin account. Always exclude an emergency-access account that lives outside your normal admin group, with credentials stored offline. Test the break-glass account quarterly so you know it works.

IP blocked but user still gets in — check the IP path

The user’s “public IP” is whatever exits to the internet. If they’re behind a corporate proxy / NAT / VPN that exits at a different address than what you blocked, the policy won’t fire. Always confirm the actual seen IP using the Sign-in log → Basic Info tab (look at the IP address column).

Country block too aggressive

Country location buckets cover everyone routed through that country’s IPs — including legitimate travelers, mobile carriers that route through unexpected countries, and VPN exit nodes. Don’t country-block without an Exclude carve-out for “All trusted locations” or for specific user groups (e.g. exclude your sales team who travel internationally).

Forgot Conditions > Locations

Building a policy named “VPN Block” but forgetting to actually configure the Locations condition produces a policy that blocks the user from everywhere. Always sanity-check by reading the policy summary on the Conditional Access dashboard — under Conditions it should explicitly say “Locations: Selected locations / Blocked VPN IP”.

Block policy + Report-only mode

If the policy is set to Report-only, the block does NOT actually block — it just logs what would have happened. Useful for testing, dangerous if you forget to flip it to On for production.

What’s next

You now have MFA enforcement, IP blocking, and the audit visibility from Part 6. The next post in the Entra ID Security pathway moves into Privileged Identity Management (PIM) — how to make admin role assignments time-bound and approval-gated so that nobody walks around with permanent Global Admin.

Tags: #Conditional Access #Ip Blocking #Microsoft Entra ID #Named Locations #Security

Leave a Reply