Enhancing Security with Microsoft Entra Trusted Locations

Introduction

Trusted Locations in Microsoft Entra (formerly Azure AD) play a crucial role in securing identity and access management. By defining trusted IP ranges, organizations can reduce false positives in risk detection, streamline Conditional Access policies, and enable Continuous Access Evaluation (CAE). This article explores key configurations, commands, and best practices for implementing Trusted Locations effectively.

Learning Objectives

  • Understand the role of Trusted Locations in Microsoft Entra security.
  • Learn how to configure Trusted Locations via PowerShell and the Entra portal.
  • Explore advanced use cases, including risk detection accuracy and Conditional Access policies.

1. Configuring Trusted Locations in Microsoft Entra

PowerShell Command

$ipRange = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange; $ipRange.CidrAddress = "192.168.1.0/24"
New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.ipNamedLocation" -DisplayName "Corporate HQ IP Range" -IsTrusted $true -IpRanges $ipRange

Step-by-Step Guide

  1. Prerequisites: Ensure you have the `AzureAD` PowerShell module installed; the command above uses its `New-AzureADMSNamedLocationPolicy` cmdlet (the `Microsoft.Graph.Identity.SignIns` module provides the equivalent `New-MgIdentityConditionalAccessNamedLocation`).
  2. Run the Command: Replace `192.168.1.0/24` with your organization’s trusted IP range.
  3. Verify: Check the Entra portal under Security > Conditional Access > Named Locations to confirm the policy is active.

Why This Matters: Trusted Locations reduce unnecessary MFA prompts for secure IPs while maintaining security.

2. Leveraging Trusted Locations for Conditional Access

Entra Portal Configuration

  1. Navigate to Microsoft Entra Admin Center > Security > Conditional Access.
  2. Create a new policy and under Conditions > Locations, select Include > Trusted Locations.

Example Policy Logic

{
  "conditions": {
    "locations": {
      "includeLocations": ["AllTrusted"]
    }
  }
}

Impact: Users logging in from trusted IPs bypass MFA, while others face stricter controls.

3. Improving Entra ID Protection Accuracy

PowerShell Query for Risk Detection

$trustedCidrs = Get-MgIdentityConditionalAccessNamedLocation | Where-Object { $_.AdditionalProperties.isTrusted -eq $true } | ForEach-Object { $_.AdditionalProperties.ipRanges | ForEach-Object { $_.cidrAddress } }
Get-MgRiskDetection -Filter "riskLevel eq 'high'" | Where-Object { $_.IPAddress -notin $trustedCidrs } | Select-Object UserPrincipalName, IPAddress, RiskEventType, DetectedDateTime   # -notin is a literal string compare against CIDR strings, so subnet membership still needs a prefix test

Steps

  1. Use this command to identify high-risk logins outside trusted IPs.
  2. Tune risk policies to focus on untrusted locations.

Result: Fewer false positives and a smoother user experience.
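Step 1 above filters detections with a string compare, which cannot tell whether an address falls inside a CIDR range. Below is an added example (not from the original article or from Microsoft) that performs a real prefix match for IPv4 and IPv6 and applies it to a constructed set of risk detections; the comments show the Microsoft Graph cmdlets that would supply live input.

```powershell
# Added example (not from the original article): prefix-aware check of
# high-risk detections against trusted named-location CIDR ranges.
# Live input would come from Microsoft Graph PowerShell:
#   $trustedCidrs = Get-MgIdentityConditionalAccessNamedLocation |
#       Where-Object { $_.AdditionalProperties.isTrusted -eq $true } |
#       ForEach-Object { $_.AdditionalProperties.ipRanges | ForEach-Object { $_.cidrAddress } }
#   $detections = Get-MgRiskDetection -Filter "riskLevel eq 'high'"

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/', 2
    try {
        $ip  = [System.Net.IPAddress]::Parse($IPAddress)
        $net = [System.Net.IPAddress]::Parse($network)
    } catch { return $false }                                          # unparsable input never matches
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }   # IPv4 vs IPv6 cannot match
    $ipBytes = $ip.GetAddressBytes(); $netBytes = $net.GetAddressBytes()
    # A bare address with no prefix is treated as a host route (/32 or /128)
    $bits = if ($prefix) { [int]$prefix } else { $ipBytes.Length * 8 }
    # Compare one octet at a time until the prefix length is exhausted
    for ($i = 0; $i -lt $ipBytes.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

function Get-UntrustedRiskDetections {
    param([object[]]$Detections, [string[]]$TrustedCidrs)
    # Keep only detections whose source IP falls inside none of the trusted ranges
    $Detections | Where-Object {
        $ip = $_.IPAddress
        -not ($TrustedCidrs | Where-Object { Test-IPInCidr -IPAddress $ip -Cidr $_ })
    }
}

# Constructed sample data standing in for the live Graph output noted above
$trustedCidrs = @('192.168.1.0/24', '203.0.113.0/25', '2001:db8:10::/48')
$detections = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IPAddress = '192.168.1.77';     RiskEventType = 'unfamiliarFeatures' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IPAddress = '203.0.113.200';    RiskEventType = 'anonymizedIPAddress' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IPAddress = '2001:db8:10:5::9'; RiskEventType = 'maliciousIPAddress' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  IPAddress = '198.51.100.9';     RiskEventType = 'maliciousIPAddress' }
)
# Prints only the detections whose IP lies outside every trusted range
Get-UntrustedRiskDetections -Detections $detections -TrustedCidrs $trustedCidrs |
    Format-Table UserPrincipalName, IPAddress, RiskEventType
```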

4. Enabling Continuous Access Evaluation (CAE)

Prerequisite

Trusted Locations must be defined for CAE to function.

Verification Command

Get-AzureADPolicy | Where-Object { $_.Type -eq "ContinuousAccessEvaluationPolicy" } 

Key Point: CAE enforces real-time session revocation for risky logins but requires trusted IPs for optimal performance.

5. Auditing and Monitoring Trusted Locations

Log Analytics Query

SigninLogs
| where NetworkLocationDetails has "trustedNamedLocation"
| summarize Count = count() by UserPrincipalName, IPAddress

Use Case: Track trusted location logins for anomalies or policy violations.

What Undercode Says

  • Key Takeaway 1: Trusted Locations are not just for exclusions—they enhance risk detection and user experience.
  • Key Takeaway 2: Without Trusted Locations, organizations miss out on CAE and accurate Entra ID Protection.

Analysis: Misconfiguring Trusted Locations often leads to overuse in exclusions, weakening security. Instead, organizations should integrate them with Conditional Access and risk-based policies. As hybrid work grows, dynamic IP ranges and zero-trust adaptations will become critical.

Prediction

Future identity security will rely heavily on AI-driven location trust scoring, reducing reliance on static IPs. Microsoft Entra will likely integrate geofencing and behavioral analytics to refine Trusted Locations further. Organizations that adopt these advancements early will see fewer breaches and lower operational friction.

Reported By: Nathanmcnulty Entra – Hackers Feeds