O365 Admin

How to Configure Named Locations in Entra ID

Published 26 January 2026 · 6 min read

Named Locations in Entra ID let you define trusted IP ranges and countries that Conditional Access policies can use to require more or less authentication. Configuring named locations is a core part of any zero trust setup.

Contents

IP vs country locations
Create an IP-based named location
Create a country-based location
Use in Conditional Access

IP vs country locations

IP ranges - define trusted networks by CIDR ranges. Typically office static IPs and VPN egress IPs.
Countries - define locations by country. Useful for blocking sign-ins from countries you do not operate in.

Create an IP-based named location

Entra ID → Security → Conditional Access → Named locations → + IP ranges location

⚙️

IP named location settings

Name

Contoso HQ Office

IP rangesYour office egress IP - check with whatismyip.com from office network

203.0.113.0/24

Mark as trusted locationTrusted locations can bypass MFA in CA policies

Yes

⚠️

Get your actual egress IP

Your office IP is the public IP your traffic exits from - not your internal LAN IP. Visit whatismyip.com from the office network to find it.

Create a country-based location

Entra ID → Security → Conditional Access → Named locations → + Countries location

⚙️

Countries location settings

Name

Allowed Countries - UK and Europe

Countries

Select countries your staff work from

Include unknown countriesBlock sign-ins from IPs that cannot be mapped to a country

Use in Conditional Access

Named locations appear in CA policy conditions under Locations. Common patterns:

Require MFA outside trusted IPs - All apps, All users, Location = Not trusted locations, Grant = Require MFA
Block sign-ins from specific countries - All apps, All users, Location = selected country location, Block access

Frequently Asked Questions

Q: What is a named location in Entra ID?

A named location is a defined set of IP addresses or countries that Conditional Access policies can reference in their conditions.

Q: Can I use named locations to block a country?

Yes. Create a Countries named location with the countries you want to block, then create a CA policy targeting that location with Block access as the grant control.

Q: Do named locations work with legacy authentication?

Named locations apply to all authentication flows through Entra ID. However, blocking legacy authentication entirely via a separate CA policy is recommended regardless.

Related Guides

-> Conditional Access -> Block Legacy Auth -> Why MFA Matters

// need intune set up properly?

Fixed-price Intune setup for UK businesses

App deployment, compliance policies, Conditional Access, and full documentation at a fixed price.

View Packages

How to Configure Named Locations in Entra ID

IP vs country locations

Create an IP-based named location

Create a country-based location

Use in Conditional Access

Frequently Asked Questions

Get M365 tips in your inbox