
Named Locations & Device Conditions

25 mins

Understanding the Concept

Named locations define trusted or known network locations by IP ranges or by countries/regions. Conditional Access policies can use them to vary requirements based on where users sign in from; for example, skipping MFA when the user is on the corporate network.

Device conditions allow policies to require managed or compliant devices. A compliant device meets the organization's security standards (encryption, antivirus, OS version) as enforced by Intune. Entra hybrid joined devices bridge on-premises management with cloud policies.

Combining location and device conditions creates powerful policies: require MFA AND a compliant device when accessing sensitive apps from outside the corporate network, while allowing seamless access from trusted locations on managed devices.

Key Points

  • IP-based named locations: Define by IP ranges (IPv4/IPv6)
  • Country-based locations: Block or allow by geographic region
  • Trusted locations: Mark network as trusted to reduce MFA friction
  • Device compliance: Require devices meet Intune compliance policies
  • Entra hybrid join: On-prem domain-joined devices registered in Entra ID

Location & Device Policy Logic

Step 1: Define Locations. Create named locations with IP ranges or countries.

Step 2: Device Enrollment. Devices are enrolled in Intune or hybrid joined.

Step 3: Compliance Check. Intune evaluates the device against the compliance policy.

Step 4: CA Evaluation. The policy checks location + device state to make the access decision.
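The combined policy described above (MFA AND a compliant device off the corporate network, seamless access from a trusted location on a managed device) and the four-step flow, as an added Python model that is not part of this course or of Microsoft's own implementation. The IP ranges, country codes and the "too broad" threshold are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NamedLocation:
    """IP-based (cidrs) or country-based (countries) named location."""
    name: str
    cidrs: list = field(default_factory=list)
    countries: set = field(default_factory=set)
    trusted: bool = False

    def matches(self, ip: str, country: str) -> bool:
        addr = ipaddress.ip_address(ip)
        in_range = any(addr in ipaddress.ip_network(c) for c in self.cidrs)
        return in_range or country in self.countries

@dataclass
class SignIn:
    ip: str
    country: str
    compliant: bool = False      # Intune compliance evaluation result (Step 3)
    hybrid_joined: bool = False  # Entra hybrid joined (on-prem domain joined)

def evaluate(signin: SignIn, trusted_locs: list, blocked_loc: NamedLocation) -> set:
    """Step 4: return the controls demanded; an empty set means seamless access."""
    if blocked_loc.matches(signin.ip, signin.country):
        return {"block"}  # country-based named location used as a block list
    from_trusted = any(loc.trusted and loc.matches(signin.ip, signin.country)
                       for loc in trusted_locs)
    managed = signin.compliant or signin.hybrid_joined
    if from_trusted and managed:
        return set()  # trusted network + managed device: no extra friction
    return {"mfa", "compliantDevice"}  # off-network or unmanaged: MFA AND compliance

def audit_trusted(loc: NamedLocation, max_hosts: int = 65536) -> list:
    """Flag trusted IPv4 ranges so large they likely include untrusted networks."""
    return [c for c in loc.cidrs  # 65536-host threshold is a constructed heuristic
            if loc.trusted and ipaddress.ip_network(c).num_addresses > max_hosts]

# Constructed sample data: documentation IP ranges and user-assigned country codes.
CORP = NamedLocation("Corp HQ", cidrs=["203.0.113.0/24"], trusted=True)
BLOCKED = NamedLocation("Blocked regions", countries={"ZZ"})

if __name__ == "__main__":
    for s in (SignIn("203.0.113.10", "AA", compliant=True),
              SignIn("198.51.100.7", "AA", compliant=True),
              SignIn("203.0.113.10", "ZZ", hybrid_joined=True)):
        print(s.ip, s.country, "->", evaluate(s, [CORP], BLOCKED) or "allow")
    print("broad trusted ranges:", audit_trusted(NamedLocation("Too broad", ["10.0.0.0/8"], trusted=True)))
```

The audit function corresponds to the first common mistake below: a trusted location covering a whole /8 silently extends the MFA exemption to every network inside it.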

Why This Matters in Real Organizations

Named locations and device conditions enable context-aware security. Without them, organizations must apply the same security level everywhere, leading to either excessive friction for trusted scenarios or insufficient security for risky ones. Context-aware policies optimize both security and user experience.

Common Mistakes to Avoid

  • Defining overly broad named locations that include untrusted networks
  • Not keeping named location IP ranges updated when networks change
  • Requiring compliant devices without having Intune compliance policies configured
  • Confusing Entra registered, Entra joined, and hybrid joined device states

Interview Tips

  • Explain the difference between named locations and trusted locations
  • Discuss Entra device join types: registered, joined, hybrid joined
  • Give examples of combined location + device policies

Exam Tips (SC-300)

  • Know the device join types and when to use each
  • Understand how named locations integrate with Conditional Access
  • Know that device compliance requires Microsoft Intune
