Management Summary
Named Locations define trusted network ranges and countries for geo-fencing in Conditional Access policies.
Conditional Access
Geo-based controls: (1) Trusted office IPs: skip additional MFA inside the office; (2) Blocked countries: block sign-ins from high-risk geolocations (Russia, China, North Korea for EU organisations); (3) Travel scenarios: detect unusual locations and require step-up authentication. Named Locations provide the context for risk-based decisions.
Connection: Connect-MgGraph
Required modules: Microsoft.Graph.Identity.SignIns
Implementation
Define: trusted locations (office IP ranges, VPN endpoints), allowed countries (EU plus countries with a business presence), blocked countries (high-risk). Use in CA: skip MFA from trusted locations (convenience), block entirely from blocked countries (security).
- Azure AD → Named locations → Create IP-based (office ranges) + Country-based (allow/block lists)
- CA policies: trusted locations mean reduced friction, blocked countries mean access denied
- Update when IPs change (office moves, VPN changes)
Requirements
- Azure AD Premium P1
- Static IP ranges for offices/VPN
- Business presence countries list
- Risk analysis per country
Implementation
Use the PowerShell script named-locations.ps1 (function Invoke-Remediation) → Named Locations configuration.
Monitoring
Use the PowerShell script named-locations.ps1 (function Invoke-Monitoring) → check.
- Sign-ins from blocked countries (should be zero)
- Sign-ins from unusual locations (travel alerts)
- Named location coverage (% of sign-ins from known locations)
Compliance and Auditing
- BIO 09.04 - Location-based access control and authentication
- ISO 27001 A.6.2.2 - Teleworking
- Data residency requirements
Remediation
Use the PowerShell script named-locations.ps1 (function Invoke-Remediation) → remediate.
Compliance & Frameworks
- BIO: 09.04.02 - Location-aware access control and authentication
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
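The following is an added illustration of what the two halves of the control look like in Microsoft Graph PowerShell; it is not the page's named-locations.ps1. It creates a trusted IP-based location and a blocked-country location, then counts successful sign-ins from the blocked countries over a look-back window. The office CIDR, display names, seven-day window and the use of Microsoft.Graph.Reports for sign-in logs are assumptions.

```powershell
# Added example (not the page's named-locations.ps1): create trusted office and blocked-country
# Named Locations and check recent sign-ins against the blocked list. The IP range, display
# names and look-back window are constructed placeholders; adjust them to your tenant.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All' -NoWelcome

$officeCidrs      = @('203.0.113.0/24')   # placeholder: replace with real office/VPN egress ranges
$blockedCountries = @('RU', 'CN', 'KP')   # ISO 3166-1 alpha-2 codes for the countries named above

# Trusted IP-based location: only ranges with isTrusted=$true may be used to skip MFA in CA.
$ipBody = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Trusted Office Networks'
    isTrusted     = $true
    ipRanges      = @($officeCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}
$ipLoc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $ipBody

# Country-based location for the block policy. Unknown countries are included so that
# sign-ins whose geolocation cannot be resolved are denied instead of silently allowed.
$countryBody = @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked High-Risk Countries'
    countriesAndRegions               = $blockedCountries
    includeUnknownCountriesAndRegions = $true
}
$countryLoc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $countryBody
Write-Host "Created named locations: $($ipLoc.Id), $($countryLoc.Id)"

# Monitoring: successful sign-ins from a blocked country should be zero once the CA block
# policy is enforced; a non-zero count means the policy is missing or scoped incorrectly.
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns    = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$violations = @($signIns | Where-Object {
    $_.Location.CountryOrRegion -in $blockedCountries -and $_.Status.ErrorCode -eq 0
})
if ($violations.Count -gt 0) {
    Write-Warning "$($violations.Count) successful sign-ins from blocked countries in the last 7 days"
    $violations | Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } | Format-Table -AutoSize
} else {
    Write-Host 'No successful sign-ins from blocked countries in the last 7 days.'
}
```

The named locations only take effect once they are referenced from a Conditional Access policy (trusted location as an MFA exclusion, blocked countries as a block condition), which the script above does not create.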
Risk without implementation
Management Summary
Named Locations design: trusted locations (office IPs, VPN ranges; MFA exemption optional), blocked countries (high-risk geolocations: Russia, China, North Korea), IP ranges (corporate networks), use in CA policies (geo-fencing, risk-based blocks). Required: Azure AD P1. Activation: Entra ID → Named locations → Define IPs/countries → Assign to CA. Free (included in P1). Mandatory per CIS 1.30, BIO 11.02. Implementation: 4-8 hours (IP inventory + policy assignment). Enables geographic access control.
- Implementation time: 8 hours
- FTE required: 0.05 FTE