Named Locations Design

💼 Management Summary

Named Locations define trusted network ranges and countries for geo-fencing in Conditional Access policies.

Recommendation: IMPLEMENT NAMED LOCATIONS
Risk without: Medium
Risk Score: 5/10
Implementation: 8h (tech: 4h)
Applies to:
✓ Azure AD
✓ Conditional Access

Geo-based controls: (1) trusted office IPs - skip additional MFA inside the office, (2) blocked countries - block sign-ins from high-risk geolocations (Russia, China, North Korea for EU organizations), (3) travel scenarios - detect unusual locations and require step-up authentication. Named Locations provide the context for risk-based decisions.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.SignIns

Implementation

Define: trusted locations (office IP ranges, VPN endpoints), allowed countries (EU plus countries with a business presence), blocked countries (high-risk). Use in CA: skip MFA in trusted locations (convenience), block entirely from blocked countries (security).

Requirements

  1. Azure AD Premium P1
  2. Static IP ranges for offices/VPN
  3. List of countries with a business presence
  4. Risk analysis per country

Implementation

Use the PowerShell script named-locations.ps1 (function Invoke-Remediation) for the Named Locations configuration.

  1. Azure AD → Named locations → create IP-based (office ranges) and country-based (allow/block lists) locations
  2. CA policies: trusted locations get reduced friction, blocked countries get access denied
  3. Update when IPs change (office moves, VPN changes)
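Step 2 in working form, as an added example that is not part of the baseline's own named-locations.ps1: a Conditional Access policy that denies access from the country-based blocked location, created in report-only mode so the effect can be checked in the sign-in log before it is enforced. The location name, policy name and the emergency-access group id are assumptions/placeholders for your tenant; the trusted office/VPN ranges are excluded via the built-in AllTrusted value.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
# Assumed names/ids: replace with the values used in your tenant.
param(
    [string]$BlockedLocationName    = 'Blocked countries (high-risk)',
    [string]$PolicyDisplayName      = 'CA - Block sign-ins from high-risk countries',
    [string]$EmergencyAccessGroupId = '<emergency-access-group-object-id>'   # placeholder
)
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# Resolve the country-based named location that the block policy will reference.
$location = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq $BlockedLocationName }
if (-not $location) { throw "Named location '$BlockedLocationName' not found; create it first." }

# Idempotent: do not create the policy twice.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $PolicyDisplayName }
if ($existing) { Write-Host "Policy already exists: $($existing.Id)"; return }

$policy = @{
    displayName = $PolicyDisplayName
    # Report-only: sign-ins are logged as 'would block' but not actually denied.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = @($EmergencyAccessGroupId)   # keep break-glass accounts reachable
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @($location.Id)
            excludeLocations = @('AllTrusted')   # trusted office/VPN ranges never hit this block
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode; review the sign-in log, then set state to 'enabled'."
```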

Monitoring

Use the PowerShell script named-locations.ps1 (function Invoke-Monitoring) to check.

  1. Sign-ins from blocked countries (should be zero)
  2. Sign-ins from unusual locations (travel alerts)
  3. Named location coverage (% of sign-ins from known locations)
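The three monitoring checks above as an added example (not code from the baseline's named-locations.ps1): it reads the sign-in log for the last N days, counts sign-ins whose country is in the blocked list, lists sign-ins from countries outside an assumed business-presence list for travel review, and computes coverage by matching source IPs against the IPv4 ranges of all IP-based named locations. The blocked-country codes come from the design; the expected-country list is an assumption.

```powershell
#Requires -Modules Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
param(
    [int]$Days = 7,
    [string[]]$BlockedCountries  = @('RU', 'CN', 'KP'),   # Russia, China, North Korea (from the design)
    [string[]]$ExpectedCountries = @('NL', 'BE', 'DE')    # assumed business-presence list
)
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All' | Out-Null

$since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = @(Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since")

# Collect the IPv4 CIDR ranges of every IP-based named location (trusted or not).
$ranges = @(foreach ($loc in Get-MgIdentityConditionalAccessNamedLocation -All) {
    if ($loc.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.ipNamedLocation') {
        foreach ($r in $loc.AdditionalProperties['ipRanges']) {
            if ($r['@odata.type'] -eq '#microsoft.graph.iPv4CidrRange') { $r['cidrAddress'] }
        }
    }
})

function ConvertTo-Int64Ip([string]$Ip) {
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}
function Test-InCidr([string]$Ip, [string]$Cidr) {
    if ($Ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }   # IPv6 ranges are not handled here
    $net, $bits = $Cidr -split '/'
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((ConvertTo-Int64Ip $Ip) -band $mask) -eq ((ConvertTo-Int64Ip $net) -band $mask)
}

$fromBlocked = @($signIns | Where-Object { $BlockedCountries -contains $_.Location.CountryOrRegion })
$unexpected  = @($signIns | Where-Object {
    $_.Location.CountryOrRegion -and $ExpectedCountries -notcontains $_.Location.CountryOrRegion })
$known = @($signIns | Where-Object { $ip = $_.IpAddress; @($ranges | Where-Object { Test-InCidr $ip $_ }).Count -gt 0 })
$coverage = if ($signIns.Count) { [math]::Round(100 * $known.Count / $signIns.Count, 1) } else { 0 }

Write-Host "Sign-ins from blocked countries (should be 0): $($fromBlocked.Count)"
$fromBlocked | Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
    @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } | Format-Table -AutoSize
Write-Host "Sign-ins from countries outside the business-presence list (travel review): $($unexpected.Count)"
$unexpected | Group-Object { $_.Location.CountryOrRegion } | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Write-Host "Named-location coverage: $coverage% of $($signIns.Count) sign-ins came from a known IP range"
```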

Compliance and Auditing

  1. BIO 09.04 - Location-based access control and authentication
  2. ISO 27001 A.6.2.2 - Teleworking
  3. Data residency requirements

Remediation

Use the PowerShell script named-locations.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
Named Locations Design
.DESCRIPTION
Implementation for Named Locations Design
.NOTES
Filename: named-locations.ps1
Author: Nederlandse Baseline voor Veilige Cloud
Version: 1.0
Related JSON: content/design/identity/named-locations.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph.Identity.SignIns
[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)
$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "Named Locations Design"
$BIOControl = "9.02"
# Country-based named location created by Invoke-Remediation: the high-risk
# countries named in the design (Russia, China, North Korea) as ISO 3166-1 codes.
$BlockedLocationName = "Blocked countries (high-risk)"
$BlockedCountries = @('RU', 'CN', 'KP')

function Connect-RequiredServices {
    # Reading named locations needs Policy.Read.All; creating or deleting them
    # needs Policy.ReadWrite.ConditionalAccess.
    $scopes = @('Policy.Read.All')
    if ($Remediation -or $Revert) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
    Connect-MgGraph -Scopes $scopes | Out-Null
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "named-locations"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check: the design requires at least one trusted IP-based location
    # (office/VPN ranges) and at least one country-based location (allow/block list).
    # Based on: Design Document
    $locations = @(Get-MgIdentityConditionalAccessNamedLocation -All)
    $result.TotalResources = $locations.Count
    $trustedIp = @($locations | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.ipNamedLocation' -and
        $_.AdditionalProperties['isTrusted'] -eq $true })
    $country = @($locations | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.countryNamedLocation' })
    $checks = @(
        @{ Name = 'Trusted IP-based location (office/VPN ranges)'; Pass = ($trustedIp.Count -gt 0) }
        @{ Name = 'Country-based location (allow/block list)';     Pass = ($country.Count -gt 0) }
    )
    foreach ($check in $checks) {
        if ($check.Pass) {
            $result.CompliantCount++
            $result.Details += "[OK] $($check.Name)"
        } else {
            $result.NonCompliantCount++
            $result.Details += "[FAIL] $($check.Name) missing"
            $result.Recommendations += "Create: $($check.Name)"
        }
    }
    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    $existing = Get-MgIdentityConditionalAccessNamedLocation -All |
        Where-Object { $_.DisplayName -eq $BlockedLocationName }
    if ($existing) {
        Write-Host " Named location '$BlockedLocationName' already exists" -ForegroundColor Yellow
    } else {
        # Create the country-based block list; the CA policy that denies access
        # from this location is assigned separately (Implementation step 2).
        $body = @{
            '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
            displayName                       = $BlockedLocationName
            countriesAndRegions               = $BlockedCountries
            includeUnknownCountriesAndRegions = $false
        }
        New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body | Out-Null
        Write-Host " Configuration applied" -ForegroundColor Green
    }
    # The trusted IP-based location depends on the organisation's own static
    # office/VPN ranges (requirement 2) and is therefore not created here.
    Write-Host " Trusted IP-based location: add your office/VPN ranges manually" -ForegroundColor Yellow
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    $result.Details | ForEach-Object { Write-Host "  $_" }
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
} catch {
    Write-Error $_
}

Risk without implementation
Medium: without Named Locations there are no geographic access controls; sign-ins from Russia/China/North Korea to a Dutch (NL) company go unblocked. Compliance: CIS 1.30, BIO 11.02. The risk is rated medium: this is a geographic control.

Management Summary

Named Locations Design: trusted locations (office IPs, VPN ranges; MFA exemption optional), blocked countries (high-risk geolocations: Russia, China, North Korea), IP ranges (corporate networks), use in CA policies (geo-fencing, risk-based blocks). Requires: Azure AD P1. Activation: Entra ID → Named locations → define IPs/countries → assign to CA. Free (included in P1). Mandatory: CIS 1.30, BIO 11.02. Implementation: 4-8 hours (IP inventory + policy assignment). Enables geographic access control.