
How to Restrict Microsoft 365 Access to Intune-Managed Devices from Unknown IPs

Securing access to Microsoft 365 is a top priority for IT admins. Many organizations want to make sure that only Intune-managed (compliant) devices can connect to M365 when users are signing in from unknown or untrusted IP addresses. This helps prevent unauthorized access from personal or unmanaged devices, while still allowing flexibility for corporate networks.

In this guide, we’ll walk through how to set up a Conditional Access (CA) policy in Microsoft Entra that enforces this requirement.


Why This Matters

  • Unmanaged devices = higher risk. Users logging in from personal laptops or unprotected devices can expose sensitive company data.
  • Unknown IPs are unpredictable. A login attempt from outside corporate or known locations could be risky.
  • Conditional Access bridges the gap. By combining trusted IPs and compliance enforcement, you can allow secure access only when conditions are met.

Step 1: Define Trusted Locations

First, tell Microsoft Entra which public IP addresses belong to your corporate network, so the policy in Step 2 can exclude them.

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Protection > Conditional Access > Named locations.
  3. Create an IP ranges location, list the public (egress) IP ranges of your offices or VPN in CIDR notation, and tick Mark as trusted location.
    • Example: the public IP range your office traffic leaves from, not internal 10.x or 192.168.x addresses, which Entra never sees.

Defining the location does nothing by itself; the policy in Step 2 excludes it so that the compliance requirement applies only to sign-ins from addresses outside these ranges. Keep the list current: if your egress addresses change (new ISP, cloud proxy, VPN gateway), office users will start being evaluated as unknown.


Step 2: Create the Conditional Access Policy

  1. Go to Conditional Access > New Policy.
  2. Give the policy a clear name, like:
    M365 – Restrict Access from Unknown IPs.

Assignments

  • Users or groups: Select All users, or a pilot group for the first rollout. Exclude your emergency-access (break-glass) accounts so a misconfigured policy cannot lock administrators out.
  • Target resources (cloud apps): Select Office 365, or the specific Microsoft 365 apps you want covered.

Conditions

  • Locations:
    • Include: Any location.
    • Exclude: All trusted locations (or the named location you created in Step 1).
    • Result: The policy applies only to sign-ins from IP addresses outside your trusted ranges.

Access Controls

  • Under Grant, select Require device to be marked as compliant.
    • The device must be enrolled in Intune and pass the compliance policies you have assigned. A device that is not registered with Entra at all cannot present device state and is treated as non-compliant.
  • (Optional) Also select Require Microsoft Entra hybrid joined device. Which operator you pick matters: with Require one of the selected controls, domain-joined corporate machines that are not Intune-enrolled are also allowed; with Require all of the selected controls, only devices that are both hybrid joined and compliant get in, which also blocks compliant Entra-joined or personal devices.

Enable the Policy

  • Set Enable policy to Report-only first, then switch it to On once the tests in Step 3 look right.
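The Step 1 and Step 2 settings can also be created with the Microsoft Graph PowerShell SDK, which is useful for repeating them across tenants or keeping them in source control. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, that the signed-in account can manage Conditional Access, and that the office CIDR range and the break-glass group ID are placeholders you replace with your own.

```powershell
# Added example: create the trusted named location and the Conditional Access policy
# described in Steps 1 and 2 with the Microsoft Graph PowerShell SDK.
# ASSUMPTIONS: Microsoft.Graph module installed; the CIDR range and group ID are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Step 1: an IP-ranges named location for the corporate egress range, marked as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office egress"
    isTrusted     = $true
    ipRanges      = @(
        # Placeholder: replace with the public range your office traffic leaves from.
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Placeholder: object ID of the emergency-access group excluded from every CA policy.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Step 2: all users except break-glass, Office 365 apps, any location except trusted ones,
# grant only on a compliant device OR a hybrid-joined device ("domainJoinedDevice").
# Created in report-only state so Step 3 can be done from the sign-in logs before enforcing.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "M365 - Restrict Access from Unknown IPs"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after testing
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator        = "OR"   # "AND" would also block compliant but non-hybrid-joined devices
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# Review what was created before flipping the state to "enabled".
$location | Select-Object Id, DisplayName, IsTrusted
$policy   | Select-Object Id, DisplayName, State
```

The special values "All", "Office365" and "AllTrusted" are the API equivalents of the portal choices All users, Office 365 and All trusted locations; the policy is deliberately created in report-only state so that the next step can be carried out without blocking anyone.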

Step 3: Test Before Enforcing

Always test before a full rollout.

  • From a trusted IP (office network) → Access should work without restrictions.
  • From an unknown IP with a compliant, Intune-managed device → Access should work.
  • From an unknown IP with an unmanaged device → Access should be blocked; the user sees a device-not-compliant error and, on platforms Intune supports, a prompt to enroll.

Two situations commonly look like false positives. A compliant device signing in from a browser that cannot present device state (on Windows, a third-party browser without the Microsoft Single Sign On extension; on mobile, a browser without the Authenticator or Company Portal broker) is blocked like an unmanaged device. A device whose compliance status has gone stale because it has not checked in is blocked until it does.

Tip: Use Report-only mode first to preview the impact without blocking users, and open the Conditional Access tab of individual entries in the Entra sign-in logs to see which policy and which grant control decided each sign-in.
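To work through Step 3 across the whole pilot group instead of one device at a time, the following added example (not from the original article) pulls the last day of sign-ins from Microsoft Graph and summarizes how the report-only policy would have decided each one. It assumes the policy display name used in Step 2, the AuditLog.Read.All and Directory.Read.All permissions, and a Microsoft Entra ID P1 license for sign-in log access.

```powershell
# Added example: summarize report-only Conditional Access results from the sign-in logs.
# ASSUMPTIONS: the policy display name below matches the one created in Step 2;
# the account has AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "M365 - Restrict Access from Unknown IPs"
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull the last 24 hours of sign-ins; -All follows paging.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only sign-ins our policy evaluated and project the fields that explain the decision.
$rows = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
    if (-not $hit) { continue }
    [pscustomobject]@{
        User      = $s.UserPrincipalName
        IP        = $s.IpAddress
        App       = $s.AppDisplayName
        OS        = $s.DeviceDetail.OperatingSystem
        Browser   = $s.DeviceDetail.Browser
        Managed   = $s.DeviceDetail.IsManaged
        Compliant = $s.DeviceDetail.IsCompliant
        TrustType = $s.DeviceDetail.TrustType      # e.g. Azure AD joined, Hybrid Azure AD joined
        Result    = $hit.Result                     # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied
    }
}

# Counts per outcome: reportOnlyNotApplied = trusted IP, reportOnlySuccess = compliant from
# unknown IP, reportOnlyFailure = would be blocked once the policy is switched to On.
$rows | Group-Object Result | Select-Object Name, Count

# Review the would-be-blocked sign-ins for surprises: office users whose egress range is
# missing from the named location, or compliant devices in browsers that carry no device state.
$rows | Where-Object Result -eq "reportOnlyFailure" |
    Sort-Object User | Format-Table User, IP, App, OS, Browser, Managed, Compliant, Result -AutoSize
```

A reportOnlyFailure row whose device shows Managed and Compliant as true is the browser or stale-check-in case described above, not an unmanaged device; a row from a known office address means the trusted location in Step 1 is incomplete.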


Best Practices

  • Combine with Intune compliance policies. Require disk encryption, antivirus, a minimum OS version, a device password or PIN, and more to define what a “compliant” device means; the Conditional Access grant is only as strong as these policies.
  • Add MFA for extra security. Consider requiring MFA in addition to device compliance for unknown IPs; both controls can be required in the same policy.
  • Exclude break-glass accounts. Keep at least one emergency-access account out of every Conditional Access policy so a broken policy or an Intune outage cannot lock out all administrators.
  • Roll out in phases. Start with a pilot group in report-only mode, then expand.

Final Thoughts

With this Conditional Access setup, you create a strong safeguard:

  • Users on trusted IPs can connect without issues.
  • Users on unknown IPs must be on a compliant, Intune-managed device.
  • Anyone signing in from an unknown IP on an unmanaged device is blocked.

Keep the one gap in mind: because trusted locations are excluded, an unmanaged personal device on the corporate network is still allowed in. If that is not acceptable, drop the location exclusion and require a compliant device from every location.

This strikes a workable balance between security and productivity in Microsoft 365.

