Category filter

Conditional Access based on location for Office 365

Among the significant benefits of Office 365 is its flexibility, enabling enterprises to provide their employees with access to emails, documents, contacts and calendars anytime and anywhere on any device. However, from a data loss prevention view, ‘anytime and anywhere access’ poses serious security concerns.

Using Microsoft’s Conditional Access, administrators can decide what Office 365 services users can access based on whether they meet certain conditions.

This document provides a step-by-step guide to ensure only the devices enrolled with Hexnode UEM can access Office 365 resources by creating a location-based Conditional Access policy.


  • You need Microsoft Entra ID P1 licenses or Microsoft Entra ID P2 licenses to have access to Conditional Access features.
  • VPN configuration for Android and iOS devices is supported only on Pro, Enterprise, Ultimate, and Ultra pricing plans. In the case of Windows and macOS devices, it is supported only on Ultimate and Ultra pricing plans.

Step 1: Configure Conditional Access in Microsoft Entra ID

Define location

To set up a location-based conditional access policy in the Microsoft Entra ID portal, you must first define a set of locations from which the devices will be able to access Office 365.

To define the locations:

  1. Sign in to your Microsoft Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Navigate to Microsoft Entra ID > Security > Conditional Access > Named locations.
  3. Click on IP ranges location and give your location a name.
  4. Click on the + button and provide the IP range for the location based on your requirements. To add more than one IP, click on the + button again.
  5. Finally, click Create.

Create a Conditional Access policy

After defining all the required IP ranges, create a conditional access policy by following the steps below:

  1. Navigate to Microsoft Entra ID > Security > Conditional Access.
  2. Click on New policy and provide a suitable name.
  3. Under Users or workload identities, select the users for which the conditional access policy should be applied to.
  4. Under Cloud apps or actions, select Office365.
  5. Next, go to Conditions > Locations and set Configure to Yes. Then, select the locations (either as included or excluded based on your requirement) which you defined earlier under Named Locations.
  6. Under Access controls > Grant, select the action to be taken based on the conditions you have set.
  7. Finally, select On under Enable policy and click Create.

Step 2: Configure and deploy VPN policies via Hexnode

After creating a Conditional Access policy in Microsoft Entra ID, the next step is configuring and deploying a VPN policy to your managed devices via the Hexnode portal.


  • If you’re using a cloud VPN service provider, ensure that dedicated static IP addresses are assigned for your VPN clients so that only those users in the trusted IP range can connect to company resources.

Configure VPN settings

To configure VPN settings for your devices securely using a policy,

  1. Login to your Hexnode UEM portal.
  2. Navigate to Policies.
  3. Select an existing policy or create a new one by clicking on New Policy. Assign a suitable name and description (optional) for the policy.
  4. Select the OS from Android, iOS, Windows and macOS.
  5. Go to Network > VPN. Click on Configure.
  6. Refer to the detailed documentation of Android, iOS, Windows and macOS to learn more about setting up VPN configurations on your devices via the Hexnode UEM console.

Associate policies with devices

If the policy has not been saved,

  1. Navigate to Policy Targets.
  2. Click on +Add Devices.
  3. Select the devices and click OK.
  4. Click on Save to apply the policies to devices.

If you have the policy saved already,

  1. From the Policies tab, choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

What happens on the device end?

Once the VPN policies are configured and associated with the devices enrolled in Hexnode, the users will not be able to access Office 365 on unmanaged devices that are not enrolled in Hexnode.

Office 365 Conditional Access restriction popup

  • Configurations
  • Hexnode Integrations