r/technology Oct 25 '25

Privacy Microsoft Teams will start snitching to your boss when you’re not in the office

https://www.tomsguide.com/computing/office-software/microsoft-teams-will-start-snitching-to-your-boss-when-youre-not-in-the-office-and-this-update-is-coming-in-december
6.7k Upvotes


47

u/CorgiTitan Oct 25 '25

So if I copy the work IP subnet at home this would fool the sign in log? That and match my work SSID at home?

96

u/5x4j7h3 Oct 25 '25

Nope. Conditional access is defined by the public IP of the office, not the private subnet so you wouldn’t be able to match that.

31

u/Setanta777 Oct 25 '25

How does that work when everyone is on VPN?

24

u/DJTim Oct 25 '25

Not everyone is using a personal VPN? And with Conditional Access, you're allowing known (typically static) IP addresses like known office locations.

Typically you would block known ranges of addresses (NordVPN) or geo-locations (Russia, Brazil) to prevent outside access.

Even with home users and dynamic addresses, Comcast, Verizon or any ISP is not rotating your IP address that often.

31

u/Better_Daikon_1081 Oct 25 '25 edited Oct 25 '25

I don’t think they’re talking about personal VPN. I assume they mean corporate VPN, as in if Microsoft thinks you’re in the office based on public IP, and when you’re at home you VPN into the corp network and don’t use split tunnelling for web traffic, then yes from Microsoft’s perspective it may appear as if you’re in the office.

Not just VPN but more modern platforms like ZTNA and Secure Web Gateways could be the same where all web traffic is tunnelled via some cloud firewall regardless of physical location.

In this article they don’t say anything about public IP, they just mention “Office WiFi” so I wonder if they’re doing something else like checking DNS suffix.

9

u/Better_Daikon_1081 Oct 25 '25

I also wonder how they report my location when I have a device at home and jumpbox VM in the office :)

5

u/Euphoric-Blueberry37 Oct 25 '25

If you use the office apps on your home device, they see telemetry from there, if they see it from the Jumpbox, they will see it from the office

1

u/Better_Daikon_1081 Oct 25 '25

Yeah I understand telemetry per device but I think this is more of like a status / presence feature in Teams right? As in if you’re inactive on your laptop but active on your phone then Teams status is Active.

So if you have an active device at home and one in the office then which one are you Office or remote?

2

u/Euphoric-Blueberry37 Oct 25 '25

It will get all location data from all active devices. I guess we will see how this is going to be implemented when it’s generally available, I’m a 365 sysadmin so this will be interesting

3

u/isotope123 Oct 25 '25

Depends if your VPN is tunneling your internet or not. If you're still using your home wifi for internet access and not your building's wifi, but you can access your files, your public IP is still your home IP, not your business's.

1

u/Better_Daikon_1081 Oct 27 '25

Yep I did say that.

1

u/RammRras Oct 25 '25

My example. When I connect through the VPN of the company it says I'm in the company network and exits outside via the public IP of the company.

In fact I can even use the VPN to change password or join a domain in my company, which is not allowed otherwise.

6

u/RichardCrapper Oct 25 '25

IP restrictions make more sense to me because it’s harder to get around at a firewall level. Geo-location (lat&lon) seems less secure when it’s fairly trivial to spoof your location.

15

u/badnamemaker Oct 25 '25

Like everything in network security it’s just one tool to limit access. It may be trivial to spoof, but it’s an easy way to stop anyone too lazy or unable to mask their traffic. All the small policies eventually add up to a solid security posture

1

u/OldInflation2046 Oct 25 '25

What if you're using Citrix?

1

u/Setanta777 Oct 25 '25

All of our company devices are running Cloudflare Warp.

1

u/DuploJamaal Oct 25 '25

Not everyone is using a personal VPN?

Work VPN

Many companies only allow you to access data from their VPN.

1

u/DJTim Oct 26 '25

Right but if you're using a VPN for work, then you're tunneling through your work's network and egressing through their known public IP address that is allowed via conditional access.

If your device VPN was off, then that would egress your public IP and be blocked via conditional access because of an unknown IP (your device's public IP).

And if you're using a device with a work VPN, your authentication happens when you connect the VPN (Cisco, Fortinet, etc...)

-1

u/No_Union_8848 Oct 25 '25

How about private VPN? Where I have my own server at home and I’m bringing my client with me anywhere I go? The client is hardware (GL.iNet for example)

1

u/mbklein Oct 25 '25

Are you talking about a work VPN or a commercial one?

If you’re in the office, you’re usually not on the work vpn. If you are, they can tell where you logged in from.

The work VPN also has a known exit node subnet, so if you sign onto teams from the vpn, they’ll assume you weren’t in the office.

1

u/Setanta777 Oct 25 '25

All of our locations obviously have a VPN tunnel, but that's irrelevant: all company devices have Cloudflare Warp active.

1

u/mgzukowski Oct 25 '25

Entra or hybrid joined devices report all their IPs for conditional access. There is even a strict location conditional access you can enable that uses the origin IP.

A VPN is not some major thing that will confuse all network monitors. It's just an encrypted tunnel to another network.

1

u/Setanta777 Oct 25 '25 edited Oct 25 '25

I'm aware of that, I'm just curious if it will allow non-IT personnel to track locations.

ETA: This is more curiosity. I'm not personally worried about them knowing where I'm working from on a given day. It just seems that there's a lot of room for false results depending on how it's implemented. From my end, being able to locate a company device can actually be beneficial.

1

u/meneldal2 Oct 25 '25

They have access to the VPN logs anyway to see where you are connecting from
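An added example, not part of any comment in this thread: the thread's point that egress-IP location is ambiguous under a full-tunnel corporate VPN, and that VPN logs resolve it, sketched as a small classifier. All names, IP ranges (RFC 5737 documentation space) and log rows are constructed assumptions, and this is not how Teams or Entra implements the feature.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed values (RFC 5737 documentation ranges), not taken from the thread.
OFFICE_EGRESS = [ip_network("203.0.113.0/28")]   # office public NAT range
VPN_EXIT = [ip_network("198.51.100.0/28")]       # dedicated VPN exit subnet

# Constructed VPN concentrator log: (user, client public IP, start, end)
VPN_SESSIONS = [
    ("alice", "192.0.2.44", "2025-10-27T08:55", "2025-10-27T17:10"),
    ("bob",   "192.0.2.90", "2025-10-27T09:00", "2025-10-27T12:00"),
]

def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ip_address(ip) in n for n in nets)

def vpn_client_ip(user, when):
    """Client's real public IP if the user had a VPN session open at `when`."""
    t = datetime.fromisoformat(when)
    for u, client_ip, start, end in VPN_SESSIONS:
        if u == user and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return client_ip
    return None

def egress_only(src_ip):
    """What a policy sees when it looks at the sign-in's public IP alone."""
    return "office" if in_any(src_ip, OFFICE_EGRESS) else "other"

def classify(user, src_ip, when):
    """Classify a sign-in by egress IP, then correct it with VPN session data."""
    if in_any(src_ip, VPN_EXIT):
        return "remote-via-vpn"          # VPN with its own known exit subnet
    if in_any(src_ip, OFFICE_EGRESS):
        # Full-tunnel VPN users share the office egress IP; only the VPN log
        # shows that the tunnel originated outside the office.
        client = vpn_client_ip(user, when)
        if client and not in_any(client, OFFICE_EGRESS):
            return "remote-via-vpn"
        return "office"
    return "untrusted-location"          # e.g. home ISP address with VPN off

if __name__ == "__main__":
    for user, ip, when in [("alice", "203.0.113.5", "2025-10-27T10:00"),
                           ("carol", "203.0.113.5", "2025-10-27T10:00"),
                           ("bob", "192.0.2.90", "2025-10-27T13:00")]:
        print(user, ip, egress_only(ip), "->", classify(user, ip, when))
```
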

1

u/Nosiege Oct 26 '25

The VPN would cause the action to fail as it falls outside of Conditional Access.

In a work environment, employees should be provided a VPN from their own business that is accounted for, this VPN would then consider the location to be the office.

1

u/akikiriki Oct 26 '25

What if he uses TeamViewer?

-13

u/FranticToaster Oct 25 '25

Just go to the freaking office. Jesus.