Hi @JustinMicheal-7973 • Thank you for reaching out.
If I understood your requirement correctly, you want to allow a specific set of users to be able to access Azure Portal only from a particular IP Address. Correct me if I am wrong.
If my understanding is correct, you don't need to create 2 Policies for this purpose. You can configure the policy settings as mentioned below:
- Create a Named Location under Azure Active Directory > Security > Conditional Access > Named locations, e.g. Location1. For a specific IP address (not a subnet) use a /32 CIDR.
- Create a conditional access policy with the below conditions:
  a) Under Users and Groups > Add the required users/groups.
  b) Under Cloud apps or actions > Add Microsoft Azure Management.
  c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step 1).
  d) Under Access Control section > Grant > Block Access.
  e) Enable Policy > On > Create.
This policy will restrict the given set of users from accessing the Azure Portal from anywhere except Location1, which represents the IP address to be allowed.
When you create 2 policies, where Policy 1 allows access and Policy 2 blocks access, both policies will be evaluated and the most restrictive one takes precedence, which means access will be blocked in that case.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
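The single-policy configuration described in the answer above, expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original answer. The IP address, group and account object ids and display names are constructed placeholders; the application id is the well-known id of the Windows Azure Service Management API, which is what the portal's "Microsoft Azure Management" entry maps to; the policy is created in report-only mode first so its effect can be reviewed in sign-in logs before enforcing it.

```powershell
# Added example: one Conditional Access policy that blocks the selected users from
# Microsoft Azure Management everywhere except a single allowed IP address.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 1: named location for the single allowed address (/32 = exactly one host).
# 203.0.113.10 is a constructed documentation-range address; substitute your own.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Location1"
    isTrusted     = $false
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.10/32"
        }
    )
}

# Step 2: the policy. Include all locations, exclude Location1, and block.
# 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known app id of the
# Windows Azure Service Management API ("Microsoft Azure Management" in the portal).
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block Azure Management outside Location1"
    # Report-only first; switch to "enabled" after reviewing the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            # Placeholders: object id of the restricted group, and of an
            # emergency-access (break-glass) account kept out of the policy's scope.
            includeGroups = @("<object-id-of-the-restricted-group>")
            excludeUsers  = @("<object-id-of-break-glass-account>")
        }
        applications = @{
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)   # Location1 created in step 1
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Created policy '$($policy.DisplayName)' with id $($policy.Id)"
```

Because every applicable policy is evaluated and a block always wins, no separate "allow" policy is needed; the exclusion of Location1 from the block is what lets the allowed address through.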