Restrict Authentication Locations

Restricting where users are allowed to authenticate from is an effective way to defend against Adversary-in-the-Middle (AiTM) attacks.

AiTM attacks rely on attacker-controlled servers or cloud infrastructure to relay authentication traffic. By limiting sign-ins to trusted or expected network environments, you can block these authentication attempts before they ever reach your environment.

This page explains how location-based controls work and what options Microsoft provides to enforce them.

Why Location Restrictions Matter

AiTM servers won't operate from your organization's trusted networks. Instead, they typically use:

  • Public cloud hosting providers

  • Virtual private servers (VPS)

  • Dynamic IP ranges

  • Foreign or unexpected regions

When you enforce location-based controls, authentication requests coming from these unknown or untrusted environments are automatically blocked—even if an employee falls for a phishing attempt.

Options for Restricting Authentication Locations

Microsoft provides several ways to enforce location-based access controls.

1. Named Locations in Conditional Access

You can create named locations to designate trusted network environments, then reference those locations in Conditional Access policies that allow or block sign-ins accordingly.
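As an added example (not code from this page or from Microsoft), the following Microsoft Graph PowerShell script creates a trusted IP named location and a Conditional Access policy that blocks sign-ins from any location that is not marked trusted. It assumes the Microsoft.Graph SDK module is installed and the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess scope; the CIDR range, the display names and the excluded break-glass account ID are placeholders.

```powershell
# Added example: trusted named location + "block from untrusted locations" policy.
# Assumes Microsoft.Graph PowerShell SDK; all names and the CIDR are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location covering the corporate egress range, flagged as trusted.
#    203.0.113.0/24 is a documentation range (TEST-NET-3) used here as a placeholder.
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (example)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}

# 2. Policy: all users, all cloud apps, block when the request originates from
#    any location except the ones marked trusted ("AllTrusted").
#    Created in report-only mode so sign-in logs show what would be blocked
#    before enforcement; a break-glass account is excluded to avoid lockout.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block sign-in from untrusted locations (example)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# 3. Confirm which locations the tenant now treats as trusted.
Get-MgIdentityConditionalAccessNamedLocation |
    Where-Object { $_.AdditionalProperties["isTrusted"] -eq $true } |
    Select-Object Id, DisplayName

"Named location: $($namedLocation.Id)"
"Policy:         $($policy.Id)"
```

Leave the policy in report-only mode until the sign-in logs show no legitimate users being flagged (remote workers on home connections are the usual surprise), then switch `state` to `enabled`. Keep the break-glass exclusion in place; a location-only block with no excluded account can lock administrators out if the corporate egress address changes.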

2. Global Secure Access Policies

For organizations using Microsoft Entra’s Global Secure Access (part of Entra Internet Access and Private Access), you gain even stronger network-level controls.

These policies allow you to:

  • Enforce traffic routing through secure access points

  • Require traffic inspection before authentication

  • Block access attempts from external or unknown network paths

This ensures that all authentication traffic originates from trusted, monitored, and controlled connections.

How This Helps Prevent AiTM

When location restrictions are in place:

  • AiTM servers cannot impersonate your trusted IP ranges

  • Attackers cannot simply “relay” the sign-in from their infrastructure

  • Even if the user enters credentials on a phishing page, the attacker’s login attempt fails

By narrowing the environments in which authentication is allowed, you significantly reduce the attack surface and prevent unauthorized access from attacker-controlled networks.
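To make the mechanism concrete, here is an added example (not from the page) that simulates the location check offline: it tests each sign-in's source address against the trusted CIDR ranges and shows that a sign-in relayed through an AiTM server's own address is rejected while a direct sign-in from the corporate range passes. The trusted ranges and the sign-in records are constructed sample data, and the check is a deliberately simplified model of Conditional Access location evaluation (the real evaluation also handles IPv6, countries/regions and other conditions).

```powershell
# Added example: simplified simulation of a trusted-location check.
# Ranges and sign-in records below are constructed, not real logs.

function ConvertTo-IPv4UInt32 {
    # Turn a dotted-quad string into a 32-bit number (big-endian byte order).
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [uint64]$value = 0
    foreach ($b in $bytes) { $value = ($value * 256) + $b }
    return [uint32]$value
}

function Test-IPv4InCidr {
    # True when $Address falls inside the $Cidr network (e.g. "203.0.113.0/24").
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask = [uint32]((([uint64][uint32]::MaxValue) -shl (32 - [int]$prefix)) -band [uint32]::MaxValue)
    return ((ConvertTo-IPv4UInt32 $Address) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask)
}

function Get-LocationDecision {
    # Evaluate each sign-in against the trusted ranges; anything outside is blocked,
    # regardless of whether the credentials the relay presents are correct.
    param([hashtable[]]$SignIns, [string[]]$TrustedRanges)
    foreach ($s in $SignIns) {
        $trusted = $false
        foreach ($range in $TrustedRanges) {
            if (Test-IPv4InCidr -Address $s.SourceIp -Cidr $range) { $trusted = $true; break }
        }
        $decision = if ($trusted) { 'allow' } else { 'block (untrusted location)' }
        [pscustomobject]@{
            User     = $s.User
            SourceIp = $s.SourceIp
            Note     = $s.Note
            Decision = $decision
        }
    }
}

# Constructed trusted ranges (documentation address blocks used as placeholders).
$trustedRanges = @('203.0.113.0/24')

# Constructed sign-in records. The second one models an AiTM relay: the user typed
# valid credentials into a phishing page, but Entra sees the relay's address.
$sampleSignIns = @(
    @{ User = 'alice@example.com'; SourceIp = '203.0.113.25';  Note = 'office workstation' },
    @{ User = 'alice@example.com'; SourceIp = '198.51.100.77'; Note = 'credentials relayed via attacker VPS' },
    @{ User = 'bob@example.com';   SourceIp = '203.0.113.200'; Note = 'office workstation' }
)

Get-LocationDecision -SignIns $sampleSignIns -TrustedRanges $trustedRanges | Format-Table -AutoSize
```

The point the table makes is the one the bullets above state: the relay's source address, not the victim's, is what the identity provider evaluates, so a policy scoped to trusted ranges rejects the attacker's attempt even though the credentials themselves were correct.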