IP ranges with Azure AD Premium Conditional Access

Q. When using Azure AD Premium Conditional Access location what IP ranges are being configured?

A. When using conditional access it is possible to create policies for specific applications (such as Exchange Online, Application Gateway) to enable, require MFA or block access based on a number of criteria including user group memberships, the device state (e.g. its health in conjunction with Intune/SCCM, domain join membership), risk and location. The location is based on an IP range where you define what IP ranges are considered corporate locations.

You may wonder what IP range this refers to, for example is this the internal IP of the connecting client which will normally be from RFC1918 such as 10., 172.16, 192.168 etc which would be a problem since many companies use the same IP ranges. What the location IP address actually is is the IP address that connects to the Internet from the organization, i.e. the Internet gateway (NAT gateway) which would be unique to your organization. Often you will have multiple gateways so a range would be defined that included your organizations external facing IP ranges however single IP addresses can also be added using a /32 CIDR format.