Add IPv6 addresses/ranges in named locations
We set up Named Locations in Azure ID to "avoid" risky Azure AD logins.
I added all our IPv4 public IPs/ranges but could not enter the IPv6 IPs/ranges. I got in touch with the Azure support and they said it is not possible yet.
As we also use IPv6 surf IPs, could you enable the feature to add IPv6 IPs/ranges as well?
This has now made its way to public preview.
Jeremy Reeves commented
I just found it! Thank you for the release! Long long long awaited! I look forward to testing it out.
Steffen Frederiksen commented
Any update? It's 2 months since "soon" now.
Microsoft, are you able to give us an ETA? Coming soon doesn't really work for our customers.
We had enabled a conditional access policy to block logins outside of the country.
But we found that this policy is not working for IPv6-enabled users as well as iPhone devices.
Kindly take action on the same for resolution.
Lance Keltner commented
Just ran into this this morning. Client uses an iPhone and the built-in mail app. Sometimes it talks over IPv6 and without the "unknown" picked on my "USA only" policy, it fails. It works fine when going over IPv4, but you can't control it.
Tina O' Shea commented
This is vital to complete this function.
Otherwise it's a half-hearted attempt and would not pass accreditation from any government agency or other large corporation.
Ruben HErold commented
We have had our network running on IPv6 only with NAT64 for years.
Now we can't implement MFA without this. Please activate it fast.
Michael Burgher commented
Nuno Correia commented
Is it finished? :D
When is this finished!
Is there a release date as work started over 5 months ago?
Still nothing? This is crazy, half our country's ISPs use IPv6 now, which is stopping access for people doing work!
Michael Bateman commented
Not supporting IPv6 makes CA to require modern authentication almost useless for us. We are trying to require this for some groups and when applied to outside US only I managed to kick off SEVERAL phones running IPv6. If it would at least support country of origin it would help. For a "modern" security feature it's hard to believe this was overlooked.
Mike Burgher commented
Azure AD Team, is there an ETA for when this feature will be added?
Nicholas A. Hay commented
Any updates on this such as an estimated launch quarter?
Jim Hill commented
So today we had an issue with a user on iOS 13.1.2 that we had not seen before. We are using a conditional access policy which blocks logins from outside of the USA and Bahamas (some ATT MIFI users have a Bahamas address, go figure). The named range for these countries I configured did not have the checkbox enabled for "include unknown areas." This user could not send or receive email and got a message from Exchange telling him. I saw in the logs that this CA policy blocked him, his address was an IP6. I adjusted the named region to include unknown areas and the issue went away. So IP6 addresses are not mapped to a region. The docs don't really say that. The doc states, with typing errors included, "IPv6 rangess cannot currently be included in a named location. This measn IPv6 ranges cannot be excluded from a Conditional Access policy." Refer to https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
So, how this played out today was that the iOS user could not get email until I adjusted the named location to include unknown areas, because his device was only reporting an IP6 address. This must be addressed.
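An added example (not part of the comment above and not Microsoft's code): a triage script that picks out Conditional Access failures where the client address is IPv6 and no country was resolved, which is the pattern the comment describes finding in the logs. The field names follow the Microsoft Graph `signIn` resource; the records are constructed, and treating an empty `countryOrRegion` as an "unknown area" is an assumption.

```python
import ipaddress
import json

# Constructed sample records (not real logs); addresses use documentation ranges.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@example.com", "ipAddress": "2001:db8:12::7",
  "conditionalAccessStatus": "failure", "location": {"countryOrRegion": ""},
  "appliedConditionalAccessPolicies": [{"displayName": "USA only", "result": "failure"}]},
 {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20",
  "conditionalAccessStatus": "success", "location": {"countryOrRegion": "US"},
  "appliedConditionalAccessPolicies": [{"displayName": "USA only", "result": "success"}]},
 {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.9",
  "conditionalAccessStatus": "failure", "location": {"countryOrRegion": "FR"},
  "appliedConditionalAccessPolicies": [{"displayName": "USA only", "result": "failure"}]},
 {"userPrincipalName": "dave@example.com", "ipAddress": "not-an-ip",
  "conditionalAccessStatus": "failure", "location": null,
  "appliedConditionalAccessPolicies": []}
]
""")


def ip_version(value):
    """Return 4 or 6, or None when the field is missing or malformed."""
    try:
        return ipaddress.ip_address((value or "").strip()).version
    except ValueError:
        return None


def unmapped_ipv6_blocks(records):
    """Find CA failures from IPv6 clients that have no resolved country."""
    hits = []
    for rec in records:
        if rec.get("conditionalAccessStatus") != "failure":
            continue
        if ip_version(rec.get("ipAddress")) != 6:
            continue
        if (rec.get("location") or {}).get("countryOrRegion"):
            continue  # a country was resolved, so this is not the unmapped case
        failed = [p.get("displayName")
                  for p in rec.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        hits.append({"user": rec.get("userPrincipalName"),
                     "ip": rec.get("ipAddress"), "policies": failed})
    return hits


if __name__ == "__main__":
    for hit in unmapped_ipv6_blocks(SAMPLE_SIGNINS):
        print(hit)
```

Users and policies that show up here are the ones affected by whether "include unknown areas" is ticked on the named location.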
Mark McC commented
I agree that there seems to be a lack of joined-up thinking here. If it is using IPv6 addresses to access a login (as it clearly is) then it is barmy that CA blocks them.
We found we were having a lot of hacking attempts from particular countries so in an attempt to improve security set up CA last week to block attempts from such countries.
So now logins to Exchange via IPv6 are being blocked even though the IP6 addresses are clearly coming from a country that should not be blocked.
It's pretty easy to build CA policies to grant with MFA at all locations, even unknown. Where this issue hurts is with countries for which we simply wish to completely block all sign-in capabilities. We can't effectively do that until this is fixed. Not that there aren't ways to beat that, too, but it's at least moderately effective. Admin, do you have an ETA on this?
The idea that this had to be voted on is ridiculous. This is a huge gap in security and shouldn't require a 2 year voting campaign to get it looked at. Shame on Microsoft for ignoring security this long.
I actually thought that this is already implemented, because even the idea of the opposite is unfathomable to me. How can you create the "secure" public image when literally every hacker who happened to use IPv6 can easily try to login using someone's credentials?