Skip to content

Update named location

Azure

Update named location

service: Azure - Conditional Access, Named Locations
techniques:

Event

Updates a named location definition (IP ranges or countries) used in Entra ID Conditional Access policy conditions.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. draco@fantasticlogs.cloud modifies the trusted named location Corporate-Office-Egress (used by CA policies as a trusted-network condition) to add his external adversary IP 203.0.113.66/32 and mark the location as isTrusted = true. Future authentications from Draco’s IP will satisfy “trusted location” CA bypass conditions.

{
"id": "Directory_90000000-0000-4000-8000-000100011111_2B4D8_82148710",
"category": "Policy",
"correlationId": "90000000-0000-4000-8000-000100011111",
"result": "success",
"resultReason": "",
"activityDisplayName": "Update named location",
"activityDateTime": "2026-04-15T18:18:23.7218042Z",
"loggedByService": "Conditional Access",
"operationType": "Update",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "60000000-0000-4000-8000-000011101101",
"displayName": "Corporate-Office-Egress",
"type": "Other",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": [
{
"displayName": "ipRanges",
"oldValue": "[{\"@odata.type\":\"#microsoft.graph.iPv4CidrRange\",\"cidrAddress\":\"198.51.100.0/24\"}]",
"newValue": "[{\"@odata.type\":\"#microsoft.graph.iPv4CidrRange\",\"cidrAddress\":\"198.51.100.0/24\"},{\"@odata.type\":\"#microsoft.graph.iPv4CidrRange\",\"cidrAddress\":\"203.0.113.66/32\"}]"
},
{
"displayName": "isTrusted",
"oldValue": "[false]",
"newValue": "[true]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"ipRanges\""
}
]
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
}
]
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
  • T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...