

Control access to SharePoint and OneDrive data based on network location

As an IT admin, you can control access to SharePoint and OneDrive resources in Microsoft 365 based on defined network locations that you trust. This is also known as a location-based policy.

To do this, you define a trusted network boundary by specifying one or more authorized IP address ranges. Any user who attempts to access SharePoint and OneDrive from outside this network boundary (using a web browser, desktop app, or mobile app on any device) is blocked.

(Screenshot: the "Access restricted" message shown in the browser)

What should I consider before setting a location-based policy?

Here are some important considerations for setting a location-based policy:

  • External sharing: If you share files and folders with guests who authenticate, they can't access the resources outside of the defined IP address range.

  • Access from first- and third-party apps: Normally, you can access a SharePoint document from apps like Exchange, Viva Engage, Skype, Teams, Planner, Power Automate, PowerBI, Power Apps, OneNote, and so on. When you enable a location-based policy, apps that don't support location-based policies are blocked. The only apps that currently support location-based policies are Teams, Viva Engage, and Exchange. This means that all other apps are blocked, even when these apps are hosted within the trusted network boundary. This is because SharePoint can't determine whether a user of these apps is within the trusted boundary.

    Note

    We recommend that when you enable a location-based policy for SharePoint, you configure the same policy and IP address ranges for Exchange and Viva Engage. SharePoint relies on these services to enforce that the users of these apps are within the trusted IP range. For protecting access to SharePoint via the Office.com portal, we recommend using the Microsoft Entra Conditional Access policy for "Office 365" and configuring the trusted IP range there.

  • Access from dynamic IP ranges: Several services and providers host apps which have dynamic originating IP addresses. For example, a service that accesses SharePoint while running from one Azure data center might start running from a different data center due to a failover condition or other reason, thus dynamically changing its IP address. The location-based conditional access policy relies on fixed, trusted IP address ranges. If you can't determine the IP address range up front, location-based policy might not be an option for your environment.

How do I set a location-based policy in the SharePoint admin center?

Note

It can take up to 15 minutes for these settings to take effect.

  1. Go to Access control in the new SharePoint admin center, and sign in with an account that has admin permissions for your organization.

Note

If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Access control page.

  2. Select Network location, and turn on Allow access only from specific IP address ranges.

    (Screenshot: the Network location panel)

  3. Enter IP addresses and address ranges separated by commas.

    Important

    Make sure you include your own IP address so you don't lock yourself out. This setting not only restricts access to OneDrive and SharePoint sites, but also to the OneDrive and SharePoint admin centers, and to running PowerShell cmdlets. If you lock yourself out and can't connect from an IP address within a range you specified, you will need to contact Support for help.
    If you save overlapping IP addresses, your users will see a generic error message with a correlation ID that points to "The input IP allow list has overlaps."

Note

To set a location-based policy by using PowerShell, run Set-SPOTenant with the -IPAddressAllowList parameter. For more info, see Set-SPOTenant.
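As an added example (not Microsoft's own script), the following PowerShell checks the two pitfalls called out above, an allow list that omits your own address and overlapping entries, before applying the policy with Set-SPOTenant. It assumes the SharePoint Online Management Shell module is installed; the admin URL, admin IP address and the ranges are placeholder values to replace with your own.

```powershell
# Added example, not Microsoft's script. Assumes the SharePoint Online Management
# Shell is installed; $adminUrl, $adminPublicIp and $allowList are placeholders.
$adminUrl      = "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
$adminPublicIp = "203.0.113.25"                            # the address you administer from
$allowList     = @("203.0.113.0/24", "198.51.100.10/32")   # constructed sample ranges (RFC 5737)

# Convert an IPv4 address or CIDR block into its numeric [Start, End] range.
function ConvertTo-IPv4Range {
    param([string]$Cidr)
    $ip, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = '32' }                   # a bare address is a /32
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                               # network order -> host order
    $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][math]::Pow(2, 32 - [int]$prefix)
    $start = [uint64][math]::Floor($addr / $size) * $size  # align to the block boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - [uint64]1 }
}

# The service rejects overlapping entries ("The input IP allow list has overlaps"),
# so report any overlapping pair locally before saving.
function Find-AllowListOverlap {
    param([string[]]$Entries)
    $ranges = @($Entries | ForEach-Object { ConvertTo-IPv4Range $_ })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            if ($ranges[$i].Start -le $ranges[$j].End -and $ranges[$j].Start -le $ranges[$i].End) {
                "$($ranges[$i].Cidr) overlaps $($ranges[$j].Cidr)"
            }
        }
    }
}

# Lock-out guard: the admin's own address must fall inside one of the ranges.
function Test-IPv4InAllowList {
    param([string]$Ip, [string[]]$Entries)
    $n = (ConvertTo-IPv4Range $Ip).Start
    foreach ($r in @($Entries | ForEach-Object { ConvertTo-IPv4Range $_ })) {
        if ($n -ge $r.Start -and $n -le $r.End) { return $true }
    }
    return $false
}

$overlaps = @(Find-AllowListOverlap $allowList)
if ($overlaps) { throw "Fix overlapping entries first:`n$($overlaps -join "`n")" }
if (-not (Test-IPv4InAllowList $adminPublicIp $allowList)) {
    throw "$adminPublicIp is not in the allow list; saving it would lock you out."
}

Connect-SPOService -Url $adminUrl
Set-SPOTenant -IPAddressAllowList ($allowList -join ',') -IPAddressEnforcement $true
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList   # confirm what was saved
```

The checks are IPv4-only; run the script from the address you expect to keep administering from, and remember the setting can take up to 15 minutes to take effect.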