The following PowerShell script lets you add multiple IP address ranges to an Azure AD named location using the Microsoft Graph PowerShell module.

You need to download the Microsoft Graph PowerShell SDK.

You can read more about the Microsoft Graph SDK and how to use it in a previous post: Understanding Microsoft Graph SDK PowerShell.

The script connects to Microsoft Graph using the Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes.

You can find the required scope by running

C:\> (Find-MgGraphCommand -Command New-MgIdentityConditionalAccessNamedLocation)[0].Permissions.name

Policy.Read.All
Policy.ReadWrite.ConditionalAccess

The script creates a hashtable that contains the following parameters:

  • @odata.type: The type of the JSON object or name/value pair
  • DisplayName: The name of the Azure AD named location
  • IsTrusted: Sets this location as trusted or not
  • IpRanges: A PowerShell array of hashtables, each holding “CidrAddress” as the key and the IP address range as the value

Add a Single Location with Multiple IP addresses.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes ('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess')

# CIDR ranges to include in the named location
$Location = @('1.1.1.1/24', '2.2.2.2/24', '3.3.3.3/24')

# Request body for an IP-based named location
$params = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    DisplayName   = "New Test Location"
    IsTrusted     = $false
    IpRanges      = @()
}

# Add one iPv4CidrRange entry per address
foreach ($S in $Location) {
    $IpRanges = @{}
    $IpRanges.Add("@odata.type", "#microsoft.graph.iPv4CidrRange")
    $IpRanges.Add("CidrAddress", $S)
    $params.IpRanges += $IpRanges
}

New-MgIdentityConditionalAccessNamedLocation -BodyParameter $params

You can replace the $Location with your CSV content by using Import-CSV

Add Multiple Azure AD named locations with Multiple IP Addresses from CSV

You can use the following script to import DisplayName, IPRange, and set if the IPRange is Trusted or not from a CSV file.

The CSV file format should be as the following.

DisplayName,IPRange,MarkAsTrusted
Location2,4.4.4.4/24,1
Location1,1.1.1.1/24-2.2.2.2/24-3.3.3.3/24,0

DisplayName: A string holding the name of the location

IPRange: A single IP range or multiple IP ranges separated by a dash (-), for example 1.1.1.1/24-2.2.2.2/24-3.3.3.3/24

MarkAsTrusted: Holds 0 or 1; 0 = not trusted, 1 = trusted location

Feel free to download the script and the CSV from my GitHub.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes ('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess') -ForceRefresh
$CSV = Import-Csv D:\TrustedLocation.csv

# Create one named location per CSV row
foreach ($singleLocation in $CSV) {
    $params = @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        DisplayName   = $singleLocation.DisplayName
    }

    # Map the 0/1 flag from the CSV to the IsTrusted boolean
    switch ($singleLocation.MarkAsTrusted) {
        0 { $params.Add("IsTrusted", $false) }
        1 { $params.Add("IsTrusted", $true) }
    }
    $params.Add("IpRanges", @())

    # The IPRange column holds one or more CIDR ranges separated by "-"
    foreach ($S in ($singleLocation.IPRange).Split("-")) {
        $IpRanges = @{}
        $IpRanges.Add("@odata.type", "#microsoft.graph.iPv4CidrRange")
        $IpRanges.Add("CidrAddress", $S)
        $params.IpRanges += $IpRanges
    }

    New-MgIdentityConditionalAccessNamedLocation -BodyParameter $params
}
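
Because a location marked as trusted is meant to be relied on by Conditional Access policies, it is worth validating the CSV before the loop creates anything. The following is an added example, not part of the original script: it checks each row's MarkAsTrusted value and IPv4 CIDR syntax, and flags trusted ranges broader than an assumed /16 limit. Test-NamedLocationRow, its MinTrustedPrefix parameter and the sample rows are constructed for illustration.

```powershell
# Added example: Test-NamedLocationRow and MinTrustedPrefix are hypothetical
# names for illustration, not part of the Microsoft Graph PowerShell SDK.
function Test-NamedLocationRow {
    param(
        [Parameter(Mandatory)] $Row,
        [int] $MinTrustedPrefix = 16   # assumed policy: trusted ranges no broader than /16
    )
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($Row.DisplayName)) {
        $problems += 'DisplayName is empty'
    }
    if ($Row.MarkAsTrusted -notin '0', '1') {
        $problems += "MarkAsTrusted must be 0 or 1, got '$($Row.MarkAsTrusted)'"
    }
    foreach ($cidr in ($Row.IPRange -split '-')) {
        $cidr = $cidr.Trim()
        $addr, $prefix = $cidr -split '/', 2
        $ip = $null
        $validAddr = $addr -match '^\d{1,3}(\.\d{1,3}){3}$' -and
                     [System.Net.IPAddress]::TryParse($addr, [ref]$ip)
        if (-not $validAddr -or $prefix -notmatch '^\d{1,2}$' -or [int]$prefix -gt 32) {
            $problems += "'$cidr' is not a valid IPv4 CIDR range"
            continue
        }
        # A broad range marked as trusted widens every policy that relies on it.
        if ($Row.MarkAsTrusted -eq '1' -and [int]$prefix -lt $MinTrustedPrefix) {
            $problems += "trusted range '$cidr' is broader than /$MinTrustedPrefix"
        }
    }
    [pscustomobject]@{
        DisplayName = $Row.DisplayName
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems -join '; '
    }
}

# Constructed sample rows in the CSV format shown above (not real data).
$rows = @'
DisplayName,IPRange,MarkAsTrusted
Location1,1.1.1.1/24-2.2.2.2/24-3.3.3.3/24,0
Location2,4.4.4.4/24,1
BadMask,10.0.0.0/33,0
TooBroad,0.0.0.0/0,1
BadFlag,192.0.2.0/24,yes
'@ | ConvertFrom-Csv

$rows | ForEach-Object { Test-NamedLocationRow -Row $_ } | Format-Table -AutoSize -Wrap
```

To use it with the real file, replace the sample rows with the output of Import-Csv and only pass rows where Valid is true to the creation loop.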

Let me know if you have a question.

To verify and get a list of all named locations, use the following cmdlet.

Get-MgIdentityConditionalAccessNamedLocation
