Access policy examples

The following are examples of access policies based on groups or IP addresses.

Simple group policy

This policy approves access to applications if the user is a member of both the managers and hr-managers groups. All other users must perform MFA.

Table 1. Simple group policy example

| Type | Operation | Condition | Action |
|---|---|---|---|
| Group membership | is one of | managers, hr-managers | Allow |
| Default | | | MFA always |

Simple IP policy

This policy approves access to applications if the user’s IP address is within the corporate network. Users who are not coming from a block-listed suspicious IP address range must perform MFA. All other users (that is, those from suspicious IP addresses) are blocked.

Table 2. Simple IP policy example

| Type | Operation | Condition | Action |
|---|---|---|---|
| Network location (IP) | is one of | 1.0.0.0/8 | Allow |
| Network location (IP) | is none of | 1.2.3.4 - 1.2.3.255 | MFA always |
| Default | | | Block |

Advanced geo-location and group policy

This policy prompts all users for MFA on first access or when the user’s location changes.

After the user has verified the location, the second rule approves access to applications if the user is a member of both the managers and hr-managers groups.

Note: If managers change their location, they must perform another MFA.

All other users are denied access to the app.

Table 3. Advanced geo-location and group policy example

| Type | Operation | Condition | Action |
|---|---|---|---|
| Geo location | not verified | | MFA always |
| Group membership | contains each of | managers, hr-managers | Allow |
| Default | | | Block |
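
The following added example (not part of the product or its documentation) models Table 2 and Table 3 as ordered rule lists and evaluates constructed requests against them. It assumes rules are checked top to bottom and the first match decides; the tuple layout and the names `evaluate`, `matches`, `ip_in` and `decisions` are hypothetical. Under that assumption, an address such as 1.2.3.10 falls inside 1.0.0.0/8 and is allowed by the first rule of Table 2 before the block-list rule is consulted, so checking rule order for overlapping ranges is worthwhile.

```python
import ipaddress

# Assumption (not stated on the page): rules run top to bottom, first match wins.
TABLE_2 = [("ip", "is one of", ["1.0.0.0/8"], "Allow"),
           ("ip", "is none of", ["1.2.3.4 - 1.2.3.255"], "MFA always"),
           ("default", None, None, "Block")]
TABLE_3 = [("geo", "not verified", None, "MFA always"),
           ("group", "contains each of", ["managers", "hr-managers"], "Allow"),
           ("default", None, None, "Block")]

def ip_in(ip, spec):
    """True if ip is in spec: a CIDR block or an inclusive 'low - high' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec)

def matches(rule, ctx):
    kind, op, cond, _action = rule
    if kind == "default":
        return True
    if kind == "geo" and op == "not verified":
        return not ctx.get("geo_verified", False)
    if kind == "group" and op == "contains each of":
        return set(cond) <= set(ctx.get("groups", ()))  # every listed group required
    if kind == "ip" and op in ("is one of", "is none of"):
        hit = any(ip_in(ctx["ip"], spec) for spec in cond)
        return hit if op == "is one of" else not hit
    raise ValueError(f"unsupported rule: {rule!r}")

def evaluate(policy, ctx):
    for rule in policy:
        if matches(rule, ctx):
            return rule[3]  # action of the first matching rule
    raise ValueError("policy has no default rule")

def decisions():
    both = ["managers", "hr-managers"]  # constructed requests follow
    return {
        "corporate": evaluate(TABLE_2, {"ip": "1.9.9.9"}),
        "external": evaluate(TABLE_2, {"ip": "203.0.113.7"}),  # documentation address
        # Inside the listed range but also inside 1.0.0.0/8, so rule 1 wins.
        "listed_range": evaluate(TABLE_2, {"ip": "1.2.3.10"}),
        "unverified": evaluate(TABLE_3, {"geo_verified": False, "groups": both}),
        "verified_both": evaluate(TABLE_3, {"geo_verified": True, "groups": both}),
        "verified_one": evaluate(TABLE_3, {"geo_verified": True, "groups": ["managers"]}),
    }

if __name__ == "__main__": print(decisions())
```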