Acquire a token with the Policy.ReadWrite.ConditionalAccess and Policy.Read.All application permissions (or the equivalent delegated permissions with a Conditional Access Administrator role).
Create or retrieve named locations: POST to /v1.0/identity/conditionalAccess/namedLocations with a body specifying @odata.type as either #microsoft.graph.ipNamedLocation (for IP ranges) or #microsoft.graph.countryNamedLocation, along with the displayName and the IP ranges or countries array.
Create a Conditional Access policy by POSTing to /v1.0/identity/conditionalAccess/policies with a ConditionalAccessPolicy body specifying displayName, state (enabled, disabled, or enabledForReportingButNotEnforced), conditions (users, applications, locations, platforms), and grantControls or sessionControls.
Reference named locations in the policy's conditions.locations.includeLocations or excludeLocations arrays using the named location object ID returned in the creation response.
Update an existing policy by PATCHing /v1.0/identity/conditionalAccess/policies/{policyId} with only the fields you want to change; set state to enabledForReportingButNotEnforced to test a policy in report-only mode before enforcement.
Audit policy changes by querying the Entra ID audit log via /v1.0/auditLogs/directoryAudits filtered by loggedByService eq 'Conditional Access' to track all modifications.
Known gotchas
Setting a policy to enabled without first testing in report-only mode can immediately lock out users including admins; always have a break-glass account excluded from Conditional Access policies before enforcement.
Named location IDs are UUIDs assigned at creation time; if you manage infrastructure as code, store IDs after creation and reference them by ID rather than display name, as display names are not unique.
The Graph API enforces that at least one user or group is included in conditions.users.includeUsers or includeGroups; a policy with no user targeting will return a 400 error on creation.
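The six steps and the three gotchas above, as one added example that is not part of the original page: Python helpers that build the Graph v1.0 request bodies for an IP or country named location and a Conditional Access policy, run a client-side preflight that catches the "no users targeted", "break-glass not excluded" and "created directly as enabled" mistakes before anything is sent, and then POST/PATCH/GET through an injectable transport so the whole flow can be exercised offline. The endpoint paths and the `@odata.type`, `ipRanges`, `countriesAndRegions`, `isTrusted`, `clientAppTypes` and `grantControls` field names are the documented Graph ones; the `fake_send` transport, the display names, CIDR, GUIDs and the `mfa` grant control are constructed sample values chosen for illustration.

```python
"""Added example (not the page's code): build, preflight and send Conditional Access
objects through Microsoft Graph v1.0 with an injectable transport for offline runs."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
CA = "/identity/conditionalAccess"


def ip_named_location(name: str, cidrs: List[str], trusted: bool = False) -> Dict:
    """Body for POST .../namedLocations, IP-range variant."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": trusted,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                          "cidrAddress": c} for c in cidrs]}


def country_named_location(name: str, countries: List[str], unknown: bool = False) -> Dict:
    """Body for POST .../namedLocations, country variant (ISO 3166-1 alpha-2 codes)."""
    return {"@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": name,
            "countriesAndRegions": countries, "includeUnknownCountriesAndRegions": unknown}


def ca_policy(name: str, include_users: List[str], exclude_users: List[str],
              include_locations: List[str], exclude_locations: List[str],
              state: str = "enabledForReportingButNotEnforced") -> Dict:
    """Policy body; defaults to report-only so creation never enforces anything."""
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": ["all"],
                           "applications": {"includeApplications": ["All"]},
                           "users": {"includeUsers": include_users,
                                     "excludeUsers": exclude_users},
                           "locations": {"includeLocations": include_locations,
                                         "excludeLocations": exclude_locations}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}


def preflight(policy: Dict, break_glass_ids: List[str]) -> List[str]:
    """Checks a policy about to be created against the gotchas; empty list means OK."""
    problems = []
    users = policy.get("conditions", {}).get("users", {})
    if not (users.get("includeUsers") or users.get("includeGroups")):
        problems.append("no users or groups targeted (Graph returns 400)")
    missing = [b for b in break_glass_ids if b not in users.get("excludeUsers", [])]
    if missing:
        problems.append("break-glass account(s) not excluded: " + ", ".join(missing))
    if policy.get("state") == "enabled":
        problems.append("new policy is 'enabled'; create it report-only first")
    return problems


class GraphClient:
    """`send(method, url, body) -> dict` is injectable; default is a real HTTPS call."""

    def __init__(self, token: str, send: Optional[Callable] = None):
        self.token = token
        self.send = send or self._http

    def _http(self, method: str, url: str, body: Optional[Dict]) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def create_named_location(self, body: Dict) -> Dict:
        return self.send("POST", f"{GRAPH}{CA}/namedLocations", body)

    def create_policy(self, body: Dict, break_glass_ids: List[str]) -> Dict:
        problems = preflight(body, break_glass_ids)
        if problems:  # refuse to send a policy that would 400 or lock admins out
            raise ValueError("; ".join(problems))
        return self.send("POST", f"{GRAPH}{CA}/policies", body)

    def patch_policy(self, policy_id: str, changes: Dict) -> Dict:
        return self.send("PATCH", f"{GRAPH}{CA}/policies/{policy_id}", changes)

    def ca_audit_events(self) -> Dict:
        # Spaces and quotes must be percent-encoded or urllib rejects the URL.
        q = urllib.parse.urlencode({"$filter": "loggedByService eq 'Conditional Access'"},
                                   quote_via=urllib.parse.quote)
        return self.send("GET", f"{GRAPH}/auditLogs/directoryAudits?{q}", None)


def demo() -> Dict:
    """Runs the flow against a constructed in-memory transport; returns what was sent."""
    calls = []

    def fake_send(method: str, url: str, body: Optional[Dict]) -> Dict:
        calls.append((method, url.split("/v1.0", 1)[1], body))
        # Constructed response: POSTs return a sequential fake object id.
        if method == "POST":
            return {"id": f"00000000-0000-0000-0000-{len(calls):012d}"}
        return {"value": []}

    client = GraphClient("<token>", send=fake_send)
    break_glass = ["11111111-2222-3333-4444-555555555555"]  # constructed GUID
    hq = client.create_named_location(ip_named_location("HQ egress", ["203.0.113.0/24"], True))
    policy = ca_policy("Require MFA outside HQ", ["All"], break_glass, ["All"], [hq["id"]])
    created = client.create_policy(policy, break_glass)          # report-only
    client.patch_policy(created["id"], {"state": "enabled"})     # enforce after review
    client.ca_audit_events()
    return {"location_id": hq["id"], "policy_id": created["id"], "calls": calls}
```

Run `demo()` to see the four requests in order; to talk to a real tenant, construct `GraphClient(token)` without a `send` argument and keep the returned named-location and policy IDs, since the gotchas note that display names are not unique.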
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp