# 14 Basic Context-Aware Access (IP/geo)

> v0.0.3 · role: Prevent · edition: Ent/Edu/Frontline Std+, EE Plus / CI Premium · [policy: #4 · #14](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Context-Aware Access evaluates an access level — a set of attribute conditions — when a user signs in or authorises an app, and continuously thereafter for Google apps (third-party SAML apps are checked at sign-in only). The basic editor gates on IP range and geographic region, so Workspace apps, and if you choose the Admin Console itself, are reachable only from your office, your VPN egress or the countries you operate from. A tighter level for the admin cohort is what makes the privileged access workstation ([№51](privileged-access-workstation.md)) and deny-by-default gating ([№47](deny-by-default-geo.md)) enforceable rather than conventional.

Documentation: [Protect your business with Context-Aware Access](https://knowledge.workspace.google.com/admin/security/protect-your-business-with-context-aware-access)

## Caveats

- Enforcing an access level on the Admin console can lock every admin out — exclude the break-glass OU (№20) and keep a second session open while you flip enforcement.
- CAA evaluates Google apps continuously after access is granted, but third-party SAML apps are checked only at sign-in, and it does not revoke an issued OAuth token — so pair it with session length (№12) and OAuth sweeps (№37).
- IP and geo are attributes, not identity — a VPN endpoint in the permitted region satisfies them. This is just a friction control.
- Requires Enterprise Standard+, Education Standard+, Frontline Standard+, Enterprise Essentials Plus or Cloud Identity Premium — on lower editions the screen is absent.

## Setup steps

1. Create a basic access level using the Basic (not Advanced/CEL) editor, gating on IP range and/or geographic region. — `Security › Access and data control › Context-Aware Access › Access levels`

   - **Access level 'corp-ip-geo'** = IP subnet in <office/VPN egress CIDRs> OR Region in <permitted countries>
   - **condition** = Meets attributes

   docs: [Create Context-Aware access levels](https://knowledge.workspace.google.com/admin/security/create-context-aware-access-levels)

2. Create a second, tighter access level for the admin cohort (used later by the privileged access workstation, [№51](privileged-access-workstation.md), and deny-by-default gating, [№47](deny-by-default-geo.md)). — `Security › Access and data control › Context-Aware Access › Access levels`

   - **Access level 'admin-only'** = IP subnet in <PAW egress> only

   docs: [Create Context-Aware access levels](https://knowledge.workspace.google.com/admin/security/create-context-aware-access-levels)

3. Assign the access level to the target apps and OU (organizational unit) in Monitor mode first, then read Reporting > Audit and investigation > Context Aware Access log events for would-be-blocked events before enforcing. — `Security › Access and data control › Context-Aware Access › Assign access levels`

   - **App** = Gmail/Drive/Admin console
   - **OU** = <target>
   - **Access level** = corp-ip-geo
   - **Mode** = Monitor, then Active

   docs: [Assign Context-Aware Access levels to apps](https://knowledge.workspace.google.com/admin/security/assign-context-aware-access-levels-to-apps)

4. Flip to enforcement only after the monitor pass is clean, and keep the break-glass account ([№20](breakglass-admin.md)) out of the enforced OU. — `Security › Access and data control › Context-Aware Access`

   Mode = Active (enforce); break-glass OU excluded

   docs: [Assign Context-Aware access levels to the Admin console](https://knowledge.workspace.google.com/admin/security/assign-context-aware-access-levels-to-the-admin-console)

## Ongoing maintenance

- **[requires a human]** On office/VPN changes: update the CIDR list before the move.

## How to verify

1. Sign in as a test user through a VPN egress outside the allowed set — the sign-in should be blocked (or logged as would-block while still in Monitor).

2. Read the CAA audit log for Access Denied events to confirm the level evaluates at all.

## Settings screens

- Security > Access and data control > Context-Aware Access > Access levels
  - console: https://admin.google.com/ac/security/context-aware/access-levels
  - screenshot: ../screenshots/admin.google.com/ac/security/context-aware/access-levels.png
- Security > Access and data control > Context-Aware Access > Assign access levels to apps
  - console: https://admin.google.com/ac/security/context-aware
  - screenshot: ../screenshots/admin.google.com/ac/security/context-aware.png
