Just built a quick little script that creates named locations for conditional access based on the IP addresses provided and updated by Microsoft, through a JSON file.
By using this script to manage named locations, you can, through the workload identities conditional access policies currently in preview, limit where your service principals can be used from. You can say things like “These service principals can only be used from Azure region West Europe”.
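The core transformation such a script performs, as an added example (not the script described in this post): it takes one service tag from a file shaped like Microsoft's "Azure IP Ranges and Service Tags" download and builds the request bodies for Microsoft Graph `ipNamedLocation` objects. The sample JSON is constructed, the function names are hypothetical, and the chunk size of 2000 ranges per named location is an assumption to check against the current service limits.

```python
import ipaddress
import json

# Constructed sample in the shape of the service tags file (documentation-only prefixes).
SAMPLE_SERVICE_TAGS = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
   "properties": {"region": "westeurope", "systemService": "",
     "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]}},
  {"name": "AzureCloud.northeurope", "id": "AzureCloud.northeurope",
   "properties": {"region": "northeurope", "systemService": "",
     "addressPrefixes": ["203.0.113.0/24"]}}
]}
""")


def cidr_range(prefix):
    """Validate one prefix and wrap it in the Graph CIDR range type for its IP version."""
    # strict=True rejects prefixes with host bits set instead of silently widening them.
    net = ipaddress.ip_network(prefix, strict=True)
    kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
    return {"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)}


def named_location_bodies(service_tags, tag_name, max_ranges=2000):
    """Return one ipNamedLocation body per chunk of at most max_ranges prefixes."""
    tag = next((v for v in service_tags["values"] if v["name"] == tag_name), None)
    if tag is None:
        # Fail closed: a missing tag must not turn into an empty location.
        raise KeyError(f"service tag not found: {tag_name}")
    prefixes = sorted(set(tag["properties"]["addressPrefixes"]))
    ranges = [cidr_range(p) for p in prefixes]
    chunks = [ranges[i:i + max_ranges] for i in range(0, len(ranges), max_ranges)]
    return [{
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": f"{tag_name} ({n}/{len(chunks)})",
        # Shared cloud address space is not a trusted network; keep this False.
        "isTrusted": False,
        "ipRanges": chunk,
    } for n, chunk in enumerate(chunks, 1)]


if __name__ == "__main__":
    # Each body would be sent to POST /identity/conditionalAccess/namedLocations.
    for body in named_location_bodies(SAMPLE_SERVICE_TAGS, "AzureCloud.westeurope", 2):
        print(json.dumps(body, indent=2))
```

Because Microsoft updates the published ranges, the same function can be rerun on each new file and its output compared with the existing named locations before any policy that references them is relied on.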