I'm diving into setting up some Conditional Access (CA) policies and have started with the basics by blocking legacy authentication and enforcing phishing-resistant measures for admin accounts. Currently, I'm exploring a policy to restrict logins to my home country. I've set the home country as a named location and created a policy that includes all locations, excludes the named location, and blocks access. However, I'm hitting a snag where users can't log in. The sign-in logs show that the CA policy matches their location even though Entra recognizes it as being within the home country. It seems like the policy isn't respecting the exclusion I set up. Is there something obvious that I might be overlooking?
I know this setup carries a risk of generating login failures, so I was also thinking about blocking the top 10 or 20 high-risk locations worldwide as a fallback. Does anyone else implement something like this? What lists do you use for this purpose? I'd really appreciate any insights or advice!
4 Answers
Honestly, geo-blocking is almost pointless these days. Attackers often come from data centers, VPNs, or proxies, so it can easily be bypassed. If you want a more effective strategy, consider blocking logins that come from outside your company's IP ranges instead. If that's too complex, you should focus on hardening your logins with risk policies, especially if compliance is the goal.
It's pretty common to see issues with location matching in Conditional Access, especially with exclusions. Microsoft has acknowledged this as a long-standing problem without a solid fix. A workaround could be to change your approach: create a policy that specifically includes only your home country and applies the allow conditions there.
As for blocking high-risk countries, a lot of companies do this too, but honestly, it’s more for show unless you're actively seeing threats from those areas. You might find you spend more time dealing with false positives than actual security breaches.
There are indeed some resources that might help you get a better grip on CA policy setup. Check out these guides on Conditional Access policies: [Conditional Access Policy Basics](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation) and [Emergency Access for Security](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access). They explain common issues and best practices.
Before you jump into those Conditional Access policies, make sure you have a 'Break-Glass' admin account created and excluded from all your CA policies. It's super important to have a backup just in case things go sideways!
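Putting the question's policy and the break-glass advice into one script, as an added example with Microsoft Graph PowerShell (this is not code from any poster in the thread): it creates the home-country named location, builds the block policy with all locations included and the named location excluded, excludes the break-glass account, and stores the policy in report-only mode so sign-in logs can be checked before anything is enforced. The country code "US" and the break-glass object id are assumed placeholders.

```powershell
# Added example, not from any poster: geo-block policy in report-only mode.
# Assumptions (placeholders): home country "US"; break-glass account object id.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$HomeCountry    = "US"                                    # assumed placeholder
$BreakGlassUser = "00000000-0000-0000-0000-000000000000"  # assumed placeholder object id

# 1. Country-based named location. includeUnknownCountriesAndRegions decides
#    whether sign-ins whose IP maps to no country count as inside the location.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Home country"
    countriesAndRegions               = @($HomeCountry)
    includeUnknownCountriesAndRegions = $false
}
$homeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Block policy: every location included, the home country excluded by id,
#    the break-glass account excluded from the user scope.
$policyBody = @{
    displayName = "Block sign-in from outside home country (report-only)"
    state       = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassUser)
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($homeLocation.Id)   # the location's id, not its name
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 3. Read the policy back so the stored exclusions can be compared with what
#    the sign-in log reports for a user who is inside the home country.
$stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$stored.Conditions.Locations.ExcludeLocations   # stored as the named location's id
$stored.Conditions.Users.ExcludeUsers           # the break-glass object id
```

While the policy is in report-only mode, the sign-in logs show which locations each sign-in matched without blocking anyone; once the matches look right, `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"` turns enforcement on, with the break-glass exclusion still in place.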

Thanks for sharing! I'm going through those guides now. I'm just curious if there’s a known reason or some bug why my exclusion isn’t working as intended?