I'm in the early stages of setting up my Conditional Access (CA) policies. So far, I've enabled the basic policies to block legacy authentication and enforce phishing-resistant sign-ins for administrators. I'm also experimenting with restricting logins to only my home country, but I'm aware there are limitations to this approach.
I've designated my home country as a named location and created a policy that includes all locations while specifically excluding the named location. However, users are being blocked from logging in, as the sign-in logs indicate that the CA policy is still detecting the login location incorrectly. It seems that the exclusion I set isn't being recognized.
Am I overlooking something? I know this setup carries a risk of generating a lot of login failures and user support requests. As a potential alternative, I'm considering implementing a rule to block logins from the top 10 or 20 highest risk locations globally. Does anyone else use this strategy, and what criteria or lists do you follow? I recognize that there are loopholes, but I feel having some sort of location-based policy is essential going forward. Any insights would be greatly appreciated!
4 Answers
Conditional Access location matching has had known issues, especially with the exclusion logic. A workaround is to invert your approach: create a policy that only includes your home country and apply your allow conditions there instead of excluding all others.
As for blocking high-risk countries, many people do this, but it often leads to more hassle from false positives than actual security benefits. Just something to consider!
Before diving deeper into those CA policies, make sure you've created a Break-Glass admin account that’s excluded from all your CA policies. It's a lifesaver for accessing your system when things go wrong!
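As an added example (not code from any poster in this thread), here is the question's configuration built with the Microsoft Graph PowerShell SDK: a country named location, a block policy that includes all locations and excludes that one, the break-glass account excluded as the answer above recommends, and the policy created in report-only state so the sign-in log shows what would be blocked before anything is enforced. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed; the country code and the break-glass object ID are placeholders.

```powershell
# Added example: Graph PowerShell equivalent of the policy described in the question.
# Placeholders below (country code, break-glass object ID) must be replaced before use.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$breakGlassUserId = "<object-id-of-break-glass-account>"   # placeholder, see answer above

# 1. Named location for the home country (ISO 3166-1 alpha-2 code; "GB" is a placeholder).
#    includeUnknownCountriesAndRegions decides whether sign-ins from IPs that cannot be
#    mapped to any country count as this location; check that choice against your sign-in logs.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Home country"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false
}

# 2. Block policy: all users and apps, all locations except the named one,
#    break-glass account excluded, state report-only (enabledForReportingButNotEnforced)
#    rather than enabled, so nobody is locked out while the location matching is verified.
$policy = @{
    displayName   = "Block sign-ins from outside home country (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Review what the report-only policy would have blocked before switching it to "enabled".
#    Each sign-in carries the per-policy result; "reportOnlyFailure" means it would be blocked.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object UserPrincipalName, IPAddress,
        @{ Name = "Country"; Expression = { $_.Location.CountryOrRegion } }
```

The country column in step 3 is where the location mismatch from the question shows up: a home-country user listed there means the IP is being mapped elsewhere (or to no country at all), which is what to resolve before changing the state to enabled.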
You’ve made a good start, but I recommend checking out some official documentation to ensure you're on the right track. Here are a couple of links that might help:
- https://learn.microsoft.com/en-us/encrypt-data/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
- https://learn.microsoft.com/en-us/encrypt-data/role-based-access-control/security-emergency-access
That said, have you considered why your policy is actually being triggered the way it is? There are definitely known limitations regarding how location exclusions work.
Honestly, geoblocking isn’t super effective because it’s so easy for attackers to bypass it, mainly using VPNs or proxies. If you need to restrict logins, focus on blocking access from endpoints outside your company’s networks. If that's not an option, enhancing security with risk policies is another way to go.
