I'm looking to set up a system that alerts or reports when a user logs into Entra from a location that's different from their usual spot—like their home or our office. Ideally, I'd like to specify a home city, state, or country for each user. When exceptions occur, I want to be able to review them and classify them as either accepted or not accepted. My understanding of Entra and M365 makes me think this might not be feasible with the built-in tools. We also use CrowdStrike and are considering their Identity Protection solution, but some of the aspects seem complicated to implement and maintain, especially given that we're a small organization with a limited IT team. Any suggestions would be appreciated!
3 Answers
You could use a feature called improbable travel, but it requires Azure Active Directory Premium P2. A more practical approach is to restrict users to logging in from their primary country unless they notify you of travel plans. Trying to limit logins by state or city is tricky due to how ISPs operate, leading to many false alerts from situations like users using mobile data. We manage it by allowing logins from our primary countries, with special groups for those traveling internationally. Once set up, maintaining it is pretty straightforward.
But isn't the request more detailed? They seem to want specific geo-location alerts for each user, not just broad permissions.
Before diving deep, ask yourself what issue you're trying to address. This could turn into monitoring users constantly, which sounds exhausting. If the requirement isn't clearly defined, it might lead to endless complications.
Exactly! Sometimes it feels like justifying over-monitoring can create its own set of problems.
You might want to consider using trusted locations, log analytics, and alerts from Azure Monitor. If you're also using Azure Sentinel, that could provide similar functionalities.

This makes sense! Implementing geo-blocks and using conditional access security groups for travel could really simplify the process.
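As an added illustration of the Log Analytics / Sentinel approach suggested in the thread (this is not code from any poster), the query below flags successful Entra sign-ins whose country differs from a per-user home country and suppresses exceptions that have already been reviewed and accepted. The `HomeCountry` and `AcceptedTravel` tables are constructed inline as assumptions; in practice they would be Sentinel watchlists, and the result would be wired to an Azure Monitor scheduled alert or a Sentinel analytics rule. Country rather than city or state is used deliberately, for the ISP/mobile-data false-positive reason given above.

```kusto
// Assumed per-user home countries (constructed sample; use a watchlist in production)
let HomeCountry = datatable(UserPrincipalName:string, HomeCountryCode:string)
[
    "alice@contoso.com", "US",
    "bob@contoso.com",   "GB"
];
// Assumed list of reviewed-and-accepted exceptions, e.g. approved travel, with an expiry
let AcceptedTravel = datatable(UserPrincipalName:string, CountryCode:string, ValidUntil:datetime)
[
    "bob@contoso.com", "DE", datetime(2025-12-31)
];
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                      // successful sign-ins only
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| where isnotempty(CountryCode)
// Keep only users we have a home country for, then keep sign-ins away from it
| join kind=inner HomeCountry on UserPrincipalName
| where CountryCode != HomeCountryCode
// Drop anything covered by a still-valid accepted exception
| join kind=leftouter AcceptedTravel on UserPrincipalName, CountryCode
| where isnull(ValidUntil) or TimeGenerated > ValidUntil
// One row per user/country pair for the reviewer to accept or reject
| summarize SignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            IPs  = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
    by UserPrincipalName, HomeCountryCode, CountryCode
| order by LastSeen desc
```

Rows the reviewer accepts can be appended to the exceptions watchlist with an expiry so the same trip does not keep alerting; anything not accepted is the candidate for a Conditional Access block or a password reset.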