I've recently changed jobs and I'm revising my company's approach to conditional access (CA). Currently, the setup allows users to access company resources from their home countries, but it restricts access from other locations. We do have a list of acceptable countries for working abroad, and users can be added to a group that grants access from these locations when needed. However, tracking whether someone is actually working in an approved country is really difficult.
I'm considering creating multiple groups for each home country, like CA_Belgium for Belgium and CA_Mexico for Mexico, to limit access based on user location more effectively. My higher-ups aren't too keen on this idea, arguing it may create too much complexity with so many CA policies, as employees could travel to virtually any country.
The management suggested using Power Automate, which could automatically add users to the appropriate group when they request permission to work abroad. If a user's sign-in is detected from a different location than they initially reported, it would flag the account and drop their access outside their home country.
What do you think is the best approach? Has anyone else implemented a similar system?
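The mismatch check the question describes (compare where a user said they would be against where their sign-ins actually come from) can be done against the Entra sign-in logs before any Power Automate plumbing is built. The script below is an added example, not code from the original post; the `$reportedCountry` table, the user names and the seven-day window are assumptions, and the caller needs the `AuditLog.Read.All` permission and the Microsoft.Graph.Reports module.

```powershell
# Added example (not from the original post): flag users whose recent successful
# sign-ins come from a country other than their home country or the country they
# reported on their travel request. Sample data below is constructed.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Constructed sample: UPN -> countries (ISO 3166-1 alpha-2) this user is expected to sign in from:
# their home country plus whatever they reported for the trip.
$expectedCountries = @{
    "alice@contoso.example" = @("BE", "MX")   # home BE, approved trip to MX
    "bob@contoso.example"   = @("BE")         # home BE, no travel reported
}

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($upn in $expectedCountries.Keys) {
    # Only successful interactive sign-ins; failed attempts from abroad are noise here.
    $signIns = Get-MgAuditLogSignIn -All `
        -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since and status/errorCode eq 0"

    # Location.CountryOrRegion is the two-letter code Entra derives from the source IP.
    $seen = $signIns |
        ForEach-Object { $_.Location.CountryOrRegion } |
        Where-Object { $_ } |
        Sort-Object -Unique

    $unexpected = $seen | Where-Object { $expectedCountries[$upn] -notcontains $_ }
    if ($unexpected) {
        Write-Warning ("{0} expected in {1} but signed in from: {2}" -f `
            $upn, ($expectedCountries[$upn] -join ', '), ($unexpected -join ', '))
        # This is where the flow would remove the user from the out-of-country
        # group (Remove-MgGroupMemberByRef) and open a ticket; left out here.
    }
}
```

Two caveats a practitioner should keep in mind: the country in the sign-in log is IP geolocation, so corporate VPN egress points, roaming mobile carriers and cloud-hosted VDI all produce "wrong" countries, and the check above only covers sign-ins Entra actually sees, not sessions that were already established before the user left. Treat a hit as a prompt to ask, not as proof.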
1 Answer
It sounds like a solid idea to set up Conditional Access (CA) using Privileged Identity Management (PIM). We use this for vacation tracking by blocking access to countries except for Canada and the US, then excluding the out-of-country group. Basically, users get added to the out-of-country group temporarily based on their request forms, and they are automatically removed after a set time.
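The pattern in this answer (one country named location, one block policy that excludes a group, and time-bound membership of that group) built with the Microsoft Graph PowerShell SDK, as an added example that is not the answerer's own code. The group and account IDs, the country list, the policy names and the 14-day window are assumptions for illustration; the cmdlets are the real ones from the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.Governance modules, and the group must already be enabled for PIM for groups.

```powershell
# Added example (not the answerer's code): block sign-in from outside an allowed
# country list, exempt a PIM-managed "out of country" group, and grant membership
# of that group as an active assignment that expires on its own.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "PrivilegedAccess.ReadWrite.AzureADGroup" -NoWelcome

$outOfCountryGroupId = "00000000-0000-0000-0000-000000000001"  # assumed: PIM-enabled group
$breakGlassAccountId = "00000000-0000-0000-0000-000000000002"  # assumed: emergency-access account

# 1. Named location covering the countries where sign-in is normally allowed.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries (CA, US)"
    countriesAndRegions               = @("CA", "US")
    includeUnknownCountriesAndRegions = $false   # sign-ins with no resolvable country are blocked too
}

# 2. Block everything that is not from that location. Members of the out-of-country
#    group are excluded; so is the break-glass account, which a block policy should never touch.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from outside allowed countries"
    state         = "enabledForReportingButNotEnforced"  # review report-only results, then set "enabled"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($outOfCountryGroupId)
            excludeUsers  = @($breakGlassAccountId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($allowed.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
Write-Output "Created policy $($policy.Id) in report-only mode"

# 3. Time-bound membership via PIM for groups: an active assignment with an
#    afterDuration expiry, so the traveller drops out of the group automatically.
function Grant-TemporaryOutOfCountryAccess {
    param(
        [Parameter(Mandatory)] [string]   $UserId,
        [Parameter(Mandatory)] [datetime] $TripStart,
        [int] $Days = 14
    )
    New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter @{
        accessId      = "member"
        principalId   = $UserId
        groupId       = $outOfCountryGroupId
        action        = "adminAssign"
        justification = "Approved travel request"
        scheduleInfo  = @{
            startDateTime = $TripStart.ToUniversalTime().ToString("o")
            expiration    = @{
                type     = "afterDuration"
                duration = "P${Days}D"   # ISO 8601 duration, e.g. P14D
            }
        }
    }
}

# Example: two weeks of access for one user, starting now (user ID is assumed).
Grant-TemporaryOutOfCountryAccess -UserId "00000000-0000-0000-0000-000000000003" -TripStart (Get-Date) -Days 14
```

Creating the policy in report-only mode first matters: a country block applied to "All users" and "All apps" locks out anyone whose egress IP geolocates wrongly, and the report-only sign-in log entries show exactly who that would have been. If the organisation wants the user to activate the membership themselves when the trip starts rather than have an admin pre-assign it, the same request with `action = "selfActivate"` against an eligible assignment is the PIM equivalent, and the activation then also lands in the audit log for the tracking the question asked about.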

Could you explain a bit more about how that works? So, you have a rule for Canada/US that includes all members while excluding the out-of-country group? And when someone plans a trip to Mexico, you just activate a PIM that allows them access for those two weeks?