I'm working on some conditional access policies that usually block all access from outside the US. When someone goes on vacation, we temporarily lift this block for the country they're visiting. While this has worked fine, I have a couple of concerns:
1. When we allow access for a specific country, it opens it up to the entire organization rather than just the vacationing employee. Alternatively, creating a special vacation group that bypasses the policy also poses the risk of allowing access from anywhere, which is not ideal.
2. Handling exceptions for multinational trips or off-grid connections, like using Starlink, adds complexity to our workflow for these policies.
I'm curious how others are managing these situations. Is there a better way to handle this than what we're currently doing?
1 Answer
One way to manage this is by creating two separate conditional access policies—one for regular users and another for travel. You can move the user from the regular policy to the travel one during their vacation, where they can still be restricted but have access to the allowed countries. Once they're back, you just switch them back. This way, you maintain control while accommodating travel needs.
I came here to say this. This is how I handled it too!
How do you know when they're traveling? I always get the "I'm in Turkmenistan and I can't connect to the VPN!" worries.