Enhancing Security and Compliance with Microsoft Entra Conditional Access: Block Access by Location
  • Hanna Korotka



In an era that places high importance on data security and user identity protection, Microsoft continues to evolve its suite of tools and features to meet the growing demands of organizations worldwide. One such essential tool in Microsoft's arsenal is Conditional Access (CA) policies within Microsoft Entra, a dynamic solution that helps organizations safeguard their digital assets more effectively. In this blog post, we'll look closely at CA policies that block access from countries/regions where your organization knows traffic shouldn't originate.


Note: Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.


With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. This condition is commonly used to block access from countries or regions where your organization knows traffic shouldn't originate. In other words, it helps ensure that your organization's data is only accessed from trusted locations, significantly improving your security and compliance. Let's delve deeper into why applying this policy is relevant.


The Relevance of Applying Location-Based Access Policies:

  1. Compliance: Many organizations are subject to regulatory requirements that mandate data access from specific geographical regions or prevent access from certain locations. By implementing location-based access policies, you can ensure compliance with these regulations.

  2. Security: In the age of cyber threats and data breaches, it's crucial to adopt a proactive approach to security. Unauthorized access to your organization's data can have severe consequences. By blocking access from regions where threats are more likely to originate, you can significantly reduce the risk of security breaches. This policy acts as an additional layer of security, helping to safeguard your sensitive information.

  3. Protecting Against Identity Theft: In a world where identity theft is becoming increasingly prevalent, restricting access to your cloud apps based on location can help thwart unauthorized users. If a user's account is compromised, it becomes significantly more challenging for a threat actor to access your organization's data from a different location.


Implementing the Conditional Access Policy: Block Access by Location


Now that we've established the importance of this policy, let's take a closer look at how to implement it.


First step: Define locations


1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

2. Browse to Protection > Conditional Access > Named locations.

3. Click + Countries location

4. Give your location a name.

5. Select Determine location by IP address

  • Some IP addresses don't map to a specific country or region. To capture these IP locations, check the box Include unknown countries/regions when defining a geographic location. This option allows you to choose if these IP addresses should be included in the named location. Use this setting when the policy using the named location should apply to unknown locations.

6. Tick all countries except those you want to allow.

7. Select Create


Second step: Create a Conditional Access policy


1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

2. Browse to Protection > Conditional Access.

3. Select Create new policy.

4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

5. Under Assignments, select Users or workload identities.

a. Under Include, select All users.

b. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

6. Under Target resources > Cloud apps > Include, select All cloud apps.

7. Under Conditions > Location.

a. Set Configure to Yes

b. Under Include, select Selected locations

c. Select the blocked location you created for your organization.

d. Click Select.

8. Under Access controls > select Block Access, and click Select.

9. Confirm your settings and set Enable policy to Report-only.

10. Select Create to create your policy.
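
The same two steps can be kept as code with the Microsoft Graph PowerShell SDK, which makes the policy reviewable and repeatable. This is an added example, not part of the original post; the function name, the display names and the break-glass group ID parameter are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns

function New-BlockByLocationPolicy {
    param(
        # ISO 3166-1 alpha-2 codes of every country ticked in the portal (the blocked set).
        [Parameter(Mandatory)][string[]]$BlockedCountryCodes,
        # Object ID of a group holding the emergency access accounts (assumed to exist).
        [Parameter(Mandatory)][string]$BreakGlassGroupId,
        # Mirrors the "Include unknown countries/regions" check box.
        [bool]$IncludeUnknown = $true,
        [string]$LocationName = 'Blocked countries',            # hypothetical name
        [string]$PolicyName   = 'CA-Block-Access-By-Location'   # hypothetical name
    )

    # First step: the countries named location, resolved by client IP address.
    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = $LocationName
        countriesAndRegions               = $BlockedCountryCodes
        countryLookupMethod               = 'clientIpAddress'
        includeUnknownCountriesAndRegions = $IncludeUnknown
    }

    # Second step: block all users and all cloud apps from that location,
    # excluding break-glass accounts, created in report-only mode.
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $PolicyName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications = @{ includeApplications = @('All') }
            locations    = @{ includeLocations = @($location.Id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

# Usage (placeholders, replace with your own values):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'
# New-BlockByLocationPolicy -BlockedCountryCodes $codes -BreakGlassGroupId '<group-object-id>'
```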


After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
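
One way to confirm the settings is to list the sign-ins that the report-only policy would have blocked and check them for legitimate users before switching to On. This is an added example, not part of the original post; the function name, policy name and sample records are constructed, and the records are assumed to follow the shape of Microsoft Graph sign-in log entries.

```powershell
function Get-ReportOnlyLocationBlock {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$SignIn,
        [Parameter(Mandatory)][string]$PolicyName
    )
    process {
        # For a block policy, 'reportOnlyFailure' marks a sign-in that would have been blocked.
        $hit = $SignIn.appliedConditionalAccessPolicies |
            Where-Object { $_.displayName -eq $PolicyName -and $_.result -eq 'reportOnlyFailure' }
        if ($hit) {
            [pscustomobject]@{
                User    = $SignIn.userPrincipalName
                Country = $SignIn.location.countryOrRegion
                IP      = $SignIn.ipAddress
                App     = $SignIn.appDisplayName
            }
        }
    }
}

# Constructed sample records (documentation IP ranges, placeholder country codes).
$sample = @'
[
  { "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
    "appDisplayName": "Office 365 Exchange Online",
    "location": { "countryOrRegion": "XX" },
    "appliedConditionalAccessPolicies": [
      { "displayName": "CA-Block-Access-By-Location", "result": "reportOnlyFailure" } ] },
  { "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
    "appDisplayName": "Microsoft Teams",
    "location": { "countryOrRegion": "YY" },
    "appliedConditionalAccessPolicies": [
      { "displayName": "CA-Block-Access-By-Location", "result": "reportOnlyNotApplied" } ] }
]
'@ | ConvertFrom-Json

# Who would be locked out, and from where? Only alice's sign-in is returned here.
$sample | Get-ReportOnlyLocationBlock -PolicyName 'CA-Block-Access-By-Location' |
    Group-Object User, Country | Select-Object Count, Name
```

Known staff appearing in this output (travel, VPN egress points, unknown-country IPs) need an exception or a corrected named location before the policy is enforced.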


The "Block Access by Location" policy is a valuable tool in your security arsenal, helping you control access to your cloud apps and safeguard your organization's data from threats originating in unauthorized locations. Implementing this policy is not just a security measure; it's a commitment to the integrity and compliance of your organization's digital assets.


To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.
