Description:

An exclusionary geographic access policy restricts user sign-ins from countries or regions where the organization does not operate. Implementing such a policy reduces the risk of unauthorized access from high-risk locations, supports regulatory compliance, and strengthens the organization’s overall security posture.


Rationale:

Blocking access from selected geographic locations reduces the risk of account compromise by preventing sign-in attempts from high-risk regions, strengthens identity security, limits exposure to cyber threats, and supports enforcement of location-based access controls for sensitive resources.


Impact:

Users attempting to sign in from blocked geographic locations will be denied access. Legitimate users traveling or working remotely may require a VPN or approved alternate access. Location is derived from the geolocation of the sign-in IP address (or, optionally, GPS from the Microsoft Authenticator app), so an attacker who routes traffic through an allowed country will not be stopped by this control alone; it should be layered with MFA and risk-based policies. While this may introduce limited user inconvenience, it significantly reduces the volume of opportunistic sign-in attempts from regions where the organization does not operate. Emergency-access (break-glass) accounts should be excluded from the policy so that a misconfiguration or geolocation error cannot lock administrators out of the tenant.


Pre-requisites:

  • Global Administrator, Security Administrator, or Conditional Access Administrator (the least-privileged built-in role that can create and edit Conditional Access policies) access to Microsoft Entra ID

  • Defined list of blocked countries or regions (ISO 3166-1 alpha-2 codes), which will be configured as a Countries-type Named Location and referenced by the policy

Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Under Protect, open Conditional Access

  5. Select Policies

  6. Review existing policies

  7. Verify a Conditional Access policy exists whose Locations condition includes a Countries-type Named Location containing the blocked countries or regions, whose Grant control is set to Block access, and whose state is On (not Off or Report-only)

  8. If an exclusionary geographic access policy is not present, follow the implementation steps
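The test above can also be run as a script. The following is an added example, not part of the original page, written for the Microsoft Graph PowerShell SDK (2.x); it assumes the SDK is installed and that the signed-in account holds a role able to read Conditional Access configuration (for example Security Reader). It lists every enabled policy that references a Countries-type Named Location and grants Block access, and reports FAIL when none is in the On state.

```powershell
# Added example (not from the original page): audit Conditional Access policies
# for an enabled country-block policy with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Index Countries-type named locations by ID (type-specific fields live in AdditionalProperties)
$countryLocations = @{}
foreach ($loc in Get-MgIdentityConditionalAccessNamedLocation -All) {
    if ($loc.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.countryNamedLocation') {
        $countryLocations[$loc.Id] = $loc
    }
}

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # Policies without a Locations condition return $null here; the Where-Object drops it
    $included = @($p.Conditions.Locations.IncludeLocations | Where-Object { $_ })
    $geoIds   = @($included | Where-Object { $countryLocations.ContainsKey($_) })
    $blocks   = @($p.GrantControls.BuiltInControls) -contains 'block'
    if ($blocks -and $geoIds.Count -gt 0) {
        [pscustomobject]@{
            Policy    = $p.DisplayName
            State     = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
            Users     = ($p.Conditions.Users.IncludeUsers -join ',')
            Apps      = ($p.Conditions.Applications.IncludeApplications -join ',')
            Countries = (($geoIds | ForEach-Object {
                            $countryLocations[$_].AdditionalProperties['countriesAndRegions'] }) -join ',')
        }
    }
}

if (-not $findings) {
    Write-Warning "FAIL: no Conditional Access policy blocks sign-in from a Countries named location."
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object State -eq 'enabled') {
        Write-Host "PASS: an enforced geographic block policy is present."
    } else {
        Write-Warning "FAIL: a geographic block policy exists but none is in the On (enabled) state."
    }
}
```

A policy in Report-only mode (state enabledForReportingButNotEnforced) is listed but does not satisfy the check, since it evaluates sign-ins without denying them.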


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Under Protect, open Conditional Access and select Named locations; create a Countries location containing the blocked countries or regions (optionally also matching unknown countries/regions)

  5. Select Policies, then New policy; assign all users (excluding emergency-access accounts), target all cloud apps, and under Conditions, Locations, include the Countries location created above

  6. Under Access controls, Grant, select Block access

  7. Set Enable policy to Report-only, review the affected sign-ins in the sign-in logs, then set it to On

  8. Create and save the policy
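The same configuration can be created with Microsoft Graph PowerShell. This is an added example, not part of the original page; the country list, display names and the break-glass account UPN are placeholders, and it assumes the Microsoft Graph PowerShell SDK (2.x) and a signed-in account holding Conditional Access Administrator (or Security/Global Administrator) that consents to the listed scopes. It creates the Countries-type Named Location first, then the blocking policy in Report-only mode, mirroring steps 4 to 8.

```powershell
# Added example (not from the original page): create the Countries named location
# and a blocking Conditional Access policy with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

$blockedCountries = @("KP","IR","RU")   # ISO 3166-1 alpha-2 codes; assumed list, replace with your own
# Assumed break-glass account; excluded so a geolocation error cannot lock admins out
$breakGlassId = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id

# 1. Countries-type named location. includeUnknownCountriesAndRegions also matches
#    IPs whose country cannot be resolved (some anonymizer and VPN exit ranges).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked countries"
    countriesAndRegions               = $blockedCountries
    includeUnknownCountriesAndRegions = $true
    countryLookupMethod               = "clientIpAddress"   # or "authenticatorAppGps"
}

# 2. Policy: all users except break-glass, all apps, Locations = blocked set, Block access.
#    Created in Report-only so sign-in logs can be reviewed before enforcement.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA - Block sign-in from excluded countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @($location.Id)
            excludeLocations = @("AllTrusted")   # optional: never block trusted office egress IPs
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. After reviewing Report-only results, switch the policy to On:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

The commented Update-MgIdentityConditionalAccessPolicy call is the enforcement step; the same call with state set to "disabled" is the scripted equivalent of the rollback described under Backup.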

Backup:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Under Protect, open Conditional Access

  5. Select Policies

  6. Select the exclusionary geographic access policy

  7. Set Enable policy to Off to disable it (preferred, since the policy can be re-enabled without being recreated), or delete the policy

  8. Save the changes


Reference: