Description:

An exclusionary geographic Conditional Access policy allows administrators to define security policies that specifically block access from untrusted or risky geographic locations while permitting access from trusted or designated locations. This policy helps secure resources by ensuring that only users accessing from approved or safe geographical locations can sign in to applications or services.

Rationale:

Implementing exclusionary geographic Conditional Access policies helps mitigate risks associated with unauthorized access attempts originating from countries or regions that are either not trusted or are known sources of cyberattacks. By excluding specific geographies from access, organizations can significantly reduce the exposure of their resources to unwanted or unauthorized users. This approach is crucial in securing sensitive data and ensuring compliance with geographic-based regulatory requirements, such as GDPR or regional data residency laws.

Impact:

An exclusionary geographic policy improves security by limiting access to trusted locations. However, it may impact users working remotely from unsupported countries or regions. Careful attention should be paid to legitimate users who may need to access resources from excluded locations, ensuring that critical business functions are not disrupted.

Default Value:

By default, geographic Conditional Access policies are not configured in Azure Active Directory (AAD). This requires manual configuration to set up the exclusionary rules for specific geographic regions or IP addresses.

Pre-requisites:

  • Azure Active Directory subscription.

  • Global Administrator or Conditional Access Administrator permissions.

  • MFA must be enabled for users if you plan to enforce MFA as part of the policy.

  • The Conditional Access feature should be enabled for your organization.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Conditional Access Administrator.

  2. Navigate to Azure Active Directory > Security > Conditional Access.

  3. Review the list of Conditional Access policies and confirm that exclusionary geographic policies are defined and enabled.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator permissions.

  2. Navigate to Conditional Access Policies:

    • In the Azure portal, go to Azure Active Directory > Security > Conditional Access.

  3. Create a New Conditional Access Policy:

    • Click on + New Policy to create a new Conditional Access policy.

    • Provide a descriptive name for the policy (e.g., "Block Access from Risky Locations").

  4. Define Policy Scope:

    • Under Assignments > Users and groups, select the users or groups the policy will apply to (e.g., All Users, Administrators).

    • Under Cloud apps or actions, select the apps or services you want to protect (e.g., All cloud apps).

  5. Configure Geographic Locations for Exclusion:

    • Under Conditions > Locations, select Yes to enable location-based conditions.

    • Under Configure, select Exclude and then Select locations.

    • In the Exclude Locations section, specify the countries or regions you want to block. You can either:

      • Use Country/Region: Block access from countries or regions where you don’t want users to log in.

      • Use IP ranges: Block specific IP address ranges instead of, or in addition to, countries or regions.

  6. Define Access Controls:

    • Under Access controls, select Grant > Block access to ensure that users from excluded locations are denied access.

    • Alternatively, you can choose to enforce Multi-Factor Authentication (MFA) for users accessing from non-excluded locations.

  7. Enable Policy:

    • Review the policy settings and click Enable policy to activate the exclusionary geographic access controls.

  8. Test the Policy:

    • After enabling the policy, test it by signing in from both a permitted location and a blocked location.

    • Confirm that users attempting to log in from excluded locations are blocked and that access is allowed from trusted regions.

  9. Monitor and Adjust:

    • Use Azure AD Sign-in Logs to monitor the impact of the policy.

    • Review any failed logins from excluded locations to ensure the policy is working as intended.

    • Adjust the policy as needed based on real-world usage and potential false positives.
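The Audit and Implementation steps above describe the policy in portal terms. The following is an added example (not Microsoft code and not part of the original benchmark) that models the same policy in the JSON shape used by the Microsoft Graph conditionalAccessPolicy and namedLocation resources, evaluates constructed sign-ins against it the way the Test and Monitor steps call for, and performs the Audit check over a list of policies. The named-location ids, user ids, country list and IP range are constructed placeholders. The policy is modelled with "All" locations included and the trusted named locations excluded, so that the Block grant applies everywhere except those locations; the evaluator lets you confirm what a given Include/Exclude choice does to a sign-in before enabling the policy, and also shows why a break-glass account exclusion and the treatment of unresolved (unknown) countries matter.

```python
"""Model an exclusionary geographic Conditional Access policy in Microsoft Graph
JSON form and evaluate constructed sign-ins against it.

Added example; not Microsoft code.  Location ids, user ids, IP ranges and the
country list are constructed placeholders.  Evaluation follows the documented
semantics: a policy applies when the sign-in matches an included location and
no excluded location; the special id "All" matches any location and
"AllTrusted" matches any named location flagged isTrusted."""
import ipaddress

# Constructed named locations, shaped like Graph namedLocation objects.
NAMED_LOCATIONS = {
    "loc-trusted-countries": {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Trusted countries",
        "countriesAndRegions": ["US", "CA", "GB"],          # constructed list
        "includeUnknownCountriesAndRegions": False,        # unresolved GeoIP is NOT trusted
    },
    "loc-corp-egress": {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Corporate egress",
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": "203.0.113.0/24"}],   # RFC 5737 documentation range
    },
}

# The policy from the implementation steps: all users and apps in scope,
# location condition = any location except the trusted ones, grant = Block.
EXCLUSIONARY_GEO_POLICY = {
    "displayName": "Block Access from Risky Locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["break-glass-account-id"]},  # placeholder object id
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["loc-trusted-countries", "loc-corp-egress"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def location_matches(loc_id, signin):
    """True if the sign-in (dict with 'ip' and optional 'country') falls inside loc_id."""
    if loc_id == "All":
        return True
    if loc_id == "AllTrusted":
        return any(loc.get("isTrusted") and location_matches(lid, signin)
                   for lid, loc in NAMED_LOCATIONS.items())
    loc = NAMED_LOCATIONS[loc_id]
    if loc["@odata.type"].endswith("countryNamedLocation"):
        country = signin.get("country")
        if country is None:                      # GeoIP could not resolve the address
            return loc["includeUnknownCountriesAndRegions"]
        return country in loc["countriesAndRegions"]
    ip = ipaddress.ip_address(signin["ip"])
    return any(ip in ipaddress.ip_network(r["cidrAddress"]) for r in loc["ipRanges"])


def policy_applies(policy, signin, user_id):
    """Scope check: user included and not excluded, location included and not excluded."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and user_id not in users["includeUsers"]:
        return False
    locs = policy["conditions"].get("locations")
    if locs is None:
        return True
    if not any(location_matches(l, signin) for l in locs.get("includeLocations", [])):
        return False
    return not any(location_matches(l, signin) for l in locs.get("excludeLocations", []))


def evaluate(policy, signin, user_id):
    """Return 'block', 'allow', or 'require:<controls>' for one sign-in."""
    if policy["state"] != "enabled" or not policy_applies(policy, signin, user_id):
        return "allow"          # disabled/report-only policies never enforce
    controls = policy["grantControls"]["builtInControls"]
    return "block" if "block" in controls else "require:" + ",".join(controls)


def audit_geo_block_policies(policies):
    """Audit step: names of enabled policies that block on a Locations condition."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled"
            and p["conditions"].get("locations")
            and "block" in p.get("grantControls", {}).get("builtInControls", [])]


# Constructed sign-ins for the test step, one per case the policy must distinguish.
SIGN_INS = {
    "trusted-country": {"ip": "198.51.100.7", "country": "GB"},
    "corp-egress": {"ip": "203.0.113.42", "country": "DE"},
    "untrusted-country": {"ip": "198.51.100.9", "country": "DE"},
    "unknown-country": {"ip": "198.51.100.11"},
}

if __name__ == "__main__":
    for name, s in SIGN_INS.items():
        print(f"{name:18} -> {evaluate(EXCLUSIONARY_GEO_POLICY, s, 'user-1')}")
    print("break-glass from untrusted ->",
          evaluate(EXCLUSIONARY_GEO_POLICY, SIGN_INS["untrusted-country"], "break-glass-account-id"))
    print("audit:", audit_geo_block_policies([EXCLUSIONARY_GEO_POLICY]))
```

Run it before enabling a policy to see which of the constructed cases would be blocked; swapping the contents of includeLocations and excludeLocations shows how much the meaning of the policy changes, which is the check the Test step asks for. Real policies and named locations can be exported from Graph (for example with Get-MgIdentityConditionalAccessPolicy) and fed to the same functions.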

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator privileges.

  2. Navigate to Conditional Access Policies:

    • Go to Azure Active Directory > Security > Conditional Access.

  3. Disable or Remove the Policy:

    • Locate the Conditional Access policy you created for exclusionary geographic access.

    • You can either disable the policy or delete it entirely.

    • To disable, toggle the Enable policy option to No.

  4. Test Reverted Access:

    • After disabling the policy, test user access from locations that were previously blocked to ensure they can now reach the resources.

  5. Review Access Logs:

    • Review the sign-in logs to ensure no unintended access is allowed after the policy is removed or disabled.

References: