Score:3

How can I design conditional access policies for geofencing that allow single user country exceptions?


In AzureAD, I have a global conditional access policy (CAP) that prevents users from accessing their accounts from non-approved countries (I do realize this is not an accurate/reliable means of securing an environment).

When people travel we put them in an exception group so they can go to Bali or wherever.

There is a finite list of people that work remotely from locations we generally ban, e.g. India, Ghana etc. For those folks, they are permanently in the exception list. That list is meant to be temporary.

I could make more CAPs for these individual users, but that could get out of hand if I made a block-all-but-India, for example, and those users would be in the exclude of the main policy. It would get messy real quick.

I want to be able to say that an individual can go to this one country but the rest of them are banned just like everyone else. Best I can tell, CAP is not meant for that granularity.

Is there a CAP methodology I could use to implement what I am describing?
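The two-policy pattern the question sketches (exclude the user from the global geofence, then give that one user their own block-everywhere-except policy), as an added example that is not part of the original post and is not Microsoft code: a small Python model of how Conditional Access scopes a policy by user include/exclude and location include/exclude, and how a "block" grant wins over everything else. The policy dicts follow the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`conditions.users`, `conditions.locations`, `grantControls`); the evaluator itself, the group ids, the named-location ids and the user names are constructed assumptions, not a tenant's real values.

```python
"""Simplified local model of Azure AD Conditional Access (CA) evaluation.

Constructed example, not Microsoft's implementation: the evaluator is a small
model of CA scoping (user include/exclude, location include/exclude) in which
any applied policy carrying the "block" control wins. Policy dicts follow the
Microsoft Graph conditionalAccessPolicy shape; every id below is a placeholder.
"""

# Constructed directory data (placeholder ids, not a real tenant).
GROUPS = {
    "grp-travel-exceptions": {"carol"},   # temporary travel exceptions
    "grp-remote-abroad": set(),           # users that get a per-user country policy
}

# countryNamedLocation equivalents: named-location id -> ISO country codes.
NAMED_LOCATIONS = {
    "loc-approved": {"US", "CA", "GB"},   # the three generally allowed countries
}

BLOCK = {"operator": "OR", "builtInControls": ["block"]}

# The global geofence: everyone, from everywhere except approved countries, blocked.
MAIN_POLICY = {
    "displayName": "Block sign-in from non-approved countries",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeGroups": ["grp-travel-exceptions", "grp-remote-abroad"],
        },
        "locations": {
            "includeLocations": ["All"],
            "excludeLocations": ["loc-approved"],
        },
    },
    "grantControls": BLOCK,
}

POLICIES = [MAIN_POLICY]


def _in_groups(user, group_ids):
    return any(user in GROUPS.get(g, set()) for g in group_ids)


def _user_in_scope(cond, user):
    """True if the user is included and not excluded by the users condition."""
    included = ("All" in cond.get("includeUsers", [])
                or user in cond.get("includeUsers", [])
                or _in_groups(user, cond.get("includeGroups", [])))
    excluded = (user in cond.get("excludeUsers", [])
                or _in_groups(user, cond.get("excludeGroups", [])))
    return included and not excluded


def _location_in_scope(cond, country):
    """True if the country is covered by includeLocations and not by excludeLocations."""
    if cond is None:                      # no location condition: applies everywhere
        return True

    def covers(loc_ids):
        return any(l == "All" or country in NAMED_LOCATIONS.get(l, set()) for l in loc_ids)

    return covers(cond.get("includeLocations", [])) and not covers(cond.get("excludeLocations", []))


def evaluate(policies, user, country):
    """Return ("blocked", [policy names]) or ("allowed", []).

    Every enabled policy whose user and location conditions both match is
    applied; if any applied policy carries "block", the sign-in is blocked.
    """
    applied = [
        p for p in policies
        if p.get("state") == "enabled"
        and _user_in_scope(p["conditions"]["users"], user)
        and _location_in_scope(p["conditions"].get("locations"), country)
    ]
    blocking = [p["displayName"] for p in applied
                if "block" in p["grantControls"]["builtInControls"]]
    return ("blocked", blocking) if blocking else ("allowed", [])


def add_user_country_exception(user, country):
    """The per-user methodology from the question: two changes per user.

    1. Exclude the user from the global geofence (membership of grp-remote-abroad).
    2. Add a policy scoped to that one user that blocks every location except
       the approved countries plus the user's single extra country.
    """
    loc_id = f"loc-{user}-extra"          # placeholder for a countryNamedLocation id
    NAMED_LOCATIONS[loc_id] = {country}
    GROUPS["grp-remote-abroad"].add(user)
    POLICIES.append({
        "displayName": f"{user}: block except approved countries + {country}",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [user]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["loc-approved", loc_id]},
        },
        "grantControls": BLOCK,
    })


def decision(user, country):
    return evaluate(POLICIES, user, country)[0]


if __name__ == "__main__":
    add_user_country_exception("alice", "FR")
    for user, country in [("bob", "US"), ("bob", "FR"), ("alice", "FR"),
                          ("alice", "DE"), ("carol", "ID")]:
        print(user, country, evaluate(POLICIES, user, country))
```

Running the model with one exception for `alice` and `FR` makes the trade-off concrete: `alice` is allowed from FR and from the approved countries but still blocked from DE, while `bob` stays blocked from FR. The cost is exactly what the question anticipates, two coupled changes per user (an exclusion from the global policy plus a dedicated policy), and forgetting the exclusion leaves the user blocked everywhere outside the approved countries because the global block still applies. Checking each new pairing against a model like this, or against the tenant's What If tool, before enabling the policy is the practical safeguard.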

HBruijn
My first thought: Why don't you set up a VPN server for travellers and require travellers to use that when they need to access their account while abroad?
joeqwerty
**I do realize this is not an accurate/reliable means of securing an environment** - It's not everything you should be doing (hopefully you're requiring some kind of MFA for access to Office 365), but using geo-based CAPs to limit the locations users can access Office 365 from is certainly high on my list of things you should/must be doing.
joeqwerty
According to reading I've done, 17% of cyber attacks originate from the USA. That means that 83% of cyber attacks originate from outside of the USA. I've also read that 90% of all Office 365 logon attempts originate from China. You should be blocking access to Office 365 for your users from outside of the actual locations they work from, making exceptions when/where needed.
The most interesting incursion I worked originated at a resort in the middle of Cambodia. A cafe or wifi something in Bali is favorable territory for a threat actor. There are documented occurrences of threat actor groups that target high value travelers, even on wifi presumed private. Also, in some countries (China notably) the state requires mandatory access to technology infrastructure, no court needed. Meaning they basically are provided user accounts and logon and "audit" networks anywhere to ensure it conforms with security and privacy requirements.
Matt
We have Forticlient for VPN but most of these users do not need/use VPN. Mostly just email. Yes, we have MFA in place but that is not infallible either. So we implement everything we can. We only allow 3 countries in general and have an exception group we put people in temporarily. Some users live abroad and want access to email more regularly. I don't want to whitelist France for everyone... just maybe one person. CAP doesn't really use priorities and will favour a block before anything else.