Quietly, Microsoft has published a preview of country-based controls for Conditional Access. While this is technically a minor addition, the ability to block logins to Office 365 or other cloud applications based on the location of the user has been a common request for years. Office 365, being a public SaaS offering, is by default accessible from anywhere, at any time, and this can be problematic for some organizations. Previously, AD FS claims rules were the only method that allowed restrictions to be configured based on the IP of the user/client. With the arrival of Azure AD Conditional Access and multi-factor authentication, we have more robust and easier-to-use options.
Let's take a quick look at the new feature. To create a new country-based named location, all you need to do is give it a Name and then select one or more countries from the dropdown control. In my example, I have already created a location that includes my country, Bulgaria, and another one that includes the Netherlands, which happens to be the country where my Azure VMs are hosted. In effect, I'm preparing a list of "known" or "good" locations which I can then whitelist in any CA policies. It's important to note that you cannot designate a country or group of countries as a "trusted location" directly in the settings, as you can for IPs/ranges; a country-based location only acquires meaning once a policy includes or excludes it. Once you've defined all the "good" or "bad" locations, it's time to put them to use in your Conditional Access policies.
To do so, create a new policy or edit an existing one, then navigate to the Conditions tab, and under Locations, toggle the Configure slider, then select the relevant locations to include or exclude. Adjust any additional conditions as needed and decide which controls to apply. In my example, I have created a policy that requires MFA for any login attempt unless it comes from Bulgaria, where such attempts are exempted by the exclusion of the "BG" named location.

As you can see in the screenshot, any named locations you have defined will appear in the list and you can select one or more of them for each of your policies, either as included or excluded locations. You can of course still create a policy that does not depend on the network location at all, or a policy that applies to any "uncategorized" locations, as discussed above. After choosing the appropriate controls for your policy, it's strongly recommended to test it via the What If tool and also via some real login attempts before enforcing it.
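The same two steps, done from the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that you can consent to the Policy.ReadWrite.ConditionalAccess scope; the display names "BG" and "Require MFA outside Bulgaria" are my own choices. The policy is created in report-only mode on purpose, so it only records what it would have done until you flip it to enabled.

```powershell
# Added example (not from the original post): create the country-based named location
# and the "MFA unless from Bulgaria" policy with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the signed-in admin can
# consent to Policy.ReadWrite.ConditionalAccess. Display names are my own choices.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# 1. Country-based named location "BG".
#    includeUnknownCountriesAndRegions = $false means a sign-in whose IP cannot be
#    mapped to any country does NOT count as "BG" (and so is not exempted below).
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "BG"
    countriesAndRegions               = @("BG")
    includeUnknownCountriesAndRegions = $false
}
$bg = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: all users, all cloud apps, any location except "BG" -> require MFA.
#    Created in report-only mode so it logs what it would do without blocking anyone;
#    change State to "enabled" only after reviewing What If results and sign-in logs.
$policyBody = @{
    displayName   = "Require MFA outside Bulgaria"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")      # every location, known or unknown...
            excludeLocations = @($bg.Id)     # ...except the "BG" named location
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
$policy | Select-Object Id, DisplayName, State
```

Two practical points: because `includeUsers` is "All", add your break-glass accounts to `excludeUsers` before enabling the policy, or a geo-IP hiccup can lock the administrators out too; and note that an IP Azure AD cannot map to any country falls under "All" but not under "BG", so it gets the MFA prompt, which is the safe direction for this policy.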
Be warned that IP-to-country mappings aren't always accurate and can change over time, so keep that in mind when configuring and troubleshooting country-based policies. Remember, too, that the check is made against the country of the IP address the service sees, so VPN exits, cloud proxies and carrier gateways can place a user in a country other than the one they are physically in.
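When a country-based policy misbehaves, the quickest way to see what actually happened is to read the sign-in logs, which record the country Azure AD resolved each client IP to and how every Conditional Access policy was evaluated. The following script is an added example, not part of the original post; it assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All and Directory.Read.All scopes, and that the policy was named "Require MFA outside Bulgaria" as in the earlier example.

```powershell
# Added example (not from the original post): list recent sign-ins with the country
# the geo-IP lookup assigned to each client IP and how the country-based policy was
# applied, so mapping errors or drift show up as unexpected Country/Policy pairs.
# Assumes Microsoft.Graph.Reports and the AuditLog.Read.All + Directory.Read.All scopes;
# the policy display name matches the one used in the earlier example.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$policyName = "Require MFA outside Bulgaria"
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$rows = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 200 |
    ForEach-Object {
        $applied = $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName }
        [pscustomobject]@{
            Time    = $_.CreatedDateTime
            User    = $_.UserPrincipalName
            IP      = $_.IPAddress
            # What the geo-IP lookup decided, which is all the policy ever sees.
            Country = $_.Location.CountryOrRegion
            City    = $_.Location.City
            # e.g. success / failure / reportOnlySuccess / reportOnlyFailure / notApplied
            Policy  = if ($applied) { $applied.Result } else { "notApplied" }
        }
    }

# Sign-ins whose IP could not be mapped to any country: these never match "BG".
$rows | Where-Object { [string]::IsNullOrEmpty($_.Country) } |
    Format-Table Time, User, IP, Policy -AutoSize

# Everything else, grouped by resolved country, so a known office IP that suddenly
# shows up under another country (a changed mapping) stands out immediately.
$rows | Where-Object { $_.Country } |
    Sort-Object Country, Time |
    Format-Table Time, User, IP, Country, City, Policy -AutoSize
```

Run this while the policy is still in report-only mode: a row showing a Bulgarian office IP with `reportOnlyFailure` means the geo-IP mapping disagrees with you, and the fix is to add that range as an IP-based named location rather than to wait for the country database to catch up.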