top of page
  • Writer's pictureJames Agombar

Azure Conditional Access Policies - Prevent logging on from specific countries

Disclaimer: CA Policies can cause significant impact to business if configured incorrectly, so please ensure you takes measures to prevent such events.

Azure Conditional Access policies are becoming ever more useful and granular in their capabilities to help you protect your environment against malicious login attempts, enforcing MFA, allowing access to specific applications and much much more.

In this article I'll talk you through a very basic but effective policy to block access to Azure from countries where we know employees won't be logging on from. This is a great way to reduce potential attack vectors from foreign parties without a great deal of effort.

Note: This won't protect against threat actors using UK VPN's ;)

1. Log on to you, go to All Services and search for Conditional Access, then click on it.

2. Within Conditional Access, click on "Named Locations" in the left hand menu and then click "Countries Location".

3. Type in a suitable name for the new policy and the select all the countries you'd like to block.

5. Ensure you have all the counties that do require access unticked, then click Create.

6. Under Named Locations, you will now see your new policy listed.

7. To create the new CA policy, click "Policies" in the menu, then "New". Type in a suitable name for the policy, then under Assignments, select Users.

Under "Include" select the appropriate option. In this example I've chosen All Users.

8. If you company has security defaults enabled, you will be prompted to disable it and select "My organisation is Using Conditional Access".

9. Now under "Exclude" choose a suitable Global Admin account as a break glass option should you somehow manage to lock access out (obviously this is up to you!).

10. Under Cloud apps or actions select "All Cloud Apps"

11 Under Conditions select the Blocked Locations policy we created earlier and then click Select.

12. Under Access Controls select "Block Access" and then press Select.

13. Now at this stage I'd recommend leaving the policy in Report-only mode just for peace of mind and to monitor events. You can also add additional settings such as risk scoring if that's of interest.

Once you're happy, click Create and you're good to go.

Let me know if this is of help or if you have any other suggestions that would improve the configuration!

99 views2 comments

Related Posts

See All


Tig Campbell-Moore
Tig Campbell-Moore

As you can create a free cloud VM and put a VPN on it, you are fighting a lost battle. That is, unless you want to hunt down and blacklist every VPN and cloud host. It also doesn't protect against geo aware C&C bot networks.

IP based origin assurance died a very long time ago.

James Agombar
James Agombar

Totally agree it’s not a one solution fixes all problems, but hopefully can assist within a layered approach which I’ll touch on in further posts.

bottom of page