Azure Conditional Access Policy to Allow access to Office 365 from a certain Country only

In this post, we will go through the setup of an Azure Conditional Access policy that allows access to the Office 365 portal and apps only from an allowed location.

To get started we need to navigate to the Azure Admin Portal: https://portal.azure.com

On the portal, click on Azure Active Directory.

From the Azure AD Portal page, scroll down and select Security.

From the Security page, click on Named locations. This section is where we define the blocked countries from which users won't be able to access the Office 365 portal and apps.

Click on + New Location

Provide a name for your location.

Example: Block-All-Except-SA

Then under “Define your location using” select your country.

Example: Select all countries and remove South Africa.

Click on “Create”.

You will be redirected back to the Named locations page, where you will see the newly created named location.

In the next step we need to create the Conditional Access policy that blocks connections from the named location.

Still under Security, click on Conditional Access.

Click on + New policy.

Provide a name for the policy (use a meaningful naming standard for your policies).

Click on Assignments to include or exclude users from the policy.

Under Users and groups select “All users” then click Done.

Click Cloud apps or actions. Here we will select all the cloud apps.

Click on “All cloud apps” then click “Done”.

Next we need to define the Condition for this Policy and here we will select the named Location we have created in earlier steps.

Click on Conditions

Click on Locations

Switch the toggle to “Yes” and click on “Selected locations”.

Click on “Select” and choose the named location you defined earlier.

Then click Select and then Done.

Still in the Conditions section of the policy, click on “Client apps (Preview)”.

Switch the Toggle to Yes and click Done. Leave all values Default.

Click on Grant under Access controls

Select “Block access” and click Select.

Lastly, select “Report-only” under Enable policy. Then click “Create”.

Let’s test the policy. On the Conditional Access page, click on “What If”.

What is “What If”?

The What if tool allows you to understand the impact of your conditional access policies on your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

Select a user in your organisation who falls under this Policy.

Select All cloud apps (the default), then specify an IP address and a country that fall within your defined named location.

Click on “What If” to test the policy.

Your results will show as follows.

Now let’s change the country to South Africa, use a South African IP address, and run What If again.

As we can see from the results, the Block Policy does not take effect because the user is signing-in from South Africa.

Now that we are happy that the policy only applies when users connect from countries other than South Africa, we can head back to the Conditional Access policy and change it to “On”.

Then Click Save

This policy will be applied to all users in the organisation. You can also add an exclusion, for example for a Global Admin account, as a safeguard.

When a user now tries to log on to Office 365 from a blocked location, they will receive the following message.
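The same named location, policy and report-only-then-enforce flow, scripted with the Microsoft Graph PowerShell SDK as an added example (not from the original post or from Microsoft). Graph needs an explicit country list, so the rule is expressed the other way round: a named location for the trusted country (ZA), excluded from a policy that blocks all locations. The display names and the break-glass account ID are placeholders.

```powershell
# Added example: build the "block everything outside South Africa" rule with Graph.
# Assumes the Microsoft.Graph module is installed and you can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Named location for the trusted country (ISO 3166-1 alpha-2 code).
# includeUnknownCountriesAndRegions = $false: IPs with no geo match are NOT treated
# as South African, so they stay inside the block. Flip it only if you accept that gap.
$location = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations' `
    -Body (@{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = 'Allowed-Country-SA'            # placeholder name
        countriesAndRegions               = @('ZA')
        includeUnknownCountriesAndRegions = $false
    } | ConvertTo-Json)

# Placeholder: object ID of the Global Admin account excluded as a safeguard (post's last step).
$breakGlassId = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'

# Policy: all users (minus break-glass), all cloud apps, all client app types,
# all locations except the trusted one, grant control "block". Starts in report-only,
# exactly as the post does before checking the result with What If.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body (@{
        displayName   = 'CA-Block-Access-Outside-South-Africa'               # placeholder name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
            locations      = @{ includeLocations = @('All'); excludeLocations = @($location.id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    } | ConvertTo-Json -Depth 5)   # -Depth needed: default depth 2 truncates the nested conditions

# Once report-only sign-in logs (or What If) confirm only non-ZA sign-ins would be blocked,
# switch the policy to enforced, which is the portal's "On".
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.id)" `
    -Body (@{ state = 'enabled' } | ConvertTo-Json)
```

Run the PATCH only after the report-only period; a wrong country code or a missing exclusion in the POST would otherwise lock every account out at once.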

#ThatlazyAdmin
