Azure Conditional Access Policy to Allow access to Office 365 from a certain Country only
In this post, we will go through the setup of an Azure Conditional Access policy that allows access to the Office 365 portal and apps only from an allowed location (country).
To get started, navigate to the Azure portal: https://portal.azure.com
On the portal, click on Azure Active Directory.
From the Azure AD page, scroll down and select Security.
From the Security page, click on Named locations. This is where we define the blocked countries, i.e. the countries from which users will not be able to access the Office 365 portal and apps.
Click on + New location.
Provide a name for your location.
Then under “Define the location using” select the countries.
Example: select all countries and remove South Africa.
Click on “Create”.
You will be redirected back to the Named locations page, where you will see the newly created named location.
In the next step we need to create the Conditional Access policy that blocks connections from the named location.
Still under Security, click on Conditional Access.
Click on + New policy.
Provide a name for the policy (use a meaningful naming standard for your policies).
Click on Assignments to include or exclude users from the policy.
Under Users and groups select “All users”, then click Done.
Click on Cloud apps or actions. Here we will select all cloud apps.
Click on “All cloud apps”, then click “Done”.
Next we need to define the condition for this policy. Here we select the named location we created in the earlier steps.
Click on Conditions.
Click on Locations.
Switch the toggle to “Yes” and click on “Selected locations”.
Click on “Select” and select the defined location.
Then click Select and then Done.
Still in the Conditions section of the policy, click on “Client apps (Preview)”.
Switch the toggle to Yes and click Done. Leave all values at their defaults.
Click on Grant under Access controls.
Select “Block access” and click Select.
Lastly, select “Report-only” under Enable policy. Then click “Create”.
Let’s test the policy. On the Conditional Access page, click on “What If”.
What is “What If”?
The What if tool allows you to understand the impact of your conditional access policies on your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
Select a user in your organisation who falls under this policy.
Keep All cloud apps (the default), then specify an IP address and a country that fall within your defined named location.
Click on “What If” to test the policy.
Your results will show as follows:
Now let’s change the country to South Africa, use a South African IP address and run What If again.
As we can see from the results, the block policy does not take effect because the user is signing in from South Africa.
Now that we are happy that the policy only applies when users connect from countries other than South Africa, we can head back to the Conditional Access policy and change it to “On”.
Then click Save.
This policy will be applied to all users in the organisation. You can also add an exclusion if you want to exclude a Global Admin account as a safety measure.
Once a user tries to log on to Office 365 from a blocked location, they will receive the following message.
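The same policy can be created with Microsoft Graph PowerShell. This is an added example, not part of the original post: it builds the rule the other way round (a named location containing only South Africa, excluded from a block policy that covers all locations), which avoids having to list every other country, and it adds the Global Admin exclusion mentioned above. The account object ID is a placeholder and the module must already be installed.

```powershell
# Added example (not from the original post). Assumes: Install-Module Microsoft.Graph
# has been run and the signed-in account holds the Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Named location containing only South Africa (ISO 3166-1 alpha-2 code "ZA").
# includeUnknownCountriesAndRegions = $false means sign-ins whose IP cannot be
# geolocated are NOT treated as South Africa, so they end up blocked rather than allowed.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed country - South Africa"
    countriesAndRegions               = @("ZA")
    includeUnknownCountriesAndRegions = $false
}

# Placeholder: object ID of the Global Admin account to exclude from the policy.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# Block policy: all users, all cloud apps, all client app types, every location
# except the South Africa named location. Created in report-only mode, as in the post.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA - Block Office 365 outside South Africa"
    state         = "enabledForReportingButNotEnforced"   # Report-only; set "enabled" after testing
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")            # every location...
            excludeLocations = @($location.Id)     # ...except South Africa
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Confirm the policy exists and is still in report-only mode before switching it on.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

Run What If against the policy as described above before changing state to "enabled", and keep the excluded account out of normal use.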