🛡️ Microsoft Entra ID Conditional Access By Location is not defined

  • Contextual name: 🛡️ Conditional Access By Location is not defined
  • ID: /ce/ca/azure/microsoft-entra-id/conditional-access-by-location
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: SECURITY

Description

Caution: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.

Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.

Rationale

Conditional Access, when used as a deny list for the tenant or subscription, can prevent ingress or egress of traffic to countries that are outside the scope of interest (e.g., customers, suppliers) or the jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.

Note on Assessment Status: Because the determination of entities to be included or excluded is specific and unique to each organization, the assessment status for this recommendation is considered 'Manual' even though some elements for automation (CLI, PowerShell) are provided.

Remediation

From Azure Portal

Part 1 of 2 - Create the policy and enable it in Report-only mode
  1. In the Azure portal, open the portal menu in the upper left and select Microsoft Entra ID.
  2. Scroll down in the menu on the left, and select Security.
  3. On the left, select Conditional Access.
  4. Select Policies.
  5. Select + New policy, then:
  6. Provide a name for the policy.
  7. Under Assignments, select Users, then:
    • Under Include, select All users.
    • Under Exclude, check Users and groups and only select emergency access accounts and service accounts (Note: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA).
  8. Under Assignments, select Target resources, then:
    • Under Include, select All cloud apps.
    • Leave Exclude blank unless you have a well-defined exception.
  9. Under Conditions, select Locations, then:
    • Select Include, then add entries for locations for those that should be blocked.
    • Select Exclude, then add entries for those that should be allowed (Important: Ensure that all Trusted Locations are in the Exclude list).

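The Part 1 configuration above, expressed as an added Microsoft Graph PowerShell example (this code is not from the benchmark or from this page): it assumes the Microsoft.Graph.Identity.SignIns module is installed, and the country codes, emergency-access group ID and display names are constructed placeholders to replace with your own values.

```powershell
# Added example: create the Part 1 policy in report-only mode via Microsoft Graph.
# Country codes, the group ID and display names are constructed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Step 9 (Include): a country named location listing the regions to block.
$blockedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked countries (placeholder)"
    countriesAndRegions               = @("XX", "YY")   # placeholder ISO 3166-1 alpha-2 codes
    includeUnknownCountriesAndRegions = $true            # IPs that resolve to no country are also blocked
}

# Step 7 (Exclude): group holding emergency access and service accounts (placeholder GUID).
$emergencyAccessGroupId = "00000000-0000-0000-0000-000000000000"

# Steps 6-9 plus the report-only state: all users except the excluded group, all cloud
# apps, the blocked location included, every trusted location excluded, grant = block.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from out-of-scope locations (report-only)"
    state         = "enabledForReportingButNotEnforced"   # audit sign-in logs before enforcing
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($emergencyAccessGroupId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @($blockedLocation.Id)
            excludeLocations = @("AllTrusted")            # all Trusted Locations stay allowed
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# The new policy ID; review its report-only results in the sign-in logs before
# switching state to "enabled".
$policy.Id
```

Review the report-only evaluations in the sign-in logs for the excluded accounts first, since a policy that blocks them when switched to enabled is the lock-out the Caution above warns about.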
Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 5.2.2 Ensure that an exclusionary geographic Conditional Access policy is considered (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 General Access Controls | 12 | no data