Skip to main content

πŸ“ Microsoft Entra ID Conditional Access By Location is not defined 🟒

  • Contextual name: πŸ“ Conditional Access By Location is not defined 🟒
  • ID: /ce/ca/azure/microsoft-entra-id/conditional-access-by-location
  • Located in: πŸ“ Microsoft Entra ID

Flags​

Our Metadata​

  • Policy Type: BEST_PRACTICE
  • Policy Category:
    • SECURITY

Description​

Open File

Description​

CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.

Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.

Rationale​

Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.

Impact​

Microsoft Entra ID P1 or P2 is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. A point-to-site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

Part 1 of 2 - Create the policy and enable it in Report-only mode​
  1. From Azure Home open the portal menu in the top left, and select Microsoft Entra ID.
  2. Scroll down in the menu on the left, and select Security.
  3. Select on the left side Conditional Access.
  4. Click the + New policy button.
  5. Provide a name for the policy.
  6. Under Assignments, select Users or workload identities then:
    • Under Include, select All users.
    • Under Exclude, check Users and groups and only select emergency access accounts and service accounts (NOTE: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA).
  7. Under Assignments, select Cloud apps or actions then:
    • Under Include, select All cloud apps.
    • Leave Exclude blank unless you have a well defined exception.
  8. Under Conditions, select Locations then:
    • Select Include, then add entries for locations for those that should be blocked.
    • Select Exclude, then add entries for those that should be allowed (IMPORTANT: Ensure that all Trusted Locations are in the Exclude list.).

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered - Level 1 (Manual)1
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 2.2.2 Ensure that an exclusionary Geographic Access Policy is considered (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό General Access Controls10