Skip to main content

Remediation

From Azure Portal​

Part 1 of 2 - Create the policy and enable it in Report-only mode​

  1. From Azure Home open the portal menu in the top left, and select Microsoft Entra ID.
  2. Scroll down in the menu on the left, and select Security.
  3. Select on the left side Conditional Access.
  4. Click the + New policy button.
  5. Provide a name for the policy.
  6. Under Assignments, select Users or workload identities then:
    • Under Include, select All users.
    • Under Exclude, check Users and groups and only select emergency access accounts and service accounts (NOTE: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA).
  7. Under Assignments, select Cloud apps or actions then:
    • Under Include, select All cloud apps.
    • Leave Exclude blank unless you have a well defined exception.
  8. Under Conditions, select Locations then:
    • Select Include, then add entries for locations for those that should be blocked.
    • Select Exclude, then add entries for those that should be allowed (IMPORTANT: Ensure that all Trusted Locations are in the Exclude list.).
  9. Under Access Controls, select Grant and Confirm that Block Access is selected.
  10. Set Enable policy to Report-only.
  11. Click Create.

Allow some time to pass to ensure the sign-in logs capture relevant conditional access events. These events will need to be reviewed to determine if additional considerations are necessary for your organization (e.g. legitimate locations are being blocked and investigation is needed for exception).

NOTE: The policy is not yet 'live,' since Report-only is being used to audit the effect of the policy.

Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to On​

  1. With your policy now in report-only mode, return to the Microsoft Entra blade and click on Sign-in logs.
  2. Review the recent sign-in events - click an event then review the event details (specifically the Report-only tab) to ensure:
    • The sign-in event you're reviewing occurred after turning on the policy in report-only mode.
    • The policy name from step 5 above is listed in the Policy Name column.
    • The Result column for the new policy shows that the policy was Not applied (indicating the location origin was not blocked).
  3. If the above conditions are present, navigate back to the policy name in Conditional Access and open it.
  4. Toggle the policy from Report-only to On.
  5. Click Save.

From PowerShell​

First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the Get-MgIdentityConditionalAccessNamedLocation which outputs the Location IDs for use with conditional access policies:

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition $conditions.Applications.IncludeApplications = <"All" | "Office365" | "app ID" | @("app ID 1", "app ID 2", etc...)> $conditions.Applications.ExcludeApplications = <"Office365" | "app ID" | @("app ID 1", "app ID 2", etc...)> $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition $conditions.Users.IncludeUsers = <"All" | "None" | "GuestsOrExternalUsers" | "Specific User ID" | @("User ID 1", "User ID 2", etc.)> $conditions.Users.ExcludeUsers = <"GuestsOrExternalUsers" | "Specific User ID" | @("User ID 1", "User ID 2", etc.)> $conditions.Users.IncludeGroups = <"group ID" | "All" | @("Group ID 1", "Group ID 2", etc...)> $conditions.Users.ExcludeGroups = <"group ID" | @("Group ID 1", "Group ID 2", etc...)> $conditions.Users.IncludeRoles = <"Role ID" | "All" | @("Role ID 1", "Role ID 2", etc...)> $conditions.Users.ExcludeRoles = <"Role ID" | @("Role ID 1", "Role ID 2", etc...)> $conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition $conditions.Locations.IncludeLocations = <"Location ID" | @("Location ID 1", "Location ID 2", etc...) > $conditions.Locations.ExcludeLocations = <"AllTrusted" | "Location ID" | @("Location ID 1", "Location ID 2", etc...)> $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls $controls._Operator = "OR" $controls.BuiltInControls = "block"

Next, update the existing conditional access policy with the condition set options configured with the previous commands:

Update-MgIdentityConditionalAccessPolicy -PolicyId <policy ID> -Conditions $conditions -GrantControls $controls

To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above:

New-MgIdentityConditionalAccessPolicy -Name "Policy Name" -State <enabled|disabled> -Conditions $conditions -GrantControls $controls