I have a user (VP) who is out of the country in CA and cannot log in due to a CA policy blocking that country.

The Conditional Access policy is the default blanket one, with "block all countries" checked; nothing special.

I ran "diagnose and solve problems" on the user's sign-in logs. Should I just uncheck Canada as a blocked country until she gets back Monday next week, or is there something I can add to just let her access and not the whole country? I see where I can add the IP address that is recorded, but I'm not sure what to add at the end of the IP. An example is 40.77.182.32/27. How would I find the /number for her IP address?

The person who created this policy has left the company, and a policy of why and what to do is not clear, so I am trying to find out best practice and the easiest fix.

4 Spice ups

My advice here would be first to check with whoever made the decision to block Canada and see if you can unblock it.

Alternatively, you will need the IP addresses that they might sign in from, and there could be more than one if they are signing in from mobile, on hotel wifi, etc.

They could go to any site that shows an IP address such as

https://whatismyipaddress.com/

etc.

Now, in the Conditional Access policy you have a network section (it used to say "locations"; it's in the process of being rearranged for Global Secure Access), which is where you define what's included and what's excluded.

This is going to depend entirely on how you blocked it to begin with. For example, you might have a policy that just blocks locations, where the included locations are the countries you wish to block and then under grant you have "block". If that's the case, then you would put their IPs in a location and list that under excluded.

Without knowing how you are blocking it, it's hard to tell you how to unblock it.

1 Spice up

If you just want to allow her exact IP and not the entire country, use the CIDR notation /32. That means you’re allowing just one specific IP address, no more, no less. So if her IP is 203.0.113.42, you’d add it as 203.0.113.42/32.

Be aware, though, that if her IP is dynamic (as in, it changes frequently), this may not hold. In that case, consider temporarily exempting her user account from the Conditional Access policy until she returns.

3 Spice ups
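As an added example (not code from anyone in this thread), the following PowerShell shows both halves of the reply above: what a /N prefix actually covers (so you can confirm that a recorded IP such as 40.77.182.32/27 really includes the address you care about, and why /32 is the safe choice for a single host), and how to turn the observed IPs into an IP named location excluded from the blocking policy using the Microsoft.Graph PowerShell SDK. The policy display name, the named-location name and the sample IPs are assumptions and constructed values, not taken from the thread.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph SDK and the
# Policy.ReadWrite.ConditionalAccess / Policy.Read.All delegated permissions.

function ConvertTo-IPv4Int {
    # Dotted quad -> 64-bit integer (kept as [long] to avoid unsigned edge cases).
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function ConvertFrom-IPv4Int {
    param([Parameter(Mandatory)][long]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-CidrRange {
    # First/last address and size of an IPv4 CIDR. 40.77.182.32/27 covers
    # 40.77.182.32-40.77.182.63 (32 addresses); a /32 covers exactly one host.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length must be 0-32: $Cidr" }
    $size  = [long]1 -shl (32 - $prefix)
    $base  = ConvertTo-IPv4Int $ip
    $first = $base - ($base % $size)            # snap to the network boundary
    [pscustomobject]@{
        Cidr      = $Cidr
        First     = ConvertFrom-IPv4Int $first
        Last      = ConvertFrom-IPv4Int ($first + $size - 1)
        Addresses = $size
    }
}

function Test-IpInCidr {
    # True when $Ip falls inside $Cidr; use it to confirm a recorded IP is covered.
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $r = Get-CidrRange $Cidr
    $n = ConvertTo-IPv4Int $Ip
    return ($n -ge (ConvertTo-IPv4Int $r.First)) -and ($n -le (ConvertTo-IPv4Int $r.Last))
}

Get-CidrRange '40.77.182.32/27' | Format-List          # shows the 32-address span
Test-IpInCidr -Ip '40.77.182.40' -Cidr '40.77.182.32/27'  # True
Test-IpInCidr -Ip '40.77.182.70' -Cidr '40.77.182.32/27'  # False: outside the /27

# IPs taken from the user's sign-in log (constructed sample values from TEST-NET ranges).
$observedIps = @('203.0.113.42', '198.51.100.7')
$ipRanges = foreach ($ip in $observedIps) {
    @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = "$ip/32" }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# isTrusted stays $false: this is an exception to the country block, not a "trusted
# network", which would also relax MFA and risk policies that key off trusted locations.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Temp exception - VP travel (remove after return)'   # assumed name
    isTrusted     = $false
    ipRanges      = $ipRanges
}

# Locate the blocking policy (assumed display name) and add the exclusion while
# preserving the existing include list, so the country block itself stays in force.
$policy  = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Block Outside US'" |
           Select-Object -First 1
$exclude = @($policy.Conditions.Locations.ExcludeLocations | Where-Object { $_ }) + $location.Id
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{
    conditions = @{
        locations = @{
            includeLocations = @($policy.Conditions.Locations.IncludeLocations)
            excludeLocations = $exclude
        }
    }
}
```

The exclusion only applies when a new token is issued, so the user may need to sign out and back in, and the named location should be deleted (or emptied) once she is back, since a stale /32 exception is easy to forget. If the hotel or mobile IP changes, the new address has to be added the same way, which is why the reply above falls back to excluding the user account for dynamic addresses.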

Conditional Access Policy is default blanket and block all countries checked nothing special

1 Spice up

Thank you. How would I do this just temporarily for her?

1 Spice up

In the Conditional Access policy, the section for users has a link for Exclude Users where you can add users and groups who are exceptions to the policy.

3 Spice ups

"is there something I can add to just let her access and not the whole country"

You can exclude users/groups in the specific CA policy. You could exclude just her user account from the policy temporarily. This is probably the simplest fix that doesn’t open too many security holes.

1 Spice up

If you are blocking all countries, how is anyone logging in?

1 Spice up

I set this up. We have a Security Group called VIP-Travel-Outside-US that is excluded from the CA policy Block Outside US. When a doctor wants to travel to a wedding or a family vacation in Italy, we determine if they "should" be working during that time. If so, we add them to the security group on the morning of travel, get their time of arrival back in country, and remove them from that security group on the morning of travel back.

4 Spice ups

@Jake1590 This is the best answer for sure. Security exemptions done via group membership are easier to manage than individual exemptions.

You can also use scripts or access reviews to automate reviewing members in the travel-outside Entra group in case you forget to manually remove them when they return.

4 Spice ups

This, plus we initiate a sign-out in O365 upon return to the country. In the past we have run into issues with internet tabs/apps holding onto a token from the out-of-country login, and the forced sign-out when they return seems to cut down on a lot of that noise.

That's another reason. People signing in on public kiosks/libraries etc. potentially stay signed in. I have one company where someone signed into a library computer with their corporate creds, and now that computer's Office installation is managed by their 365 apps config portal with no apparent way to get rid of it, as it is not registered in Intune/Azure.

We created an AD Security Group "Exclude_BlockedCountries_Policy" and excluded that group from the trusted countries filter on our CA policy. This way, when someone travels we can add them (temporarily) to that group for the duration of the trip, and they can still log in and we don't have to manually edit the CA policy every time.

Depending on what your policy looks like, you may need to separate "Block Countries" into its own policy so you are only excluding the user from the trusted countries control and not the other CA access controls.

Works well when people remember to tell us they are travelling.

1 Spice up
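The group-based pattern from Jake1590's post and the two replies that build on it (automated review of the travel group, and a forced sign-out on return) can be scripted so that the exception is time-boxed rather than depending on someone remembering. The PowerShell below is an added example, not code from any poster: it adds a user to the exclusion group with a recorded return date, and a cleanup function (meant to run daily from Task Scheduler or Azure Automation) removes anyone past that date and revokes their sign-in sessions. The group name, ledger path, UPN and dates are assumptions; it uses the Microsoft.Graph SDK.

```powershell
# Added example, not from the thread. Requires Microsoft.Graph with
# GroupMember.ReadWrite.All, User.ReadWrite.All (for Revoke-MgUserSignInSession)
# and Directory.Read.All.

$GroupName = 'VIP-Travel-Outside-US'        # assumed: the group excluded from the block policy
$Ledger    = 'C:\ops\travel-exceptions.csv' # assumed; columns: UserPrincipalName, ReturnDate

function Add-TravelException {
    # Put the traveller in the exclusion group and record when the exception ends.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][datetime]$ReturnDate
    )
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    $user  = Get-MgUser -UserId $UserPrincipalName
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        ReturnDate        = $ReturnDate.ToString('o')   # ISO 8601 so it round-trips
    } | Export-Csv -Path $Ledger -Append -NoTypeInformation
}

function Remove-ExpiredTravelExceptions {
    # Remove everyone whose return date has passed and kill their sessions, so a
    # browser tab or app that signed in abroad cannot keep its tokens alive.
    $group   = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    $now     = Get-Date
    $entries = @(Import-Csv -Path $Ledger)
    $keep    = @()
    foreach ($e in $entries) {
        if ([datetime]$e.ReturnDate -gt $now) { $keep += $e; continue }
        $user = Get-MgUser -UserId $e.UserPrincipalName
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null   # invalidates refresh tokens
        Write-Host "Removed $($e.UserPrincipalName) from $GroupName and revoked sessions"
    }
    if ($keep.Count -gt 0) { $keep | Export-Csv -Path $Ledger -NoTypeInformation }
    else                   { Remove-Item -Path $Ledger -ErrorAction SilentlyContinue }
}

Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'User.ReadWrite.All', 'Directory.Read.All'

# Assumed values: a VP travelling until the stated return date.
Add-TravelException -UserPrincipalName 'vp@example.com' -ReturnDate (Get-Date '2024-06-10')

# Run this on a schedule; it is idempotent and safe to run every day.
Remove-ExpiredTravelExceptions
```

Revoking sessions is the scripted equivalent of the "initiate a sign-out in O365" step described above: removing the group membership only changes what the policy decides at the next token issuance, so an access token or browser session obtained while abroad keeps working until it expires unless it is revoked. An Entra access review on the same group is a good safety net for entries the ledger misses.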

That is a good example of why you want to have controls in your "Conditional Access Policy >> Session" to control how long a session lives, including killing persistent browser sessions.

Or use Conditional Access to restrict sign in to Entra ID Registered \ Domain Joined (they are different) devices only.

Getting there with them; we had to get mobile devices onboarded in Intune first.