In this lesson, we cover how to create and apply a Conditional Access policy that improves security by restricting user sign-ins to approved geographic locations, specifically the United States. Restricting sign-ins by location reduces the risk of unauthorized access attempts from high-risk or unexpected regions, such as foreign countries commonly associated with malicious activity. This Conditional Access policy requires every device attempting to log in to be located in the U.S., as determined from the IP address of the device.

  1. Log into the Entra ID Admin Center.

     If you are already in Entra, click on Home in the upper left corner of the screen.

  2. From the Navigation Pane, under Protection, select Conditional Access.

  3. Under Manage, select Named locations.

  4. At the top of the page, click + Countries location.

  5. Under Name, type: Approved Countries. Scroll down, select United States, and click Create at the bottom of the screen.

We have now defined the named location from which Entra will allow logins. Next, we need to create the Conditional Access policy that tells Entra to block login attempts from all countries other than the approved countries.

  6. Under Protection, click on Conditional Access and then Create new policy.

  7. Under Name, enter: CA02: Block Access from Other Countries

  8. Under Users, click on 0 users and groups selected.

  9. Under Include, select All users.

  10. Under Exclude, select Users and groups. Then click on users and groups selected.

      Note: If the pop-up window does not open automatically, click 0 users and groups selected.

  11. From the pop-up window, select the Emergency Access Account.

  12. Click Select at the bottom of the screen.

  13. Under Target resources, click No target resources selected.

  14. Under Select what this policy applies to, make sure the dropdown menu shows Resources (formerly cloud apps).

  15. Under Include, click on All resources (formerly 'All cloud apps').

  16. Under Network, click Not configured.

  17. Under Configure, click Yes.

  18. Under Include, click Any network or location.

  19. Click on Exclude, then Selected networks and locations.

  20. Under Select, click None.

  21. In the pop-up window, select Approved Countries.

  22. Click Save at the bottom of the screen.

  23. Under Conditions, click 1 condition selected.

  24. Under Client apps, click Not configured.

  25. Click Yes to configure the settings.

  26. Ensure that the checkboxes next to Browser and Mobile apps and desktop clients are checked.

  27. Click Done.

  28. Under Filter for devices, click Not configured.

  29. Click Yes to configure the settings.

  30. Under Devices matching the rule, click Exclude filtered devices from policy.

  31. In the filter rule field, use the dropdown menus to select IsCompliant under Property, Equals under Operator, and True under Value.

  32. At the bottom of the page, click Done.

  33. Under Grant, click 0 controls selected.

  34. Click Block access.

  35. Click Require one of the selected controls.

  36. Click Done.

You may see a warning about locking yourself out. Not to worry: we have excluded the BreakTheGlass account as a failsafe way to access the tenant in case your account is ever locked out. It is not necessary to exclude yourself from this policy.

  37. Click on Create at the bottom of the screen.
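The same named location and policy can be built with Microsoft Graph PowerShell, which is useful for reproducing the lesson across tenants or reviewing exactly what the portal clicks produce. This is an added example, not part of the original lesson; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that you hold the Policy.ReadWrite.ConditionalAccess scope, and that the emergency access account's object ID is substituted for the placeholder.

```powershell
# Added example (not from the original lesson): creates the "Approved Countries"
# named location and the CA02 block policy through Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns is installed; the break-glass ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassUserId = "<object-id-of-emergency-access-account>"   # placeholder, replace

# Step 1: the named location, United States only.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Approved Countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false   # IPs that cannot be geolocated stay outside the allow-list
}
$approved = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2: the block policy. Created in report-only mode so the sign-in logs show
# what it would have blocked before the state is changed to "enabled".
$policyBody = @{
    displayName = "CA02: Block Access from Other Countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")                 # All users
            excludeUsers = @($breakGlassUserId)     # Emergency Access Account
        }
        applications = @{ includeApplications = @("All") }   # All resources
        locations = @{
            includeLocations = @("All")             # Any network or location
            excludeLocations = @($approved.Id)      # except Approved Countries
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices = @{
            deviceFilter = @{
                mode = "exclude"                    # Exclude filtered devices from policy
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = "OR"                      # Require one of the selected controls
        builtInControls = @("block")                # Block access
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Sanity check: the approved location must be in the exclusion list, otherwise
# the policy would block every sign-in, including those from the U.S.
$policy.Conditions.Locations.ExcludeLocations -contains $approved.Id
```

Review the report-only results in the sign-in logs before setting `state` to `enabled`, and confirm the emergency access account appears under the excluded users.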