How to Use Microsoft 365 Conditional Access to Block Logins from High-Risk Countries

You get an alert that someone just tried to sign in to your Microsoft 365 tenant from a country where you have no employees. The attempt fails, but it is a reminder that a large share of opportunistic attacks comes from a handful of regions where your business never operates. Why leave your digital front door unlocked for the entire world? With Microsoft 365 Conditional Access, you can build a virtual geofence that blocks sign-ins based on where they come from.

Conditional Access works like an automated bouncer for your cloud applications. It lets you set simple yet powerful “if-then” rules: if a sign-in meets certain conditions, the system takes a specific action. For example, if someone signs in from a country where your company has no employees, access can be blocked outright. One caveat to keep in mind: Conditional Access is evaluated after the first factor (normally the password) has been validated. A location block therefore stops an attacker from using phished or sprayed credentials from a blocked country, but it does not stop the phishing emails or the password guesses themselves, and those failed attempts will still appear in your sign-in logs. So how do you put it into action?

Step 1: Define Your High-Risk Locations

The first step in setting up a location-based access defense is to identify the locations you consider high risk. To do this, sign in to the Microsoft Entra Admin Center with at least a Conditional Access Administrator role and follow these steps:

  1. Navigate to Entra ID, then Conditional Access and finally Named locations. Select the type of location to create: IP ranges location or Countries location.
  2. Give the location a name. For an IP ranges location, enter the ranges in CIDR notation. For a Countries location, select the countries or regions and choose whether the location is determined by IP address or by GPS coordinates from the Microsoft Authenticator app.
  3. If you selected IP ranges, there is an option to mark them as trusted locations. Use that for your own offices, not for ranges you intend to block.
  4. Once you have finished selecting countries or IP ranges, click Create.

The countries or IP ranges you selected form the baseline of your blocking rules. A Countries location also has an “Include unknown countries/regions” checkbox, which adds sign-ins whose source IP cannot be mapped to any country; tick it so that unmapped addresses are not silently allowed.

Step 2: Build Your Conditional Access Policy

The next step is to create a  Conditional Access Policy that uses the location list in Step 1. In this case, do the following: 

  1. Navigate to Entra ID, then Conditional Access, then Policies. Select New policy and give it a descriptive name.
  2. Under Assignments, open Users or workload identities. This is where you define who and what the policy affects.
  3. Under Include, choose All users. Under Exclude, choose Users and groups and select your organization’s emergency access (break-glass) accounts. Excluding them ensures they remain reachable if the policy misfires, so you cannot lock yourself out of your own tenant.

Step 3: Assign Resources and Target Locations

After defining who the policy applies to, the next step is to define what it protects and which sign-ins it applies to. Perform the following actions:

  1. Browse to Target resources, then Resources, and under Include choose All resources. This makes the policy apply to every application in the tenant, from SharePoint Online and Exchange Online to the Azure portal.
  2. Open the Network condition (formerly Locations), set Configure to Yes, and under Include choose Selected networks and locations. Select the named location you created in Step 1.

The goal of this step is to link your list of high-risk locations directly to the policy’s enforcement mechanism. Note that the location goes in the Include list: you are telling the policy to apply when the sign-in comes from one of those locations.

Step 4: Set the Access Control to Block

The final configuration step is the most straightforward but also the most important, since it ties everything together.

  1. Browse to Access controls, then Grant, and select Block access. Confirm your settings and set Enable policy to Report-only.
  2. Click Create. The policy now exists in report-only mode and is not yet enforced.

This step defines how the policy responds when a user signs in from a location on your blocked list. Once enforced, it does not prompt the user or send a warning; access is simply denied. Keep in mind what “denied” means here: the user has already presented a valid password, so a hit on this policy means a credential may already be compromised and is worth investigating, not just blocking.
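The same four steps can be scripted with the Microsoft Graph PowerShell SDK, which is useful when you manage several tenants or want the policy under version control. The block below is an added example written for this article, not the article’s own code or Microsoft’s; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Conditional Access Administrator role, and that the country codes and the break-glass account UPN (`breakglass@contoso.onmicrosoft.com`) are placeholders you replace with your own.

```powershell
# Added example: create the Countries named location (Step 1) and the report-only
# block policy (Steps 2-4) with Microsoft Graph PowerShell. Not code from the article.
# Assumptions: Microsoft.Graph module installed; caller is a Conditional Access
# Administrator; country codes and break-glass UPN below are placeholders.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Placeholders: replace with your own list and your own emergency access account.
$blockedCountries    = @("KP", "IR")                            # ISO 3166-1 alpha-2, assumed
$emergencyAccountUpn = "breakglass@contoso.onmicrosoft.com"     # assumed placeholder

# Step 1: Countries named location. includeUnknownCountriesAndRegions is the
# "Include unknown countries/regions" checkbox; clientIpAddress = locate by IP.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "High-risk countries"
    countriesAndRegions               = $blockedCountries
    includeUnknownCountriesAndRegions = $true
    countryLookupMethod               = "clientIpAddress"
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2: Conditional Access excludes by object ID, so resolve the break-glass UPN first.
$emergencyAccount = Get-MgUser -UserId $emergencyAccountUpn -Property Id, UserPrincipalName

# Steps 2-4: all users minus break-glass, all resources, the named location above,
# Block access, created in report-only state so nothing is enforced yet.
$policyBody = @{
    displayName   = "CA - Block sign-in from high-risk countries"
    state         = "enabledForReportingButNotEnforced"   # "enabled" once reviewed
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($emergencyAccount.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
        locations    = @{
            includeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Sanity check: the policy references the new location and is still report-only.
Write-Host "Created policy '$($policy.DisplayName)' [$($policy.Id)] in state '$($policy.State)'"
Write-Host "Targets named location '$($location.DisplayName)' [$($location.Id)]"
Write-Host "Excludes break-glass account $($emergencyAccount.UserPrincipalName) [$($emergencyAccount.Id)]"
```

The script deliberately never sets `state = "enabled"`; flipping that value is the job of Step 5, after you have reviewed what the policy would have done.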

Step 5: Test and Activate Your Location Block

Before fully activating the policy, proceed with caution. In Step 4 the policy was set to Report-only, which lets Entra ID log what the policy would have done without actually blocking anyone. Use this period to review the results: in the sign-in logs, open a sign-in and check the Conditional Access / Report-only tab, or use the Conditional Access insights and reporting workbook, and confirm that no legitimate employees are travelling or working from the locations you designated as blocked. Leave it in report-only long enough for occasional travellers to show up.

Once you are confident the policy works as intended without disrupting business operations, return to the policy and switch Enable policy from Report-only to On. At this point your location block is active.
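Clicking through individual sign-ins gets tedious, so here is an added example (not from the article) that pulls the last seven days of sign-ins through Microsoft Graph PowerShell, keeps only those where this policy would have blocked the user, groups them by account, and only then, behind an explicit switch, turns the policy on. It assumes the Microsoft.Graph module, a policy named `CA - Block sign-in from high-risk countries` (the name used in the earlier example; change it to match yours), and a caller with `AuditLog.Read.All` and `Policy.ReadWrite.ConditionalAccess`.

```powershell
# Added example: review report-only results for the location block policy and
# activate it only after review. Not code from the article.
# Assumptions: Microsoft.Graph module installed; policy name below matches yours;
# caller has AuditLog.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policyName = "CA - Block sign-in from high-risk countries"   # assumed name
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

# Last 7 days of interactive sign-ins. Each entry lists every CA policy that was
# evaluated and the per-policy result, so no extra log correlation is needed.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep sign-ins where THIS policy would have blocked (result "reportOnlyFailure").
# CA runs after the password is validated, so every row here is a valid-credential
# sign-in from a blocked location: either a traveller or a compromised account.
$wouldBlock = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object {
        $_.Id -eq $policy.Id -and $_.Result -eq "reportOnlyFailure"
    }
    if ($hit) {
        [pscustomobject]@{
            When    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            Country = $s.Location.CountryOrRegion
            IP      = $s.IPAddress
            App     = $s.AppDisplayName
            Error   = $s.Status.ErrorCode   # 0 = sign-in succeeded (report-only did not block)
        }
    }
}

# Per-user summary: a known traveller with one country looks very different from
# an account hit from several countries in a week.
$wouldBlock | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Countries'; e = { ($_.Group.Country | Sort-Object -Unique) -join ',' } },
        @{ n = 'Apps';      e = { ($_.Group.App     | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Flip the switch only after a human has looked at the table above.
$enforce = $false   # set to $true once the review shows nothing legitimate
if ($enforce) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ state = "enabled" }
    Write-Host "Policy '$policyName' is now enforced."
} else {
    Write-Host "Policy '$policyName' left in state '$($policy.State)'; review the table, then set `$enforce = `$true."
}
```

Any account that shows up here with an `Error` of 0 deserves a second look before you enable the policy: if the person was not actually abroad, the password is already in someone else’s hands and a reset, not just a block, is in order.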

A layered security approach, such as combining geographical access controls with other policies like multifactor authentication (MFA) for all users, creates a strong defense-in-depth strategy. Rather than relying on a single control, you establish multiple barriers that work together to protect your organization. Treat the geofence as noise reduction rather than a hard boundary: the country is derived from the source IP address, and a determined attacker can sign in through a VPN or residential proxy in an allowed country, so MFA and phishing-resistant credentials still carry the real weight. By limiting where access can originate, you reduce your attack surface and make your business a less appealing target for opportunistic attackers.

Is your Microsoft 365 environment secured as best as it can be? Let the Access Control experts at Sounds Computers help you design and implement effective Conditional Access policies. Contact us today for a cloud security review and ensure your organization stays protected from international cyber threats.




November 7, 2025
Tech Marketing Engine