CA-08: Blocking Access from High-Risk Countries

Overview

This guide walks you through creating a Conditional Access policy that blocks access from countries known for state-sponsored cyber attacks, sanctions violations, or elevated threat activity. This geographically-based control reduces your attack surface by preventing authentication attempts from regions where your organization has no legitimate business.

Control ID: CA-08
Category: Conditional Access
Severity: High
License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)

Why This Matters

IP geolocation is easy to evade (commercial VPNs, cloud hosts, residential proxies), so treat this control as a low-cost filter rather than a security boundary. It still provides value:

  • Reduces opportunistic attacks - A large share of password-spray and credential-stuffing traffic comes from infrastructure in a small number of regions
  • Compliance requirements - Export control regulations (ITAR, EAR) may require geographic restrictions
  • Sanctions compliance - OFAC and other regulations prohibit business with certain countries
  • Reduces noise - Fewer alerts to triage from regions with no legitimate traffic
  • Defense in depth - One layer in a multi-layered security strategy; it does not replace MFA or device controls

Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended)
  • Security Administrator
  • Global Administrator

Required Licenses

  • Microsoft Entra ID P1 or higher
  • Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2

Pre-Configuration Requirements

Before creating this policy:

  1. Identify blocked countries - Determine which countries to block based on risk and business needs
  2. Identify traveling users - Consider users who legitimately travel to blocked regions
  3. Emergency access accounts exist - Break-glass accounts must be excluded
  4. VPN considerations - Determine if legitimate users connect from blocked countries via VPN

Time Estimate

Task                                Duration
Create named location               10 minutes
Create Conditional Access policy    10 minutes
Testing and validation              30 minutes
Total                               about 1 hour

Recommended Country Block Lists

Choose countries based on your organization's risk appetite and baseline level:

Level 1 (Minimum - Sanctioned Nations)

Countries with active sanctions and high cyber-threat attribution:

Country             Reason
North Korea (KP)    OFAC sanctions, state-sponsored APT groups
Iran (IR)           OFAC sanctions, state-sponsored APT groups
Syria (SY)          OFAC sanctions

Level 2 (Enhanced Security)

Level 1 plus additional high-risk countries:

Country             Reason
Russia (RU)         High APT activity, sanctions
Cuba (CU)           OFAC sanctions

Level 3 (Maximum Security)

Level 1 + Level 2 plus additional risk considerations:

Country             Reason
China (CN)          High APT activity (evaluate business need)
Belarus (BY)        Regional risk, sanctions
Venezuela (VE)      OFAC sanctions

Important: Blocking China may have significant business impact. Carefully evaluate before including.


Step-by-Step Instructions

Part 1: Create a Named Location

First, create a named location containing the countries you want to block.

Step 1: Navigate to Named Locations

  1. Sign in to the Microsoft Entra admin center
  2. In the left navigation, expand Protection
  3. Select Conditional Access
  4. Click Named locations in the submenu

Step 2: Create Countries/Regions Location

  1. Click + Countries/Regions location
  2. Enter a name: High-Risk Countries
  3. Under Determine location by, select Determine location by IP address (recommended)
  4. Check the countries to include based on your chosen level:

For Level 1:

  • Korea, North
  • Iran
  • Syria

For Level 2 (add to Level 1):

  • Russia
  • Cuba

For Level 3 (add to Level 2):

  • China
  • Belarus
  • Venezuela
  5. Click Create

Note: "Determine location by IP address" uses Microsoft's IP geolocation database and needs nothing from the client. The alternative, "Determine location by GPS coordinates", asks the user to share device location from Microsoft Authenticator; it is not affected by where a VPN exits, but it only works for users who have the app and adds a location prompt to sign-in. Leave "Include unknown countries/regions" unchecked unless you deliberately want sign-ins from IPs that cannot be geolocated to be blocked as well; if you do check it, confirm your corporate egress and VPN ranges resolve to a country first.


Part 2: Create the Blocking Policy

Step 1: Navigate to Conditional Access Policies

  1. From Named locations, click Policies in the left menu
  2. Or navigate to Protection > Conditional Access > Policies

Step 2: Create a New Policy

  1. Click + New policy
  2. Enter a name: Block Access from High-Risk Countries

Step 3: Configure Users and Groups

  1. Under Assignments, click Users
  2. Select All users under Include
  3. Under Exclude, click Users and groups
  4. Add your emergency access accounts
  5. Optionally add users who legitimately travel to blocked regions

Step 4: Configure Target Resources

  1. Under Target resources, click Cloud apps
  2. Select All cloud apps under Include

Alternative - Specific apps only: If you only need to protect certain apps:

  1. Select Select apps
  2. Choose the apps requiring geographic protection

Step 5: Configure Location Condition

  1. Under Conditions, click Locations
  2. Set Configure to Yes
  3. Under Include, select Selected locations
  4. Check High-Risk Countries (the named location you created)

Important: The named location goes under Include, not Exclude. The policy should apply only to sign-ins from those countries, and the Grant control set in the next step is what blocks them. (The opposite pattern, "Any location" included with trusted locations excluded, is for allowlist-style policies, not this one.)

Step 6: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Block access
  3. Click Select

Step 7: Enable the Policy

  1. Under Enable policy, select On
  2. Click Create

Note: A Block policy takes effect the moment it is turned on, and its blast radius depends entirely on geolocation accuracy. Run the policy in Report-only for a few days first, check the Report-only results in the sign-in log for hits from your own offices, VPN exits and roaming users, and only then set it to On.
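The same named location and policy, created with the Microsoft Graph PowerShell SDK rather than the portal. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module is installed, the caller holds Conditional Access Administrator, and the break-glass UPNs and exception group name below are placeholders for your own tenant.

```powershell
# Added example: CA-08 named location + policy via Microsoft Graph PowerShell.
# Create permission for conditionalAccessPolicies needs Policy.Read.All and Application.Read.All
# alongside Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","Group.Read.All","User.Read.All"

$countries          = @("KP","IR","SY")                     # Level 1; add "RU","CU" / "CN","BY","VE" for Levels 2/3
$breakGlass         = @("bg-admin1@contoso.example","bg-admin2@contoso.example")   # placeholder UPNs
$exceptionGroupName = "Blocked Country Travel Exceptions"   # placeholder group from the exceptions section

# 1. Country named location. includeUnknownCountriesAndRegions = $false keeps IPs the geolocation
#    database cannot map out of scope; countryLookupMethod is the "Determine location by IP address" option.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "High-Risk Countries"
    countriesAndRegions               = $countries
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = "clientIpAddress"
}

# 2. Policies reference object IDs, not names, so resolve the exclusions first.
$excludeUsers   = @($breakGlass | ForEach-Object { (Get-MgUser -UserId $_).Id })
$exceptionGroup = Get-MgGroup -Filter "displayName eq '$exceptionGroupName'"
$excludeGroups  = if ($exceptionGroup) { @($exceptionGroup.Id) } else { @() }

# 3. All users, all apps, location condition = the named location, grant = block.
#    Start in report-only; switch to "enabled" once the sign-in log shows no unexpected hits.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block Access from High-Risk Countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $excludeUsers; excludeGroups = $excludeGroups }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 4. Read the policy back and print the items the verification checklist asks for.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
[pscustomobject]@{
    State            = $check.State
    Grant            = ($check.GrantControls.BuiltInControls -join ",")
    IncludeLocations = ($check.Conditions.Locations.IncludeLocations -join ",")
    ExcludedUsers    = ($check.Conditions.Users.ExcludeUsers -join ",")
    ExcludedGroups   = ($check.Conditions.Users.ExcludeGroups -join ",")
}

# 5. After the report-only review, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

The read-back in step 4 is worth keeping in a change ticket: it proves the break-glass accounts are in ExcludedUsers before the policy is enforced, which is the single most common way a geographic block locks an organisation out.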


Handling Legitimate Access from Blocked Countries

Option 1: User Exclusions

For users who regularly travel to blocked countries:

  1. Create a security group: Blocked Country Travel Exceptions
  2. Add users who have a documented need for access from blocked regions
  3. Exclude this group from the blocking policy

Keep this group small and review it: every member is fully reachable from the blocked regions, so make sure they are still covered by MFA and device-compliance policies, which this exclusion does not remove.

Option 2: Specific App Exceptions

If certain apps need global access:

  1. Create a separate policy for the specific app
  2. Do not include the location condition
  3. Ensure other security controls (MFA, device compliance) are in place

Option 3: Temporary Access

For temporary travel:

  1. Add user to exception group temporarily
  2. Remove after travel period
  3. Document the exception with approval

Option 4: VPN from Corporate Network

If users must access from blocked countries:

  1. Require connection to corporate VPN
  2. VPN exit point should be in allowed country
  3. Ensure VPN IP ranges are in trusted locations

Verification Checklist

After enabling the policy, verify successful implementation:

Named Location Verification

  • Named location appears in the list
  • Correct countries are selected
  • Location type is "Countries/Regions"

Policy Verification

  • Policy appears in Conditional Access policies list with status "On"
  • Location condition shows your named location
  • Grant control shows "Block"
  • Emergency access accounts are excluded

Access Testing

From Allowed Country:

  1. Sign in from your normal location
  2. Verify access is granted
  3. Check sign-in log shows policy as "Not applied" (location not matched)

From Blocked Country:

  1. Prefer the What If tool (Conditional Access > Policies > What If): pick a test user, set the IP address or Country to one in the named location, and confirm the policy is listed under "Policies that will apply" with Block access
  2. If you must test a real sign-in, use a test account and a VPN exit in a blocked country; check with legal first, since connecting from a sanctioned country can itself be a compliance issue
  3. Attempt to sign in and verify access is blocked
  4. Check the sign-in log shows the policy as "Failure" with "Block" as the grant control

Sign-in Log Analysis

  1. Navigate to Entra admin center > Monitoring > Sign-in logs
  2. Filter by location or Conditional Access policy
  3. Verify blocked sign-ins show your policy
  4. Check for any unexpected blocks

Troubleshooting

Legitimate Users Being Blocked

Symptom: Users in allowed countries are blocked.

Solutions:

  1. Check if user is connecting via VPN with exit in blocked country
  2. Verify their ISP IP is correctly geolocated
  3. Review sign-in logs for the actual detected location
  4. Consider adding the user to exception group temporarily

Users in Blocked Countries Not Blocked

Symptom: Access is granted from blocked countries.

Solutions:

  1. Verify the policy is enabled (not Report-only)
  2. Check if user is in an excluded group
  3. Verify the location condition includes the named location
  4. Check if user is connecting via VPN with exit in allowed country
  5. Review the sign-in log for policy evaluation

IP Geolocation Inaccuracies

Symptom: Microsoft's location detection is incorrect for some IPs.

Causes and mitigations:

  1. IP geolocation is not 100% accurate and the database lags behind address reassignments
  2. Corporate proxy servers and cloud egress may show the provider's location, not the user's
  3. ISPs may route traffic through unexpected regions
  4. Create an IP range named location for known corporate, proxy and VPN egress addresses and add it to this policy's location Exclude list (and mark it trusted for use by other policies); an exclusion always wins over the include, so a mis-geolocated corporate IP cannot trigger the block

Mobile Users on International Roaming

Symptom: Users roaming internationally are blocked.

Solutions:

  1. Roaming traffic is often tunnelled back through the home carrier, so the detected country is the home country and the user is not blocked
  2. If the carrier breaks out locally and the user is truly in a blocked country, they will be blocked
  3. Add to the exception group if the travel is legitimate
  4. Consider requiring the corporate VPN (with an allowed-country exit) for international access

Conflicting Policies

Symptom: Policy is not applying as expected due to other policies.

Solutions:

  1. Conditional Access has no policy ordering or priority: every policy whose conditions match a sign-in is evaluated and the controls are combined
  2. A Block in any matching policy overrides the grant controls of the others
  3. Check for policies with overlapping scope; an exclusion in this policy does not remove the user from other policies
  4. Use the "What If" tool, which accepts a user, app, IP address and country, to see which policies apply to a given sign-in

Policy Configuration Summary

Named Location

Setting          Value
Name             High-Risk Countries
Type             Countries/Regions
Determination    IP address
Countries        Based on chosen level (KP, IR, SY, RU, CU, etc.)

Conditional Access Policy

Setting                  Value
Policy Name              Block Access from High-Risk Countries
Users - Include          All users
Users - Exclude          Emergency access accounts, travel exception group
Cloud Apps               All cloud apps
Conditions - Locations   Include: High-Risk Countries
Grant                    Block access
Enable Policy            On

Monitoring and Maintenance

Regular Reviews

  1. Monthly: Review blocked sign-in attempts for patterns
  2. Quarterly: Evaluate country list against current threat landscape
  3. Annually: Review exception group membership

Updating the Country List

To add or remove countries:

  1. Navigate to Named locations
  2. Click on your high-risk countries location
  3. Add or remove countries as needed
  4. Click Save

The Conditional Access policy references the named location by ID, so it uses the updated list without being edited. Existing tokens are not revoked by the change; the new list is enforced at the next authentication or token refresh (sooner for resources that support continuous access evaluation).
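The same update done with the Microsoft Graph PowerShell SDK, with a diff of the change printed before it is applied so the change record shows exactly which countries were added or removed. Added example, not from the original guide; it assumes the named location and policy were created with the names used in this guide and that the caller has Policy.ReadWrite.ConditionalAccess.

```powershell
# Added example: move the High-Risk Countries location from Level 1 to Level 2 and confirm the
# policy still points at it. A PATCH on a countryNamedLocation must repeat "@odata.type".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$desired = @("KP","IR","SY","RU","CU")   # Level 2 list from the guide

# Match client-side on the display name; the SDK returns the base namedLocation type, so the
# country-specific properties surface in AdditionalProperties.
$loc = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq "High-Risk Countries" }
if (-not $loc) { throw "Named location 'High-Risk Countries' not found" }

$current  = @($loc.AdditionalProperties["countriesAndRegions"])
$adding   = @($desired | Where-Object { $_ -notin $current })
$removing = @($current | Where-Object { $_ -notin $desired })
"Current : $($current -join ',')"
"Adding  : $($adding -join ',')"
"Removing: $($removing -join ',')"

if ($adding.Count -eq 0 -and $removing.Count -eq 0) {
    "No change required."
} else {
    Update-MgIdentityConditionalAccessNamedLocation -NamedLocationId $loc.Id -BodyParameter @{
        "@odata.type"       = "#microsoft.graph.countryNamedLocation"
        countriesAndRegions = $desired
    }
}

# Verify: the list now matches, and the policy still includes this location by ID.
$after = Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $loc.Id
"Applied : $(@($after.AdditionalProperties['countriesAndRegions']) -join ',')"

$policy = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq "Block Access from High-Risk Countries" }
"Policy references location: $($policy.Conditions.Locations.IncludeLocations -contains $loc.Id)"
```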

Reporting on Blocked Attempts

  1. Navigate to Sign-in logs
  2. Add filter: Conditional access = Failure (the portal filter takes Success, Failure or Not applied, not a policy name)
  3. Open an entry and use its Conditional Access tab to confirm the policy name and the Block grant control
  4. For bulk review, stream sign-in logs to Log Analytics and query the SigninLogs table, or pull them with the Microsoft Graph sign-ins API, then export for security review
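A script for the monthly review that serves both the Sign-in Log Analysis step in the verification checklist and the reporting step above: it pulls the last seven days of Conditional Access failures, keeps only those where this policy applied the Block control, summarises them by country and account, and flags accounts that were also seen signing in successfully (a likely mis-geolocated ISP range or VPN exit). Added example, not from the original guide; it assumes the Microsoft.Graph.Reports module, AuditLog.Read.All, and the policy name used in this guide.

```powershell
# Added example: report on sign-ins blocked by CA-08 using the Graph sign-ins API.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$policyName = "Block Access from High-Risk Countries"
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# conditionalAccessStatus is filterable server-side; the policy name is not, so match it client-side.
# While the policy is in Report-only, drop the status clause and match Result "reportOnlyFailure" instead.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and conditionalAccessStatus eq 'failure'"

$blocked = @(foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName -and $_.Result -eq "failure" }
    if ($hit) {
        [pscustomobject]@{
            Time    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            IP      = $s.IPAddress
            Country = $s.Location.CountryOrRegion
            City    = $s.Location.City
            Grant   = ($hit.EnforcedGrantControls -join ",")
        }
    }
})

"Blocked sign-ins in window: $($blocked.Count)"

# Patterns for the monthly review: countries and accounts hit most often.
$blocked | Group-Object Country | Sort-Object Count -Descending | Select-Object Name, Count
$blocked | Group-Object User    | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

# Unexpected blocks: an account that also signed in successfully in the same window is worth a look
# (mis-geolocated ISP range, VPN exit in a blocked country, or a real attack on a real user).
$suspect = foreach ($u in ($blocked.User | Sort-Object -Unique)) {
    $ok = Get-MgAuditLogSignIn -Top 1 -Filter "userPrincipalName eq '$u' and conditionalAccessStatus eq 'success' and createdDateTime ge $since"
    if ($ok) { $u }
}
$blocked | Where-Object { $_.User -in $suspect } | Sort-Object Time | Format-Table Time, User, IP, Country, App

# Export for the security review.
$blocked | Export-Csv -Path ".\ca08-blocked-signins.csv" -NoTypeInformation
```

The per-user success lookup is deliberately a separate query per account rather than one pull of all successful sign-ins, because the successful set for a tenant over a week is usually far larger than the blocked set.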

Integration with Other Controls

Combine with Risk Policies

For comprehensive protection:

  1. Geographic blocking (CA-08) - Stops known bad regions
  2. Sign-in risk (CA-03) - Flags anonymous-IP and atypical-travel sign-ins, which is where an attacker routing through an allowed country tends to surface
  3. MFA (CA-01) - Adds authentication barrier

Trusted Locations

Create trusted named locations for:

  • Corporate office IP ranges
  • VPN exit points
  • Data center IP ranges

These can be excluded from other policies or used for allow rules.


Compliance Considerations

OFAC Sanctions

If blocking for OFAC compliance, document:

  • Countries blocked
  • Policy effective date
  • Review schedule
  • Exception process

Export Control (ITAR/EAR)

For controlled technical data:

  • May need to block additional countries
  • Consider restricting specific applications vs. all cloud apps
  • Document technical controls in compliance documentation

Data Residency

Geographic blocking does not change where data is stored, so it is not a data residency control in itself, but it can satisfy the "access only from permitted regions" requirements that often accompany residency rules.


Related Controls

  • CA-01: Require MFA for All Users (authentication barrier)
  • CA-03: Block or MFA for Risky Sign-Ins (catches VPN bypass)
  • CA-09: Zero Trust Network Access (comprehensive location enforcement)
  • EXT-03: Restrict Guest Access to Allowlisted Domains (external access control)

Additional Resources