CA-08: Blocking Access from High-Risk Countries
Overview
This guide walks you through creating a Conditional Access policy that blocks access from countries known for state-sponsored cyber attacks, sanctions violations, or elevated threat activity. This geographically-based control reduces your attack surface by preventing authentication attempts from regions where your organization has no legitimate business.
Control ID: CA-08 Category: Conditional Access Severity: High License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)
Why This Matters
While VPNs can bypass geographic restrictions, blocking high-risk countries still provides significant value. Keep one limitation in mind: Conditional Access is evaluated only after first-factor authentication succeeds. A block policy denies token issuance to a correct password presented from a blocked country, but it does not stop password-spray attempts from being made against your tenant, so it complements MFA and smart lockout rather than replacing them.
- Reduces opportunistic attacks - Many attacks originate from specific regions, and a correctly guessed or phished password alone no longer yields a session from those regions
- Compliance requirements - Export control regulations (ITAR, EAR) may require geographic restrictions
- Sanctions compliance - OFAC and other regulations prohibit business with certain countries
- Reduces noise - Fewer false-positive alerts from regions with no legitimate traffic
- Defense in depth - One layer in a multi-layered security strategy
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P1 or higher
- Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2
Pre-Configuration Requirements
Before creating this policy:
- Identify blocked countries - Determine which countries to block based on risk and business needs
- Identify traveling users - Consider users who legitimately travel to blocked regions
- Emergency access accounts exist - Break-glass accounts must be excluded
- VPN considerations - Determine if legitimate users connect from blocked countries via VPN
Time Estimate
| Task | Duration |
|---|---|
| Create named location | 10 minutes |
| Create Conditional Access policy | 10 minutes |
| Testing and validation | 30 minutes |
| Total | 50 minutes |
Recommended Country Block Lists
Choose countries based on your organization's risk appetite and baseline level:
Level 1 (Minimum - Sanctioned Nations)
Countries with active sanctions and high cyber-threat attribution:
| Country | Reason |
|---|---|
| North Korea (KP) | OFAC sanctions, state-sponsored APT groups |
| Iran (IR) | OFAC sanctions, state-sponsored APT groups |
| Syria (SY) | OFAC sanctions |
Level 2 (Enhanced Security)
Level 1 plus additional high-risk countries:
| Country | Reason |
|---|---|
| Russia (RU) | High APT activity, sanctions |
| Cuba (CU) | OFAC sanctions |
Level 3 (Maximum Security)
Level 1 + Level 2 plus additional risk considerations:
| Country | Reason |
|---|---|
| China (CN) | High APT activity (evaluate business need) |
| Belarus (BY) | Regional risk, sanctions |
| Venezuela (VE) | OFAC sanctions |
Important: Blocking China may have significant business impact. Carefully evaluate before including.
Step-by-Step Instructions
Part 1: Create a Named Location
First, create a named location containing the countries you want to block.
Step 1: Navigate to Named Locations
- Sign in to the Microsoft Entra admin center
- In the left navigation, expand Protection
- Select Conditional Access
- Click Named locations in the submenu
Step 2: Create Countries/Regions Location
- Click + Countries/Regions location
- Enter a name:
High-Risk Countries
- Under Determine location by, select Determine location by IP address (recommended)
- Check the countries to include based on your chosen level:
For Level 1:
- Korea, North
- Iran
- Syria
For Level 2 (add to Level 1):
- Russia
- Cuba
For Level 3 (add to Level 2):
- China
- Belarus
- Venezuela
- Click Create
Note: "Determine location by IP address" resolves the sign-in's source IP against Microsoft's IP geolocation database and works for every client. The alternative, "Determine location by GPS coordinates", requires Microsoft Authenticator with location sharing and prompts the user for their location at sign-in; it is harder to spoof with a VPN but adds friction, so reserve it for high-value scenarios. Microsoft cannot map every IP address to a country; the "Include unknown countries/regions" checkbox controls whether sign-ins with an unresolved location count as being inside this named location. Leave it unchecked at first and review sign-ins that show an unknown location before turning it on.
Part 2: Create the Blocking Policy
Step 1: Navigate to Conditional Access Policies
- From Named locations, click Policies in the left menu
- Or navigate to Protection > Conditional Access > Policies
Step 2: Create a New Policy
- Click + New policy
- Enter a name:
Block Access from High-Risk Countries
Step 3: Configure Users and Groups
- Under Assignments, click Users
- Select All users under Include
- Under Exclude, click Users and groups
- Add your emergency access accounts
- Optionally add users who legitimately travel to blocked regions
Step 4: Configure Target Resources
- Under Target resources, click Cloud apps
- Select All cloud apps under Include
Alternative - Specific apps only: If you only need to protect certain apps:
- Select Select apps
- Choose the apps requiring geographic protection
Step 5: Configure Location Condition
- Under Conditions, click Locations
- Set Configure to Yes
- Under Include, select Selected locations
- Check High-Risk Countries (the named location you created)
Important: Include the high-risk location (not exclude). The Grant control will block access.
Step 6: Configure Access Controls
- Under Access controls, click Grant
- Select Block access
- Click Select
Step 7: Enable the Policy
- Under Enable policy, select On
- Click Create
Note: Even though the impact is bounded by the named location, run the policy in Report-only for a few days before switching it On. Report-only results in the sign-in log show which legitimate users would have been blocked because of geolocation errors, corporate proxy egress, or VPN exit points, without locking anyone out. Switch to On once the report-only results contain only expected sources.
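The same two parts (named location, then blocking policy) scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module is installed, the signed-in admin holds a role that can write Conditional Access policies, and that the break-glass UPNs and the exception-group name are placeholders you replace with your own. The policy is created in report-only state so it can be reviewed before enforcement.

```powershell
# Added example, not from the original guide: CA-08 via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed, the caller can write Conditional Access policies,
# and the break-glass UPNs and exception-group name below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "User.Read.All", "Group.Read.All"

# Country lists from the three levels in this guide, as ISO 3166-1 alpha-2 codes.
$Level1  = @("KP", "IR", "SY")
$Level2  = $Level1 + @("RU", "CU")
$Level3  = $Level2 + @("CN", "BY", "VE")
$Blocked = $Level1            # pick the level that matches your risk appetite

# Part 1: the Countries/Regions named location. The "@odata.type" key selects the location type;
# countryLookupMethod "clientIpAddress" is the portal's "Determine location by IP address".
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "High-Risk Countries"
    countriesAndRegions               = $Blocked
    countryLookupMethod               = "clientIpAddress"
    includeUnknownCountriesAndRegions = $false   # enable only after reviewing "unknown" sign-ins
}

# Exclusions: break-glass accounts by object ID and the travel-exception group. -ErrorAction Stop
# fails closed: a policy created without its exclusions would lock out the break-glass accounts.
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id
})

$travelGroup = Get-MgGroup -Filter "displayName eq 'Blocked Country Travel Exceptions'" |
    Select-Object -First 1
if (-not $travelGroup) { throw "Exception group not found; create it before the policy" }

# Part 2: the blocking policy, created in report-only mode first.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block Access from High-Risk Countries"
    state         = "enabledForReportingButNotEnforced"   # set "enabled" after reviewing report-only results
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeUsers  = $breakGlassIds
            excludeGroups = @($travelGroup.Id)
        }
        applications = @{ includeApplications = @("All") }
        # Include (not exclude) the location: the Block grant applies to sign-ins from inside it.
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

The body hashtables mirror the Graph `countryNamedLocation` and `conditionalAccessPolicy` resources, so the same shapes work with `Invoke-MgGraphRequest` or any other Graph client. Change `$Blocked` to `$Level2` or `$Level3` to widen the list, and flip `state` to `"enabled"` only after the report-only results have been reviewed.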
Handling Legitimate Access from Blocked Countries
Option 1: User Exclusions
For users who regularly travel to blocked countries:
- Create a security group:
Blocked Country Travel Exceptions
- Add users who have documented need for access from blocked regions
- Exclude this group from the blocking policy
Option 2: Specific App Exceptions
If certain apps need global access:
- Create a separate policy for the specific app
- Do not include the location condition
- Ensure other security controls (MFA, device compliance) are in place
Option 3: Temporary Access
For temporary travel:
- Add user to exception group temporarily
- Remove after travel period
- Document the exception with approval
Option 4: VPN from Corporate Network
If users must access from blocked countries:
- Require connection to corporate VPN
- VPN exit point should be in allowed country
- Ensure VPN IP ranges are in trusted locations
Verification Checklist
After enabling the policy, verify successful implementation:
Named Location Verification
- Named location appears in the list
- Correct countries are selected
- Location type is "Countries/Regions"
Policy Verification
- Policy appears in Conditional Access policies list with status "On"
- Location condition shows your named location
- Grant control shows "Block"
- Emergency access accounts are excluded
Access Testing
From Allowed Country:
- Sign in from your normal location
- Verify access is granted
- Check sign-in log shows policy as "Not applied" (location not matched)
From Blocked Country (if possible to simulate):
- Prefer the What If tool (Protection > Conditional Access > Policies > What If): select a test user and set the Country/Region or IP address condition to a blocked country, then confirm the policy is listed under the policies that will apply with Block access. This needs no connection from the blocked region
- If you test with a live sign-in through a VPN exit point in a blocked country, use a dedicated test account and attempt to sign in
- Verify access is blocked
- Check sign-in log shows policy as "Failure" with "Block" grant
Sign-in Log Analysis
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Filter by location or Conditional Access policy
- Verify blocked sign-ins show your policy
- Check for any unexpected blocks
Troubleshooting
Legitimate Users Being Blocked
Symptom: Users in allowed countries are blocked.
Solutions:
- Check if user is connecting via VPN with exit in blocked country
- Verify their ISP IP is correctly geolocated
- Review sign-in logs for the actual detected location
- Consider adding the user to exception group temporarily
Users in Blocked Countries Not Blocked
Symptom: Access is granted from blocked countries.
Solutions:
- Verify the policy is enabled (not Report-only)
- Check if user is in an excluded group
- Verify the location condition includes the named location
- Check if user is connecting via VPN with exit in allowed country
- Review the sign-in log for policy evaluation
IP Geolocation Inaccuracies
Symptom: Microsoft's location detection is incorrect for some IPs.
Causes:
- IP geolocation is not 100% accurate, and the country assigned to an IP range can change between database updates
- Corporate proxies, cloud security services, and VPN concentrators present an egress IP that may be geolocated somewhere other than the user's real location
- ISPs may route traffic through unexpected regions
Solutions:
- Review the IP address and detected location in the sign-in log before assuming user error or an attack
- Create an IP-based named location for known corporate egress IP ranges, mark it as trusted, and exclude it from the blocking policy
Mobile Users on International Roaming
Symptom: Users roaming internationally are blocked.
Solutions:
- Mobile carriers may route data through home country (allowed)
- If truly in blocked country, they will be blocked
- Add to exception group if legitimate travel
- Consider VPN requirement for international access
Conflicting Policies
Symptom: Policy is not applying as expected due to other policies.
Solutions:
- Conditional Access uses "most restrictive wins" for block/grant
- A block policy will override grant policies
- Check for policies with overlapping scope
- Use the "What If" tool to diagnose
Policy Configuration Summary
Named Location
| Setting | Value |
|---|---|
| Name | High-Risk Countries |
| Type | Countries/Regions |
| Determination | IP address |
| Countries | Based on chosen level (KP, IR, SY, RU, CU, etc.) |
Conditional Access Policy
| Setting | Value |
|---|---|
| Policy Name | Block Access from High-Risk Countries |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts, travel exception group |
| Cloud Apps | All cloud apps |
| Conditions - Locations | Include: High-Risk Countries |
| Grant | Block access |
| Enable Policy | On |
Monitoring and Maintenance
Regular Reviews
- Monthly: Review blocked sign-in attempts for patterns
- Quarterly: Evaluate country list against current threat landscape
- Annually: Review exception group membership
Updating the Country List
To add or remove countries:
- Navigate to Named locations
- Click on your high-risk countries location
- Add or remove countries as needed
- Click Save
The Conditional Access policy automatically uses the updated location.
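Updating the list from Microsoft Graph PowerShell, as an added example that is not part of the original guide. It assumes the named location created earlier exists with the display name "High-Risk Countries" and that the Microsoft.Graph module is installed. The point worth seeing in code is that a PATCH on a country named location replaces `countriesAndRegions` wholesale, so the script reads the current list, merges the additions and removals, and writes the full result back.

```powershell
# Added example, not from the original guide: move the named location from Level 1 to Level 2.
# Assumes the location was created with displayName "High-Risk Countries".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$LocationName = "High-Risk Countries"
$Add    = @("RU", "CU")   # Level 2 additions
$Remove = @()             # codes to drop, if any

$loc = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq $LocationName } | Select-Object -First 1
if (-not $loc) { throw "Named location '$LocationName' not found" }

# Type-specific properties of a countryNamedLocation surface under AdditionalProperties in the
# v1.0 SDK; wrap in @() so the generic List can be concatenated like an array.
$current = @($loc.AdditionalProperties["countriesAndRegions"])
$desired = @($current + $Add | Where-Object { $_ -notin $Remove } | Sort-Object -Unique)

# PATCH replaces the whole collection, and the request must restate the @odata.type.
Update-MgIdentityConditionalAccessNamedLocation -NamedLocationId $loc.Id -BodyParameter @{
    "@odata.type"       = "#microsoft.graph.countryNamedLocation"
    countriesAndRegions = $desired
}

"'$LocationName' now covers: $($desired -join ', ')"
```

Any Conditional Access policy that references the location picks up the new list on its next evaluation; no policy edit is needed. Run the sign-in review afterwards, since every newly added country can surface a legitimate user you had not accounted for.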
Reporting on Blocked Attempts
- Navigate to Sign-in logs
- Add filter: Conditional Access =
Block Access from High-Risk Countries
- Add filter: Status =
Failure
- Export report for security review
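A sign-in log review script that serves both the Access Testing / Sign-in Log Analysis checklist above and this reporting section, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module is installed and that the policy carries the display name used in this guide. It pulls recent sign-ins, keeps those where this policy reported a block (enforced or report-only), and summarises them by country and user so that a legitimate user appearing from an allowed country stands out as a geolocation or proxy problem.

```powershell
# Added example, not from the original guide: review CA-08 outcomes in the sign-in log.
# Assumes Microsoft.Graph is installed and the policy is named as in this guide.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$PolicyName   = "Block Access from High-Risk Countries"
$Days         = 7
$EnforcedOnly = $false   # $true once the policy is On; report-only hits do not set conditionalAccessStatus

$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "createdDateTime ge $since"
if ($EnforcedOnly) { $filter += " and conditionalAccessStatus eq 'failure'" }

# Server-side filter on time (and CA outcome when enforced); the per-policy match is client-side.
$signIns = Get-MgAuditLogSignIn -All -Filter $filter

$hits = @(foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $PolicyName } | Select-Object -First 1
    if ($applied -and $applied.Result -in @("failure", "reportOnlyFailure")) {
        [pscustomobject]@{
            When    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            Ip      = $s.IpAddress
            Country = $s.Location.CountryOrRegion
            City    = $s.Location.City
            Result  = $applied.Result     # "failure" = enforced block, "reportOnlyFailure" = would have blocked
        }
    }
})

# Expected blocks group under blocked country codes; a known user under an allowed country here
# points at geolocation, proxy, or VPN-exit problems that need investigation, not an exception.
$hits | Group-Object Country, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

if ($hits.Count -gt 0) {
    $hits | Export-Csv -NoTypeInformation -Path ".\ca08-blocked-signins.csv"
}
```

Use the exported CSV for the monthly pattern review; "reportOnlyFailure" rows collected while the policy is still in Report-only are exactly the sign-ins that would break once it is switched On.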
Integration with Other Controls
Combine with Risk Policies
For comprehensive protection:
- Geographic blocking (CA-08) - Stops known bad regions
- Sign-in risk (CA-03) - Flags anonymous-IP, atypical-travel and similar detections, which often accompany attempts to route around the block through a VPN or proxy
- MFA (CA-01) - Adds authentication barrier
Trusted Locations
Create trusted named locations for:
- Corporate office IP ranges
- VPN exit points
- Data center IP ranges
These can be excluded from other policies or used for allow rules.
Compliance Considerations
OFAC Sanctions
If blocking for OFAC compliance, document:
- Countries blocked
- Policy effective date
- Review schedule
- Exception process
Export Control (ITAR/EAR)
For controlled technical data:
- May need to block additional countries
- Consider restricting specific applications vs. all cloud apps
- Document technical controls in compliance documentation
Data Residency
Geographic blocking restricts where data can be accessed from; it does not change where Microsoft stores the data. Treat it as one control that supports an access-location requirement, not as a data residency control in itself.
Related Controls
- CA-01: Require MFA for All Users (authentication barrier)
- CA-03: Block or MFA for Risky Sign-Ins (flags anonymous-IP and atypical-travel sign-ins that VPN bypass attempts tend to produce)
- CA-09: Zero Trust Network Access (comprehensive location enforcement)
- EXT-03: Restrict Guest Access to Allowlisted Domains (external access control)