CA-08Easy

How to Fix: Block Access from High-Risk Countries

Step-by-step guide to implement block access from high-risk countries in your Microsoft 365 environment.

5-10 minutes

Estimated Time

4

Steps

medium

Severity

Recommended Secure

Baseline Level

Why This Matters

Blocking access from high-risk countries reduces geopolitical risk and helps comply with export control regulations (ITAR, EAR). While VPNs can bypass this control, it stops opportunistic attacks and reduces your attack surface from nation-state threat actors.

Prerequisites

  • 1Global Administrator or appropriate admin role in Microsoft Entra ID
  • 2Access to Microsoft Entra admin center (entra.microsoft.com)
  • 3Microsoft Entra ID P1 or higher license
  • 4Conditional Access Administrator role (minimum)

Expected Configuration

  • Conditional Access policy blocks access from high-risk countries
  • Country-based named location configured with sanctioned/high-risk nations
  • Level 1: North Korea, Iran, Syria
  • Level 2: + Russia, Cuba
  • Level 3: + China, Belarus, Venezuela

Remediation Steps

1

Review Existing Policies

Examine your current Conditional Access policies.

  • Navigate to Microsoft Entra admin center
  • Go to Protection > Conditional Access
  • Review existing policies and their configurations
2

Design Policy Configuration

Plan the Conditional Access policy that addresses this control.

  • Define target users and groups
  • Determine target applications
  • Plan grant and session controls
3

Create or Update Policy

Implement the Conditional Access policy.

  • Create new policy or modify existing one
  • Configure assignments (users, apps, conditions)
  • Set appropriate grant and session controls
  • Start in Report-only mode for testing
4

Test and Enable

Validate the policy works correctly before full enforcement.

  • Monitor Report-only results
  • Test with pilot group
  • Switch to On when confident
  • Run TrueConfig scan to verify compliance

Auto-Remediation Available

TrueConfig can automatically fix this control for you. Enable auto-remediation to have this configuration applied and maintained automatically.

Learn about auto-remediation

Related Resources

Control Reference

Full control documentation

FAQ

Common questions answered

Full Guide

Detailed implementation guide

Conditional Access Controls

Related security controls

Automate Your Security Configuration

TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.

Start Free Trial
← All ControlsView Control Details →