Rob_Soligan
Jun 13, 2025

Strengthening Enterprise Identity Security with Country Based Blocking in Conditional Access

In a Zero-Trust world, identity is the foundational security perimeter. Securing access begins with full visibility and control over authentication activity - including where login attempts originate. By continuously validating the context of every access request, organizations can detect threats early and enforce least privilege with precision. For public sector agencies and global enterprises alike, defending against unauthorized sign-ins from foreign locations is a top priority, especially when those locations fall outside the boundaries of legitimate business activity.

Why Country-Based Blocking Matters

Not every foreign login attempt is malicious, but when your organization has no employees, contractors, or systems operating out of certain countries, any authentication activity from those regions should be treated as suspicious by default.

We’ve seen organizations use this capability to:

  • Block access from countries where they have no personnel or partnerships
  • Reduce exposure to credential stuffing or token replay attacks from known threat regions
  • Enforce geo compliance policies related to data sovereignty or regional restrictions

This helps reduce risk without interfering with legitimate business operations—and it’s surprisingly easy to configure.

Fortunately, Microsoft Entra ID (formerly Azure Active Directory) provides a powerful, often overlooked feature in Conditional Access: the ability to block authentication attempts by country using Named Locations.

🔧 Step by Step: How to Block Access by Country Using Conditional Access

1. Create a Named Location for the Country

  1. Go to the Microsoft Entra admin center (Entra Portal).
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Click + Country location.
  4. Name the location (e.g., Blocked - North Korea).
  5. Check the box for the country or countries you want to block (e.g., North Korea).
  6. Click Create.

2. Create the Conditional Access Policy

  1. Still in Conditional Access, click + Create New policy.
  2. Name your policy, e.g., Block Sign-ins from Forbidden Countries.

Under Assignments:

  • Users: Choose All users (or specific groups), and exclude your break glass accounts.
  • Target resources: Select All resources (or target specific apps).

Under Network:

  • Set Configure to Yes.
  • Include: Selected networks and locations
    • Choose the Named Location(s) you created earlier (e.g., Blocked - North Korea).

This configuration tells Conditional Access to apply the policy only when the sign-in originates from one of the included Named Locations, i.e., from a blocked country. Sign-ins from anywhere else are not evaluated by this policy.

Under Access controls > Grant:

  • Select Block access.

Then:

  1. Enable the policy (set to On) or test it first by setting it to Report-only.
  2. Click Create.
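The same two steps can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example, not part of the original post or Microsoft's own sample code. It assumes the Microsoft.Graph module is installed, the signed-in administrator can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the placeholder break-glass object ID is replaced with your real emergency-access account IDs. The policy is created in report-only state so that the sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not from the original post): create the Named Location and the
# Conditional Access policy described in the steps above via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the admin holds Policy.ReadWrite.ConditionalAccess;
# $BreakGlassIds is replaced with the object IDs of your emergency-access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$LocationName  = "Blocked - North Korea"
$PolicyName    = "Block Sign-ins from Forbidden Countries"
$Placeholder   = "00000000-0000-0000-0000-000000000000"
$BreakGlassIds = @($Placeholder)   # placeholder: replace with real break-glass account object IDs

# Step 1: Named Location of type countryNamedLocation.
# Countries are ISO 3166-1 alpha-2 codes; KP is North Korea.
# Reuse an existing location with the same display name instead of creating a duplicate.
$location = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq $LocationName }
if (-not $location) {
    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
        displayName                       = $LocationName
        countriesAndRegions               = @("KP")
        # Leave sign-ins whose country cannot be determined to other policies;
        # set to $true if you also want to block unresolvable locations.
        includeUnknownCountriesAndRegions = $false
    }
}
Write-Host "Named Location '$($location.DisplayName)' id: $($location.Id)"

# Guard against creating a Block policy that also locks out the emergency accounts.
if ($BreakGlassIds -contains $Placeholder) {
    throw "Replace the placeholder break-glass IDs before creating a Block policy."
}

# Step 2: the policy. Users = All (minus break-glass), resources = All,
# network condition = include the blocked Named Location, grant control = block.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = $PolicyName
    state         = "enabledForReportingButNotEnforced"   # Report-only; switch to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $BreakGlassIds }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($location.Id); excludeLocations = @() }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
Write-Host "Policy '$($policy.DisplayName)' created in state '$($policy.State)' (id $($policy.Id))"
```

The script deliberately refuses to run while the break-glass list still holds the placeholder value: a Block policy scoped to All users with no exclusions is the classic way to lock an entire tenant out, and a scripted deployment removes the portal's chance to notice the omission.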

🛡️ Best Practices

  • Begin with Report-only mode to simulate the effect of your policy before enforcement.
  • Exclude break-glass (emergency) accounts to avoid accidental lockout.
  • Monitor sign-in activity in Microsoft Entra sign-in logs to validate the policy’s effect.
  • Combine with sign-in risk policies or device compliance to further refine access decisions.
  • Consider the service limits for Named Locations and IP address ranges. While these limits are generous and unlikely to affect most organizations, it is good practice to review them to ensure your design remains scalable. More details can be found in the Microsoft Entra service limits documentation.
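To act on the first three best practices together, the sign-in logs can be queried for the entries that a report-only policy would have blocked. This is an added example, not code from the original post; it assumes the Microsoft.Graph module, an administrator with the AuditLog.Read.All and Directory.Read.All scopes, and that $PolicyName matches the display name of the policy you created.

```powershell
# Added example (not from the original post): list the sign-ins of the last 7 days that the
# report-only country-blocking policy would have blocked, grouped by country and user.
# Assumptions: Microsoft.Graph module installed; admin holds AuditLog.Read.All and Directory.Read.All;
# $PolicyName is the display name of the Conditional Access policy being validated.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$PolicyName = "Block Sign-ins from Forbidden Countries"
$Since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter server-side on time only; the per-policy evaluation is a nested collection
# and is filtered client-side below.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $Since" -All

# For a Block policy in report-only mode, a sign-in that would have been blocked is
# recorded with result 'reportOnlyFailure' for that policy.
$wouldBlock = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure' }
    if ($hit) {
        [pscustomobject]@{
            When    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            Country = $s.Location.CountryOrRegion
            IP      = $s.IPAddress
        }
    }
}

# Summary by country and user. Any legitimate account appearing here needs an exclusion,
# a corrected location, or a business explanation before the policy is switched to On.
$wouldBlock | Group-Object Country, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail view, newest first.
$wouldBlock | Sort-Object When -Descending | Format-Table -AutoSize
```

An empty result after a week of report-only operation is the normal outcome for an organization with no legitimate activity in the blocked countries; a non-empty one is the list of exclusions or investigations to work through before enforcement.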

Final Thoughts

Blocking access from foreign countries where your organization has no legitimate activity is one of the most straightforward and effective Conditional Access strategies available. It strengthens your authentication perimeter and supports a zero trust approach to identity security.

However, it is important to remember that Named Locations should be part of a broader defense-in-depth strategy. Sophisticated attackers can use VPNs or proxy services to disguise their location, so country-based controls alone are not enough. For stronger protection, combine them with additional signals such as sign-in risk, device compliance, and multi-factor authentication.

Whether you're protecting a government agency or a multinational enterprise, adding country-based controls to your Conditional Access policy set remains a simple but powerful step forward.

🧭 Ready to get started? Dive into the official docs here:
➡️ Block access by location using Conditional Access

➡️ Simplify Conditional Access policy deployment with templates - Microsoft Entra ID | Microsoft Learn
