Understanding Geographic-Based Access Controls

Geographic-based access controls help organizations meet international regulatory obligations and improve security by removing some low-hanging fruit. One common use case is blocking access from OFAC-sanctioned countries while allowing access from trusted locations.

Implementation Steps

1. Create a Report-Only Policy

First, create a policy in report-only mode to assess impact:

  1. Navigate to Azure Portal > Azure AD > Security > Conditional Access
  2. Create a new policy
  3. Configure the following settings:
  • Users and groups: All users
  • Cloud apps or actions: All cloud apps
  • Conditions: Locations > Configure > Selected locations
  • Access controls: Block access
  • Enable policy: Report-only

2. Configure Location Conditions

Create a list of blocked locations:

  1. Under Conditions > Locations, select “Selected locations”
  2. Add locations corresponding to OFAC sanctioned countries
  3. You can find the current list at: https://ofac.treasury.gov/sanctions-programs-and-country-information

3. Monitor and Analyze

Before enforcing the policy:

  1. Enable audit logging
  2. Monitor sign-in logs for:
  • Location data
  • Policy hits
  • False positives
  3. Review impact over a minimum period (days or weeks)

4. Policy Enforcement

Once confident in the policy:

  1. Change from “Report-only” to “On”
  2. Monitor for:
  • User impact
  • Help desk tickets
  • Failed sign-in attempts

Best Practices

  • Always test with report-only mode first
  • Include exception groups for specific use cases: remember to exempt your break-glass accounts!
  • Document all excluded locations and reasoning
  • Review the OFAC country list regularly
  • Maintain audit logs for compliance

Production Configuration Example

  Name: Block OFAC Countries
  State: Enabled
  Conditions:
    Users: All Users
    Cloud apps: All cloud apps
    Locations: Include: Selected locations
    LocationList: [OFAC Sanctioned Countries]
  Access Controls:
    Grant: Block access
  Session Controls: None
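The same configuration, scripted with the Microsoft Graph PowerShell SDK as an added example (not part of the original article): it creates the country named location and the block policy in report-only state, with the break-glass group excluded as recommended under Best Practices. The group object id is a placeholder and the country codes are illustrative; derive the real list from the OFAC page linked above.

```powershell
# Added example: create the named location and Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in admin
# holds Policy.ReadWrite.ConditionalAccess. Group id and country codes are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Illustrative ISO 3166-1 alpha-2 codes; build the authoritative list from the OFAC page
$ofacCountryCodes = @("CU", "IR", "KP", "SY")

# Object id of the break-glass / exception group to exclude (placeholder, replace)
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# 1. Country-based named location (resolved from sign-in IP geolocation).
#    Sign-ins whose country cannot be determined are deliberately left out here;
#    decide separately whether to include them.
$locationParams = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "OFAC Sanctioned Countries"
    countriesAndRegions               = $ofacCountryCodes
    includeUnknownCountriesAndRegions = $false
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationParams

# 2. Block policy in report-only mode, so sign-in logs show impact before enforcement
$policyParams = @{
    displayName   = "Block OFAC Countries"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" in step 4
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams
Write-Output "Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

After the monitoring period, update the policy's `state` to `enabled` rather than recreating it, so the report-only history stays attached to the same policy id.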

Remember to implement this alongside other security controls like MFA and device compliance for a comprehensive security strategy.