Good Afternoon,
We’re trying to implement the Conditional Access Policies to geo-block countries that our users are not based in. We have a base policy that only allows UK logins but we also have some users based in other countries. For those users I have created a separate security group per country and a separate CA policy that includes their country and the UK. I believe this will work for those users.
We also have a handful of users, from the Exec Board, who travel to multiple countries on a regular basis, including some of the fixed countries I have in the above-mentioned policies. I'm looking for advice on how best to keep these users secure using the CA policies without generating excessive work for ourselves or impeding their work when they travel. Would you be able to assist please?
Regards,
Lee
our response
Microsoft Entra Identity Protection - I believe you have an Entra ID P2 licence, formerly known as Azure AD P2. So, you should be able to use the Identity Protection features. By enabling this, you get alerts on Atypical travel, Malicious IP address or Unfamiliar sign-in properties. This way you will reach out to the users only when really needed. You can see the full list of detections available here. If you think this will be useful, you can follow this document to integrate Identity Protection with Arctic Wolf.
Black List Approach - The way it works is that you create a CA policy to restrict users from logging in from certain high-risk countries, depending on your business presence. I know this approach is a bit intrusive in nature, but it provides a fine balance between security and ease of operation. If any of your users want to travel to high-risk countries, they can inform you, and Arctic Wolf can add them to the Critical AD users list for the duration of their travel to get higher visibility.
Critical AD Users - Another possible option for monitoring the executive users is by adding them as Critical AD users. It is a non-intrusive approach but still gives you the security benefit. We alert you if these users are logging in outside of the UK. In order to prevent us from alerting you for logins from some of the countries to which they regularly travel, we can whitelist those specific countries only for the exec users.
Trusted Traveller Group - This approach has also worked for users who travel frequently. You manage most of the things on your side, like adding users to the group and removing them when they are back after travelling. More information here.
Any user, irrespective of role or location, should have Multifactor Authentication enabled as a baseline, since it provides an extra layer of security if the identities are compromised, and then on top of it we can have controls in place to protect their identities.
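The geo-block policy, trusted-traveller exclusion and baseline MFA described in the response, as an added example that is not part of the original ticket or of Arctic Wolf's guidance. It uses the Microsoft Graph PowerShell SDK; the group names (CA-Trusted-Travellers, CA-Break-Glass), the policy display names, the report-only starting state and the break-glass exclusion are assumptions for illustration rather than anything the ticket specifies.

```powershell
# Added example (not from the ticket): UK-only geo-block with a trusted-traveller exclusion,
# plus an MFA-for-everyone baseline, built with the Microsoft Graph PowerShell SDK.
# Group names, display names and the report-only state are assumptions for illustration.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

# Policy.ReadWrite.ConditionalAccess covers named locations and CA policies;
# Group.Read.All is needed to resolve the group IDs below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Country named locations use ISO 3166-1 alpha-2 codes: the United Kingdom is "GB", not "UK".
$ukLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries - UK"
    countriesAndRegions               = @("GB")
    # $false: sign-ins whose IP cannot be mapped to a country are NOT counted as UK,
    # so they fall under the block. Flip to $true only if that causes lockouts you accept.
    includeUnknownCountriesAndRegions = $false
}

# Assumed group names. Trusted travellers are excluded from the geo-block only while
# they are members; the break-glass group keeps emergency-access accounts out of
# every CA policy so a bad policy cannot lock the tenant out.
$travellers = Get-MgGroup -Filter "displayName eq 'CA-Trusted-Travellers'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Break-Glass'"

$geoBlock = @{
    displayName   = "Block sign-in from outside the UK"
    # Report-only first: check the sign-in log's "Report-only" tab for who WOULD have
    # been blocked, then change to "enabled" once the exceptions look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($travellers.Id, $breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($ukLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlock

# Baseline MFA for every user regardless of location, as the response recommends.
# Travellers are deliberately NOT excluded here: leaving the geo-block must not
# mean leaving MFA.
$mfaBaseline = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaBaseline

# Day-to-day operation of the trusted-traveller group (needs Microsoft.Graph.Users and
# GroupMember.ReadWrite.All): add an exec before a trip, remove them when they are back.
# $execUser = Get-MgUser -UserId "exec@example.com"   # hypothetical UPN
# New-MgGroupMember -GroupId $travellers.Id -DirectoryObjectId $execUser.Id
# Remove-MgGroupMemberByRef -GroupId $travellers.Id -DirectoryObjectId $execUser.Id
```

Two points worth checking before switching either policy from report-only to enabled: the exec accounts must already be registered for MFA (otherwise the MFA baseline locks them out on their first foreign sign-in), and the trusted-traveller group membership needs an owner who actually removes people after travel, or the exception quietly becomes permanent.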