Block Access to Azure AD from Sanctioned Countries

When you work in business, keeping on top of all the different rules and regulations can be hard work. So Azure AD does what it can to help its customers understand how these changes may potentially impact their business.

You might have a custom requirement that access from specific sanctioned countries must be blocked for Azure and Office 365 apps.

What is a sanctioned country?

Sanctioned Countries are designated by the U.S. Government as having limited or comprehensive trade sanctions and embargoes imposed for reasons of anti-terrorism, non-proliferation, narcotics trafficking, or other reasons. Sanctions are prohibitions on transactions (e.g., financial exchanges, providing or receiving services of value) with designated countries, entities, or individuals.

Especially if you are working in a financial organization, you should be familiar with sanctions rules.

I am going to explain how we can block access to our Azure and Office resources from sanctioned countries with Conditional Access. You can also use this article as a reference for blocking your apps from any other specific locations.

As a first step, we are going to add the sanctioned countries list to the Conditional Access named locations.

Click Named locations and then “Countries location”.

Select the sanctioned countries based on your country’s requirements and click Create. You can also use this list to block access from any other specific countries.

Once you have created the countries list, you will see it under Named locations.

Next, we are going to create a new Conditional Access policy.

Provide a name for the policy and choose All users.

Choose “All cloud apps” under the “Cloud apps or actions” tab, as we want to block access to all cloud apps in our environment from these countries.

Configure the Locations condition and choose “Sanctioned Countries”.

Under Access controls, choose Block access, as we are going to block access from all sanctioned countries.

Set Enable policy to “On” and create the policy.

Once you click Create, you might get a warning on the policy that there is a risk you could lock yourself out. I would suggest adding your break-glass account, or a less important user, to the excluded users list.

You will be able to see your policy status under Policies.

If someone tries to access any Azure or Office 365 resource from one of the sanctioned countries, the sign-in is blocked by Conditional Access.
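The portal steps above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original post): it creates the same countries named location and block policy, but starts the policy in report-only mode so you can review the sign-in logs before switching it to On. The country codes, the break-glass UPN and the Graph permission scopes are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): the named location and the
# Conditional Access policy from the steps above, built with the Microsoft
# Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed and the
# signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Placeholder ISO 3166-1 alpha-2 codes; use the list your compliance team provides.
$sanctionedCountries = @("XX", "YY")

# Break-glass account to exclude so the policy cannot lock every admin out.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"   # placeholder UPN

# Step 1: the "Sanctioned Countries" countries location (country resolved from client IP).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Sanctioned Countries"
    countriesAndRegions               = $sanctionedCountries
    # Also cover sign-ins whose country cannot be resolved; otherwise GeoIP gaps
    # fall outside the policy.
    includeUnknownCountriesAndRegions = $true
}

# Step 2: the policy: all users (minus break-glass), all cloud apps, this
# location, Block access. Report-only first; set $state = "enabled" once the
# sign-in logs show only the expected sign-ins would be blocked.
$state = "enabledForReportingButNotEnforced"

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block access from sanctioned countries"
    state         = $state
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Named location {0} created; policy {1} is in state {2}" -f $location.Id, $policy.Id, $policy.State
```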