GeoFiltering Office365 logins

10th August 2021

Requires:
1 mgt account with an Azure AD Premium P1 license ($8/m at the time of writing)
other users can be on a basic user license (the feature works with one P1 license in the tenant; Microsoft's licensing terms, however, call for a P1 license for every user a Conditional Access policy applies to)


Log in as the mgt account

Set Named Locations https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/NamedLocations
create a named location (type: countries/regions) covering the countries you want to allow logins from; one location can list several countries, or you can make one per country. Leave "Include unknown countries/regions" unticked unless you also want to allow sign-ins whose IP has no country mapping.


Set Conditional Access rules (Conditional Access in the Azure Active Directory admin center)
Users and groups; choose all users but exclude your mgt account so you don't lock yourself out
Cloud apps; choose all cloud apps
Conditions; Locations, Configure=Yes, Include=Any location, Exclude=the named location(s) you want to ALLOW
Access controls; Grant=Block access
Enable policy; start with Report-only, switch to On once the sign-in log shows it matching only the sign-ins you expect

Test using a VPN app on your cell phone that lets you choose the exit country (TunnelBear, for example), then use the phone's browser to do a web logon. Afterwards open that sign-in in the Azure AD sign-in logs; the Conditional Access tab of the entry shows each policy that was evaluated and whether it resulted in success, failure (block) or report-only.


Note: Conditional Access policies are not applied in listed order, and a more permissive policy does not cancel a stricter one: every policy that matches a sign-in is evaluated, all of their controls must be satisfied, and Block access takes precedence over an MFA requirement. I created overlapping policies (block access outside Canada + USA, and enforce 2FA outside Canada); in my test I got a 2FA prompt when trying to log on from South America. A prompt on its own does not prove the block was skipped, so read the per-policy result in the sign-in log entry rather than judging from what the client shows. Don't be fooled into thinking that the rules take effect in listed order.

Why not just enforce 2FA everywhere instead of blocking? Then every foreign password-guessing attempt that gets the password right sends your users a 2FA prompt, and they may be bombarded with requests they did not start. A geo-block stops those sign-ins before any prompt is sent.

Note: Legacy protocols like POP, SMTP AUTH, IMAP and MAPI using basic authentication can't enforce MFA (source: Microsoft's Conditional Access documentation), so a second Conditional Access policy is also required to turn those off: Client apps = Exchange ActiveSync clients + Other clients, Grant = Block access. Remember to exempt your trusted locations (a named location marked as trusted, covering the office egress IP) so the printer can still scan-to-email over SMTP.
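As an added example (not part of the original post), here are the same two policies built with the Microsoft.Graph PowerShell SDK instead of the portal: the geo-block from the steps above and the legacy-authentication block from the note just before this. It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes; the account names, country codes and printer IP are placeholders. Both policies are created in report-only mode so the sign-in log can be checked before they are switched to enforced, and the last function prints the per-policy result for a test user's recent sign-ins.

```powershell
# Added example, not the original post's code. Placeholders: the UPNs, country codes and printer IP.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

$MgmtAccountUpn   = 'mgmt@example.onmicrosoft.com'   # placeholder: the P1-licensed management account
$AllowedCountries = @('CA', 'US')                    # placeholder: ISO 3166-1 alpha-2 codes to allow
$TrustedPrinterIp = '203.0.113.10/32'                # placeholder: office egress IP used by the printer

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

# Policies reference users by object ID, so resolve the management account first.
$mgmtId = (Get-MgUser -UserId $MgmtAccountUpn).Id

# 1. One country named location can hold every allowed country; unknown geo-IP stays in the
#    "everywhere else" bucket and is therefore blocked by the policy below.
$allowedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false
}

# Trusted IP location for the printer so the legacy-auth block does not break scan-to-email.
$trustedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress (printer)'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $TrustedPrinterIp })
}

# 2. Geo-block: all users except the management account, all apps, all client types,
#    any location except the allowed countries. Report-only until the sign-in log looks right.
$geoBlock = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-in outside allowed countries'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($mgmtId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($allowedLocation.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Legacy-auth block: basic-auth POP/IMAP/SMTP AUTH/ActiveSync clients cannot complete MFA,
#    so block the 'exchangeActiveSync' and 'other' client app types everywhere except trusted
#    locations ('AllTrusted' covers every named location marked isTrusted, i.e. the printer's IP).
$legacyBlock = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($mgmtId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Created: $($geoBlock.DisplayName) ($($geoBlock.Id)), $($legacyBlock.DisplayName) ($($legacyBlock.Id))"
"Trusted location id: $($trustedLocation.Id)"

# 4. After the VPN test sign-in, list what every matching policy decided for that user.
#    All matching policies are evaluated; 'block' outranks an MFA grant whatever the creation order.
function Show-CaResult {
    param([Parameter(Mandatory)][string]$Upn, [int]$Count = 5)
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top $Count |
        ForEach-Object {
            "$($_.CreatedDateTime) from $($_.Location.CountryOrRegion) errorCode=$($_.Status.ErrorCode)"
            $_.AppliedConditionalAccessPolicies | ForEach-Object { "    $($_.DisplayName): $($_.Result)" }
        }
}

Show-CaResult -Upn 'testuser@example.onmicrosoft.com'   # placeholder: the account used from the VPN
```

When a policy is in report-only mode its result shows as reportOnlyFailure or reportOnlySuccess rather than failure or success; once both policies read as expected for the VPN test and for the printer's IP, change their state to enabled (Update-MgIdentityConditionalAccessPolicy with state = 'enabled').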