Introduction
In today's cybersecurity landscape, organizations must proactively protect their environments from threats such as phishing, ransomware, and unauthorized access attempts. One of the most effective identity-layer controls is Azure AD (now Microsoft Entra ID) Conditional Access, which evaluates every sign-in against policy before access is granted.
Recently, after encountering a ransomware email attack, I configured Conditional Access to block all non-USA IP addresses, ensuring that only users within the United States could access our resources. This blog will walk you through why Conditional Access is essential, how to configure it, and how to automate it using PowerShell.
What is Conditional Access?
Azure AD Conditional Access is the policy engine that evaluates each sign-in and grants, blocks, or steps up access based on signals such as:
- User location (geo-blocking by country or IP range, defined through named locations)
- Device compliance (require an Intune-compliant or hybrid-joined device)
- Risk detection (block or challenge high-risk sign-ins flagged by Identity Protection)
- MFA enforcement (require multi-factor authentication)
- App and session controls (restrict access to sensitive apps, limit session lifetime)
These policies help organizations reduce the attack surface and protect against unauthorized access.
Scenario: Blocking All Non-USA IPs
One of the most common Conditional Access use cases is geo-blocking, which prevents users from signing in from outside an approved country (e.g., the USA). The country is derived from the sign-in's source IP address, so this control cuts out opportunistic attempts from abroad but does not stop an attacker who routes through a US-hosted VPN or cloud proxy; treat it as a noise-reduction layer on top of MFA, not as a boundary.
Step 1: Creating the Conditional Access Policy Manually
A policy cannot exclude a country directly; you first define a named location for that country and then exclude it.
- Go to Azure AD → Security → Conditional Access → Named locations (in the Microsoft Entra admin center: Protection → Conditional Access → Named locations).
- Click Countries location, name it "United States", choose Determine location by IP address, and select United States. Leave Include unknown countries/regions unchecked unless you want IPs that cannot be mapped to a country treated as US traffic.
- Back in Conditional Access, click New policy → Name it "Block Non-USA Access."
- Under Assignments:
- Users: Include All users (or specific groups); under Exclude, add your break-glass (emergency access) accounts so a misconfiguration cannot lock every administrator out.
- Target resources (Cloud apps or actions): All cloud apps.
- Conditions → Locations: set Configure to Yes; Include Any location; Exclude Selected locations → the "United States" named location.
- Access controls → Grant → Block access.
- Set Enable policy to Report-only and click Create; switch it to On once the sign-in logs show only expected blocks.
Automating Conditional Access with PowerShell
Instead of manually configuring policies, you can use PowerShell and Microsoft Graph API to automate Conditional Access setup.
Step 2: Install Required PowerShell Modules
    # The full SDK is large; the Conditional Access and named-location cmdlets live in
    # the Microsoft.Graph.Identity.SignIns submodule if you prefer to install only that.
    Install-Module -Name Microsoft.Graph -Scope CurrentUser
Step 3: Authenticate and Connect to Microsoft Graph
    # Creating a Conditional Access policy needs Application.Read.All in addition to the
    # Policy.ReadWrite.ConditionalAccess scope; the same scope covers named locations.
    Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
Step 4: Create a Conditional Access Policy to Block Non-USA Logins
    # The Graph API expects named-location IDs in excludeLocations (only "All" and
    # "AllTrusted" are accepted as keywords), not a country code such as "US", so
    # first create a countries named location for the United States.
    $usLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
        displayName                       = "United States"
        countriesAndRegions               = @("US")
        includeUnknownCountriesAndRegions = $false   # $true would also treat unmappable IPs as US
    }

    $policy = @{
        displayName = "Block Non-USA IPs"
        # Start in report-only; change to "enabled" after reviewing the sign-in logs
        state = "enabledForReportingButNotEnforced"
        conditions = @{
            users = @{
                includeUsers = @("All")
                # Add excludeUsers / excludeGroups for your break-glass accounts here
            }
            applications = @{
                includeApplications = @("All")
            }
            locations = @{
                includeLocations = @("All")
                excludeLocations = @($usLocation.Id)   # sign-ins from the US named location are not blocked
            }
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("block")
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Best Practices for Conditional Access Policies
- Always test policies in report-only mode before enabling them, and read the report-only results in the sign-in logs before switching the policy to On.
- Exclude a small set of break-glass (emergency access) accounts rather than every Global Admin, so a bad policy cannot lock the tenant while the exclusion itself stays narrow; protect those accounts with strong credentials and sign-in alerting.
- Combine Conditional Access with MFA: geo-blocking only filters on the source country, and an attacker using a US-hosted VPN or proxy is not affected by it.
- Review sign-in logs to monitor blocked and would-be-blocked attempts and adjust policies, for example for a traveling employee or a SaaS integration that signs in from outside the US.
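The review-then-enforce loop the best practices describe, as an added example that is not part of the original post. `Get-GeoBlockImpact` reads sign-in records (live `Get-MgAuditLogSignIn` output or the constructed sample below) and lists every user and country the report-only policy would have blocked; `Enable-GeoBlockPolicy` flips the policy to enforced only if it excludes at least one break-glass user or group. The policy name "Block Non-USA IPs", the `contoso.example` accounts and the sample IPs are assumptions for illustration; the live calls assume a `Connect-MgGraph` session with `AuditLog.Read.All`, `Directory.Read.All` and `Policy.ReadWrite.ConditionalAccess`.

```powershell
# Added example (not from the original post): review report-only results for the
# geo-block policy, then enforce it only if a break-glass exclusion exists.
# Assumed names: policy "Block Non-USA IPs", contoso.example sample accounts.

function Get-GeoBlockImpact {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # Get-MgAuditLogSignIn output or constructed records
        [string] $PolicyName = 'Block Non-USA IPs'
    )
    # In report-only mode the policy is evaluated but not enforced; a result of
    # reportOnlyFailure means the sign-in WOULD have been blocked once enabled.
    $wouldBlock = foreach ($s in $SignIns) {
        $hit = @($s.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure' })
        if ($hit.Count -gt 0) {
            [pscustomobject]@{
                User    = $s.UserPrincipalName
                Country = $s.Location.CountryOrRegion
                Ip      = $s.IpAddress
                App     = $s.AppDisplayName
            }
        }
    }
    # One row per user/country pair, busiest first, so travellers and foreign
    # integrations stand out before the policy is switched to enforced.
    $wouldBlock | Group-Object User, Country | ForEach-Object {
        [pscustomobject]@{
            User    = $_.Group[0].User
            Country = $_.Group[0].Country
            SignIns = $_.Count
            Apps    = (@($_.Group.App) | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object SignIns -Descending
}

function Enable-GeoBlockPolicy {
    param([string] $PolicyName = 'Block Non-USA IPs')
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
    if (-not $policy) { throw "Policy '$PolicyName' not found" }
    $users = $policy.Conditions.Users
    # Refuse to enforce a tenant-wide block that has no emergency-access exclusion.
    if (-not ($users.ExcludeUsers -or $users.ExcludeGroups)) {
        throw "Refusing to enable '$PolicyName': no break-glass user or group is excluded"
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ state = 'enabled' }
}

# Constructed sample sign-ins (not real log data) so the review runs offline:
# one US sign-in the policy leaves alone and two foreign sign-ins it would block.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.example'; IpAddress = '203.0.113.10'; AppDisplayName = 'Outlook'
        Location = @{ CountryOrRegion = 'US' }
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Non-USA IPs'; Result = 'reportOnlyNotApplied' })
    }
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.example'; IpAddress = '198.51.100.7'; AppDisplayName = 'Teams'
        Location = @{ CountryOrRegion = 'DE' }
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Non-USA IPs'; Result = 'reportOnlyFailure' })
    }
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.example'; IpAddress = '198.51.100.8'; AppDisplayName = 'SharePoint'
        Location = @{ CountryOrRegion = 'DE' }
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Non-USA IPs'; Result = 'reportOnlyFailure' })
    }
)
Get-GeoBlockImpact -SignIns $sample | Format-Table -AutoSize

# Live review over the last 7 days, then enforce once the list contains only expected blocks:
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-GeoBlockImpact -SignIns (Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All) | Format-Table -AutoSize
# Enable-GeoBlockPolicy
```

The sign-in log's `appliedConditionalAccessPolicies` property cannot be used in a Graph `$filter`, which is why the function filters client-side after pulling a date range; on a large tenant narrow the window or add a `userPrincipalName` filter to keep the pull manageable. The enforcement guard is deliberately strict: a tenant-wide Block policy with no excluded emergency-access identity is exactly the configuration that locks administrators out when a named location or geo-IP mapping turns out to be wrong.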
Summary
Implementing Conditional Access is a crucial step in securing your environment. Blocking sign-ins from outside the USA removes a large share of opportunistic credential-stuffing and phishing follow-on logins, and automating the setup with PowerShell keeps the policy consistent across tenants. Keep in mind that geo-blocking keys on the country of the source IP, so it narrows the attack surface rather than closing it; leave MFA and risk-based policies in place alongside it.
Once the policy has been validated in report-only mode and switched to On, sign-ins from outside the United States are blocked at the identity layer.