In Azure AD, I have a global conditional access policy (CAP) that prevents users from accessing their accounts from non-approved countries (I do realize this is not an accurate/reliable means of securing an environment). We do have MFA configured for these as well.
When people travel we put them in an exception group so they can go to Bali or wherever.
There is a finite list of people that remote work from locations we generally ban, e.g., India, Ghana, etc. For those folks, they are permanently in the exception list. That list is meant to be temporary.
I could make more CAPs for these individual users, but that could get out of hand if I made a block-all-but-India, for example, and those users would be in the exclude of the main policy. Would be messy real quick.
I want to be able to say that an individual can go to this one country but the rest of them are banned just like everyone else. Best I can tell, CAP is not meant for that granularity.
Is there a CAP methodology I could use to implement what I am describing?