
In AzureAD, I have a global conditional access policy (cap) that prevents users from accessing their accounts from non approved countries (I do realize this is not an accurate/reliable means of securing an environment). We do have MFA configured for these as well.

When people travel we put them in an exception group so they can go to Bali or wherever.

There is a finite list of people that remote work from locations we generally ban e.g. India, Ghana etc. For those folks, they are permanently in the exception list. That list is meant to be temporary.

I could make more CAPs for these individual users but that could get out of hand if I made a block-all-but-india for example and those users would be in the exclude of the main policy. Would be messy real quick.

I want to be able to say that an individual can go to this one country but the rest of them are banned just like everyone else. Best I can tell CAP is not meant for than granularity.

Is there a CAP methodology I could use to implement what I am describing?
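The "block all but one country per group" construction discussed in the question, spelled out against the Microsoft Graph PowerShell SDK so the objects involved are visible. This is an added example, not code from the question or the answer: the group name, named-location name, policy name and the `IN` country code are assumed placeholders, and the main geo-block policy that the group must additionally be excluded from is not created here.

```powershell
# Added example: one exception group + one country named location + one
# report-only block policy for that group. Names below are assumptions.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

# Interactive sign-in; an Automation runbook would use Connect-MgGraph -Identity.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$groupName = "CA-Allow-IN-Only"          # assumed: users allowed to sign in only from India
$countryCode = "IN"                        # ISO 3166-1 alpha-2, as Conditional Access expects

# 1. Security group that carries the exception (CA policies target groups, not users one by one)
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
        -MailNickname ($groupName.ToLower()) -SecurityEnabled -Description "Allowed country: $countryCode"
}

# 2. Country named location for the single permitted country
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Country - $countryCode"
    countriesAndRegions               = @($countryCode)
    includeUnknownCountriesAndRegions = $false   # unresolvable IPs stay blocked
}

# 3. Block every location except that one, scoped to the group only.
#    Created in report-only mode so the effect shows in sign-in logs before it bites.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block all locations except $countryCode - $groupName"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

Write-Output "Group $($group.Id), location $($location.Id), policy $($policy.Id) created (report-only)."
Write-Output "Remember: $groupName must also be in the exclude list of the global geo-block policy."
```

Every additional country means one more group, named location and policy, which is exactly the sprawl the question worries about, so keep a naming convention and switch the policy from report-only to `enabled` only after the sign-in logs confirm it matches the intended users.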

  • 2
    My first thought: Why don't you set up a VPN server for travellers and require travellers to use that when they need to access their account while abroad?
    – HBruijn
    Commented Aug 3, 2023 at 15:36
  • 3
    I do realize this is not an accurate/reliable means of securing an environment - It's not everything you should be doing (hopefully you're requiring some kind of MFA for access to Office 365), but using Geo based CAP's to limit the locations users can access Office 365 from is certainly high on my list of things you should/must be doing.
    – joeqwerty
    Commented Aug 3, 2023 at 19:15
  • 3
    According to reading I've done, 17% of cyber attacks originate from the USA. That means that 83% of cyber attacks originate from outside of the USA. I've also read that 90% of all Office 365 logon attempts originate from China. You should be blocking access to Office 365 for your users from outside of the actual locations they work from, making exceptions when/where needed.
    – joeqwerty
    Commented Aug 3, 2023 at 19:15
  • The most interesting incursion I worked originated at a resort in the middle of Cambodia. A cafe or wifi something in Bali is favorable territory for a threat actor. There are documented occurrences of threat actor groups that target high value travelers. Even on wifi presumed private. Also some countries (China notably) the state requires mandatory access to technology infrastructure, no court needed. Meaning they basically are provided user accounts and logon and "audit" networks anywhere to ensure it conforms with security and privacy requirements.
    – Greg Askew
    Commented Aug 3, 2023 at 19:59
  • 1
    For the most part we only allow CA,US and a few EU countries virtually everywhere else is blocked for all applications. This is handled by one CAP and a named location for the countries. However, people travel ,for mostly vacation, and need to be able to access their mail while abroad. So a user going to Japan would need an exception where everyone else in the company still needs to be blocked. The motivation is to reduce our attack footprint. Currently the users are given exceptions for everywhere for the duration of travel. That exception is built into the aforementioned CAP.
    – Matt
    Commented Jan 7 at 14:02

1 Answer

You could create an automation runbook with a PowerShell script which adds a user to a group and automatically deletes them from the group after the month. The PowerShell script would create a file in a storage account with user x excluded date and then other script in the same runbook queries that file and deletes the file when they are in that group for example for a month. This does require some custom scripting work, and then exclude that group from the non approved locations in Conditional Access.

Here is an example of those two scripts:

# Script 1: addUserToGroup.ps1
# Runs in the same Automation account as script 2. In a runbook, authenticate
# with Connect-AzAccount -Identity before the storage calls below.

# Define variables
$storageAccountName = "<storage_account_name>"
$containerName = "<container_name>"
$fileName = "exclusion_dates.txt"
$groupName = "<group_name>"
$username = "<username>"

# Add user to the group (the group must exist in Azure AD, e.g. synced via
# Azure AD Connect, so that the Conditional Access exclusion can reference it)
Add-ADGroupMember -Identity $groupName -Members $username

# Get the current date and calculate the exclusion date (1 month later)
$currentDate = Get-Date
$exclusionDate = $currentDate.AddMonths(1)

# Format the exclusion date
$formattedDate = Get-Date $exclusionDate -Format "yyyy-MM-dd"

# Download the current exclusion file from the storage account (if it exists),
# append this user's entry and upload it again. Add-Content is used rather
# than Set-Content so that other travellers' entries are not overwritten.
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
$filePath = Join-Path $env:TEMP $fileName
Get-AzStorageBlobContent -Container $containerName -Blob $fileName -Destination $filePath -Context $ctx -Force -ErrorAction SilentlyContinue | Out-Null
"$username $formattedDate" | Add-Content -Path $filePath
Set-AzStorageBlobContent -File $filePath -Container $containerName -Blob $fileName -Context $ctx -Force | Out-Null

Write-Host "User $username added to group $groupName. Exclusion date recorded."

# Script 2: checkExclusionAndRemoveUser.ps1
# Scheduled to run daily. Reads every "<username> <yyyy-MM-dd>" line written by
# script 1, removes users whose date has passed and prunes them from the file.

# Define variables
$storageAccountName = "<storage_account_name>"
$containerName = "<container_name>"
$fileName = "exclusion_dates.txt"
$groupName = "<group_name>"
$logFilePath = "group_removal_log.txt"

# Get the current date
$currentDate = Get-Date

# Download the exclusion file from the storage account (Connect-AzAccount -Identity first in a runbook)
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
$filePath = Join-Path $env:TEMP $fileName
Get-AzStorageBlobContent -Container $containerName -Blob $fileName -Destination $filePath -Context $ctx -Force | Out-Null
$exclusionInfo = Get-Content -Path $filePath

# Check every recorded user; keep only the lines that have not expired yet
$remaining = @()
foreach ($line in $exclusionInfo) {
    # Anchored pattern, so a username is matched whole and not as a substring of another
    if ($line -notmatch '^(\S+) (\d{4}-\d{2}-\d{2})$') {
        Write-Host "Skipping malformed line: $line"
        continue
    }
    $username = $matches[1]
    $storedDateObject = Get-Date $matches[2]
    if ($currentDate -ge $storedDateObject) {
        # Remove user from the group
        Remove-ADGroupMember -Identity $groupName -Members $username -Confirm:$false

        # Log the removal event (you can customize this part).
        # ${currentDate} is braced: "$currentDate:" would be parsed as a scope qualifier.
        "${currentDate}: Removed $username from $groupName" | Out-File -Append -FilePath $logFilePath

        Write-Host "User $username removed from group $groupName."
    }
    else {
        Write-Host "User $username is still within the exclusion period."
        $remaining += $line
    }
}

# Write the pruned list back so a removed user is not processed again on the next run
Set-Content -Path $filePath -Value $remaining
Set-AzStorageBlobContent -File $filePath -Container $containerName -Blob $fileName -Context $ctx -Force | Out-Null
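The same add-then-expire lifecycle written directly against the Entra ID (Azure AD) group that the Conditional Access policy references, using the Microsoft Graph PowerShell SDK instead of the on-premises `Add-ADGroupMember`/`Remove-ADGroupMember` cmdlets, which only work here if the group is synced. This is an added example and not the answer's code: the group name, the UPNs and the dates in the sample exclusion list are constructed placeholders, and it also checks that some enabled policy actually excludes the group, since otherwise membership changes do nothing.

```powershell
# Added example: time-bound membership of a Conditional Access exclusion group via Graph.
# Group name, UPNs and dates below are constructed placeholders.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

# Managed identity in an Automation runbook; interactively use
# Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All","Policy.Read.All"
Connect-MgGraph -Identity -NoWelcome

$groupName = "CA-Travel-Exclusions"   # assumed exclusion group name
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group $groupName not found" }

# Constructed sample of the exclusion file: one "<UPN> <expiry yyyy-MM-dd>" per line
$exclusionLines = @(
    "alice@contoso.example 2024-02-01",
    "bob@contoso.example 2099-01-01"
)

# Add a traveller for a bounded period and return the line to append to the file
function Grant-TravelExclusion {
    param([string]$Upn, [int]$Days = 30)
    $user = Get-MgUser -UserId $Upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    $expiry = (Get-Date).AddDays($Days).ToString("yyyy-MM-dd")
    return "$Upn $expiry"
}

# Remove everyone whose expiry has passed; return the lines that are still valid
function Revoke-ExpiredExclusions {
    param([string[]]$Lines, [datetime]$Now = (Get-Date))
    $keep = @()
    # Snapshot of current members, keyed by object id, so only real members are removed
    $memberIds = @{}
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $memberIds[$_.Id] = $true }
    foreach ($line in $Lines) {
        if ($line -notmatch '^(\S+) (\d{4}-\d{2}-\d{2})$') { continue }   # anchored: whole UPN only
        $upn = $matches[1]
        $expiryText = $matches[2]
        $expiry = [datetime]::ParseExact($expiryText, 'yyyy-MM-dd', $null)
        if ($Now -lt $expiry) { $keep += $line; continue }
        $user = Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
        if ($user -and $memberIds.ContainsKey($user.Id)) {
            Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
            Write-Output "Removed $upn from $groupName (exclusion expired $expiryText)"
        }
    }
    return $keep
}

# Sanity check: an exclusion group that no enabled policy references is a silent no-op
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeGroups -contains $group.Id }
if (-not $policies) { Write-Warning "No enabled Conditional Access policy excludes $groupName" }

$remaining = Revoke-ExpiredExclusions -Lines $exclusionLines
Write-Output "Entries still active: $($remaining.Count)"   # write $remaining back to the exclusion file
```

Two operational points worth keeping in mind with this design: removal from the group takes effect only when the user's next token is issued, so a user removed mid-session keeps access until the current access token expires, and on tenants with the right licensing the same time-bound membership is available natively through Privileged Identity Management for Groups, which avoids maintaining the exclusion file at all.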
