Conditional access for international travel

Cathy Olieslaeger 0 Reputation points
2025-08-19T00:09:21.1433333+00:00

Is there a way to set up conditional access to prevent non-US IP addresses from logging into a domain, but allowing the exception of a user traveling abroad for a set period of time?

Or is there a better way to prevent unauthorized access from non-US locations, yet still allowing occasional travel abroad for authorized users? Can that be set up for a device or a user?

Kindly point to the proper policies to implement for the domain or the devices.

Thank you!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Swaroop Kolli 5,160 Reputation points Microsoft External Staff Moderator
    2025-08-19T01:18:15.2133333+00:00

    Hello @Cathy Olieslaeger,

    We can create a conditional access policy which blocks the users from non-US IP Addresses.

    Make sure that you first test it with a specific user or set of users and exclude global admins from it to prevent tenant lockout scenarios. Please find the steps below:

    Navigate to Entra ID > Security > Conditional Access > Manage > Named Locations > Countries location and create a named location for US.

    User's image

    Once you create it as shown in the above image, navigate to Conditional Access policies > New Policy and create a policy by selecting all the appropriate conditions:

    Users - Select users on whom you would like to apply

    Target Resources - Select all apps or the apps you would like to apply the policy on

    Network - Exclude the named location you created, as in the image below

    User's image

    Set the Grant control to "Block" and change the policy from report-only to On. This conditional access policy blocks all users who try to access your resources from any location except the location you excluded, i.e., US locations. Please make sure that you exclude the global admins while creating the policy to prevent tenant lockouts.

    If you want to configure an exclusion for any user who is travelling abroad, then please exclude the user from the policy during the travel and re-include the user once they are back. Unfortunately, there is no specific control based on time period in the conditional access policy.

    This can be set up for users and also for users using specific devices; these can be configured in Filter for devices in the same CA policy by using inclusions and exclusions based on requirement. It is suggested to use the location-based CA policies on users rather than user devices.

    Alternatively, you can also configure a CA policy for users to access the resources only from specific devices.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
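The steps in the answer above, scripted with the Microsoft Graph PowerShell SDK as an added example (not code from the thread or from Microsoft). The display names, the group-ID placeholders and the `Set-TravelExclusion` helper are assumptions; the role template ID is the built-in Global Administrator role.

```powershell
# Added example. Values in <angle brackets> are placeholders, not taken from the thread.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Step 1: "Countries location" named location containing only the US.
$usLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'US only'   # hypothetical name
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# Step 2: block policy for a pilot group, applied everywhere except the US location.
# Created in report-only state; global admins and a break-glass group are excluded.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-in from outside US'   # hypothetical name
    state         = 'enabledForReportingOnly'
    conditions    = @{
        users          = @{
            includeGroups = @('<pilot-group-object-id>')
            excludeGroups = @('<break-glass-group-object-id>')
            excludeRoles  = @('62e90394-69f5-4237-9190-012177145e10')  # Global Administrator
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($usLocation.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Step 3: exclude a traveller for the trip, then re-include on return (-Remove).
# The policy has no time-based control, so the re-include has to be run by hand
# or from a scheduled job.
function Set-TravelExclusion {
    param([string]$PolicyId, [string]$UserId, [switch]$Remove)
    $current  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $excluded = @($current.Conditions.Users.ExcludeUsers | Where-Object { $_ -and $_ -ne $UserId })
    if (-not $Remove) { $excluded += $UserId }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{
        conditions = @{ users = @{ excludeUsers = $excluded } }
    }
    # Re-read the policy so the operator can confirm the resulting user scope.
    (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId).Conditions.Users
}

Set-TravelExclusion -PolicyId $policy.Id -UserId '<traveller-user-object-id>'
# On return: Set-TravelExclusion -PolicyId $policy.Id -UserId '<traveller-user-object-id>' -Remove
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`, and check the user scope printed by the helper after each change.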


  2. Ineza Peltyn 0 Reputation points
    2025-08-26T16:11:58.4966667+00:00

    @Swaroop Kolli So there is no more granular way to grant access? Example: We are blocking all non-US IP addresses, but we want one user to work from the UK. Besides creating a named IP location and whitelisting endless IP addresses when they change locations or networks, is there a way to whitelist only the UK for this individual?

    Thank you!

