WARNING: The impact of enabling this setting is high: make sure the list of authorized countries is up to date to avoid any sign-in issues. If you apply this setting on many tenants at once through the profile feature, make sure all tenants have the same requirements.


Summary


The Block Sign-Ins from Unauthorized Countries setting requires an Entra ID P1 or P2 license because it is implemented with Conditional Access policies. Before enabling it, make sure your users are licensed appropriately. If this setting is applied through a profile to tenants that do not have these licenses, the setting will be ignored on those tenants.


When enabling this setting, any sign-in attempt from a country listed as unauthorized in Office Protect will be blocked.


Setting a geographic fence is a good way to prevent activity on a potentially compromised account. Note that this will not protect against attackers who reach the account through a VPN or a proxy located in an authorized country, but it makes the process much more difficult. This policy can be applied to all users or only to sensitive admin roles. Service principals and applications are not covered by this policy.


If you enable the setting, sign-in attempts that the policy blocks will not trigger the Sign-In from Unauthorized Country alert, so you will not be notified of those blocked attempts.


Setting values


In the Set section, you can configure one of the following options when you apply the setting:


  • All Users: the policy will be applied to all users in your organization (including admin roles). To apply this value, you need to select authorized countries.
  • Admin Users: the policy will only be applied to sensitive admin roles*. To apply this value, you need to select authorized countries.
  • Disabled: no policy is applied. If this value is selected and a policy previously existed, Office Protect will remove it.
  • Custom Policy (Ignore): Office Protect will neither monitor nor attempt to modify the organization's Block Sign-in from Unauthorized Countries policy. We recommend this value if you prefer to use a customized policy, so Office Protect does not overwrite your customization.
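The All Users and Admin Users values above correspond to a Conditional Access policy that blocks every location except a named location holding the authorized countries. The following Microsoft Graph PowerShell script is an added example, not Office Protect's own code and not necessarily the exact policy object Office Protect creates: it builds that policy shape for either scope. Everything in it is an assumption to adapt before use: the country list and break-glass account name are placeholders, the admin role subset (`$AdminRoleNames`) is a short sample taken from the sensitive roles list on this page, and the policy is created in report-only state so you can review the sign-in log for would-be blocks before enforcing it (the warning at the top of this page is why). It requires the Microsoft.Graph module and an account holding the Conditional Access Administrator role.

```powershell
# Added example (not Office Protect's code): equivalent of the
# "Block Sign-Ins from Unauthorized Countries" setting, built with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller has Conditional Access Administrator;
# tenant has Entra ID P1/P2; the values below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

$AuthorizedCountries = @("CA", "US")                 # placeholder: ISO 3166-1 alpha-2 codes
$BreakGlassUpn       = "breakglass@contoso.example"  # placeholder: emergency-access account kept outside the policy

# 1. Named location listing the authorized countries. Sign-ins whose country cannot be
#    resolved are deliberately NOT counted as authorized, so they fall under the block.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Authorized countries"
    countriesAndRegions               = $AuthorizedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: block all locations except the named location, for either scope.
function New-CountryFencePolicy {
    param(
        [Parameter(Mandatory)][ValidateSet("AllUsers", "AdminUsers")][string]$Scope,
        [Parameter(Mandatory)][string]$NamedLocationId,
        [Parameter(Mandatory)][string]$BreakGlassId,
        # Sample subset of the sensitive admin roles listed on this page (assumption: extend as needed)
        [string[]]$AdminRoleNames = @("Global Administrator", "Security Administrator",
                                      "Privileged Role Administrator", "Exchange Administrator")
    )

    # The emergency-access account is always excluded so a stale country list cannot lock you out.
    $users = @{ excludeUsers = @($BreakGlassId) }
    if ($Scope -eq "AllUsers") {
        $users.includeUsers = @("All")
    }
    else {
        # Conditional Access scopes roles by directory role template ID, so resolve names to IDs.
        $users.includeRoles = Get-MgDirectoryRoleTemplate -All |
            Where-Object { $AdminRoleNames -contains $_.DisplayName } |
            Select-Object -ExpandProperty Id
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = "Block sign-ins from unauthorized countries ($Scope)"
        state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" once reviewed
        conditions    = @{
            users        = $users
            applications = @{ includeApplications = @("All") }
            locations    = @{
                includeLocations = @("All")
                excludeLocations = @($NamedLocationId)      # only the authorized countries escape the block
            }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
}

# 3. Check: list every policy that blocks based on location, e.g. to see what already exists
#    before choosing between Office Protect's managed policy and the Custom Policy (Ignore) value.
function Get-CountryFencePolicies {
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object {
            $_.GrantControls.BuiltInControls -contains "block" -and
            $_.Conditions.Locations.ExcludeLocations.Count -gt 0
        } |
        Select-Object DisplayName, State,
            @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations -join "," } }
}

$breakGlass = Get-MgUser -UserId $BreakGlassUpn
$policy = New-CountryFencePolicy -Scope AllUsers -NamedLocationId $location.Id -BreakGlassId $breakGlass.Id
Get-CountryFencePolicies | Format-Table -AutoSize
```

Run it with `-Scope AdminUsers` to get the Admin Users variant. While the policy is in report-only state, the Entra sign-in log shows which sign-ins would have been blocked; that is the place to catch an out-of-date country list before switching the state to `enabled`.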




*Sensitive admin roles:

  • Application Administrators
  • Application Developer
  • Authentication Administrator
  • Authentication Policy Administrator
  • Azure DevOps Administrator
  • Azure Information Protection Administrator
  • Billing Administrator
  • Cloud App Security Administrator
  • Cloud Application Administrator
  • Cloud Device Administrator
  • Compliance Administrator
  • Conditional Access Administrator
  • Directory Readers
  • Directory Writers
  • Domain Name Administrator
  • Dynamics 365 Administrator
  • Exchange Administrator
  • External ID User Flow Administrator
  • External Identity Provider Administrator
  • Fabric Administrator
  • Global Administrator
  • Global Reader
  • Global Secure Access Administrator
  • Groups Administrator
  • Guest Inviter
  • Helpdesk Administrator
  • Identity Governance Administrator
  • License Administrator
  • Network Administrator
  • Office Apps Administrator
  • Password Administrator
  • Permissions Management Administrator
  • Power Platform Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator
  • Reports Reader
  • Security Administrator
  • Security Operator
  • Security Reader
  • Service Support Administrator
  • SharePoint Administrator
  • Skype for Business Administrator
  • Teams Administrator
  • Teams Communications Administrator
  • Teams Communications Support Engineer
  • Teams Communications Support Specialist
  • Teams Devices Administrator
  • Tenant Creator
  • User Administrator
  • Windows 365 Administrator
  • Yammer Administrator

Role details


The Conditional Access policy created by this setting can be found in the Entra ID admin portal under Protection > Conditional Access > Policies.

What is Conditional Access