In today's globally connected environment, protecting user identities is more important than ever. For organizations operating primarily in Europe, a smart way to reduce exposure to cyber threats is to restrict access based on geographic location, specifically, blocking access from high-risk regions like Russia, China, Iran, and other non-European countries.
With Microsoft Entra ID (formerly Azure AD), you can enforce this through Conditional Access policies, a core capability in modern identity security strategies.
🚧 Why Geo-Based Blocking Matters
Many credential stuffing attacks, brute-force attempts, and reconnaissance activities originate from specific global regions known for persistent threat actor activity. If your users don't travel or operate from these areas, blocking sign-ins from them reduces the attack surface significantly.
This is not about discrimination, it's about pragmatic risk reduction.
Additionally, geo-based Conditional Access can be used to control and monitor where users are accessing your environment from:
- 🏖️ During holidays, it can help detect or restrict logins from unusual countries
- 📍 From a compliance perspective, it enforces company policy on remote work boundaries (e.g., EU-only access for GDPR-regulated environments)
⚠️ Important Limitation: Geo-Blocking Is Not Foolproof
While country-based Conditional Access policies are an effective way to reduce exposure to opportunistic threats and automated attacks, they do not stop determined threat actors (APTs).
Many advanced persistent threats originate from the same country as the organisation they target, or route their attacks through compromised infrastructure in “allowed” regions (e.g., Europe or whatever).
This means:
- 🕵️ Attackers can still use VPNs, proxies, or compromised accounts inside your region.
- 🚫 Blocking China, Russia, Iran, etc., won't stop attackers who have already gained access or who operate from trusted countries.
🔒 Use geo-blocking as one layer in a broader Zero Trust strategy, combining:
- 🔑 Multi-Factor Authentication (MFA) or passkeys
- 💻 Device compliance checks
- 📊 Risk-based access controls
- 🧯 Defender for Identity / Endpoint
- 📝 Strong identity governance (PIM, access reviews)
🛠️ How to Block All Countries Except Europe
Here’s how you can configure a Conditional Access policy in Microsoft Entra ID to allow sign-ins only from European countries:
1. Assumptions
- Microsoft Entra ID Premium P1 or P2 is licensed.
- Geo-location is based on the public IP address of the sign-in.
- You already have user groups and roles defined.
2. Step-by-Step Guide
Step 1 – Define Named Locations
- Log into https://entra.microsoft.com
- Navigate to: Protection > Conditional Access > Named locations
- Click + Country location
- Name:
Allowed - Europe - Select countries:
- Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France
- Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta
- Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland
- Check: ✅ Include unknown countries/regions
- Click Save
Step 2 – Create Conditional Access Policy
- Go to: Protection > Conditional Access
- Click + New policy
- Name:
Block Access from Risky Countries - Assignments:
- Users or workload identities: Select All users (or pilot group during testing)
- Cloud apps or actions: Select All cloud apps
- Conditions:
- Locations:
- Include: Any location
- Exclude: Allowed - Europe (the location from Step 1)
- Locations:
- Access controls:
- Grant: Block access
- Enable policy: Report-only mode initially → Switch to On after validation
- Click Create
3. Best Practice Considerations
| Aspect | Recommendation |
|---|---|
| Test Group | Apply to pilot/test group before organisation-wide rollout |
| Exclude Admin Break Glass | Ensure break-glass accounts are excluded from policy |
| Sign-in Logs | Monitor via Entra ID logs → filter by country |
| VPN & Cloud Egress | Be cautious with corporate VPNs or proxy egress locations |
| Emergency Access | Maintain accounts with no CA policies for emergency use |
4. Optional Enhancements
- Use Conditional Access Templates: Microsoft now provides policy templates.
- Leverage Risk-Based CA (requires P2): Block risky sign-ins (anonymous IPs, TOR, leaked credentials).
- Integrate Defender for Cloud Apps: Enforce session controls even within Europe.