Exploring Conditional MFA with Azure - Part 3
Let’s look at a few policy examples. Hopefully these examples can be used and modified to fit your own scenarios. The first example answers the question “How can I block ANY activity for ALL users from a certain country?” We will configure China, Russia, Japan, and Romania for this example.
The assignments are all users, all cloud apps, and all device states (again, a wide net catches everything). For locations, we selected the countries we want the policy to apply to.
The same wide net is used for client apps: every client app type is included.
Now, let’s move on to Access controls. Obviously, we want to configure a Block control.
That is the policy. Feel free to save it and run some What If tests before enabling it. You can adjust this policy to require MFA for logins from certain countries, block designated apps in certain countries, etc.
Next, we will look at the scenario of triggering based on the user being outside of the US. First, we will create a new named location that includes all countries with the exception of the United States and Unknown. I named this location “Outside of the US”. With the creative naming part of my brain exhausted, I really should investigate marketing as a career. Now that the named location is created, we can move to the policy settings. Under Conditions, select the named location under Locations.
For client apps, we include browsers, mobile apps, and desktop clients, so those are what this policy blocks.
In the Cloud apps area within Assignments we select whichever apps we want controlled by this policy; you can choose all cloud apps or a granular selection of apps. For the Grant configuration under Access controls we will block access.
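Both policies above can also be expressed as Microsoft Graph request bodies, which is handy for keeping them in source control and for checking the logic before anything is enabled. This is an added example, not code from the post: the named-location ids and the short country list are constructed stand-ins, nothing is sent to Graph, and `policy_blocks` is a minimal offline What If check that mimics how the location and client app conditions are matched.

```python
# Microsoft Graph bodies for POST /identity/conditionalAccess/namedLocations
# and POST /identity/conditionalAccess/policies, built offline for review.

# Constructed placeholder ids; Graph returns the real id when a location is created.
BLOCKED_ID = "00000000-0000-0000-0000-00000000000a"
OUTSIDE_US_ID = "00000000-0000-0000-0000-00000000000b"
# Constructed subset standing in for the full country list offered in the portal.
ALL_COUNTRIES_SAMPLE = ["CA", "DE", "GB", "US"]


def country_named_location(name, countries, include_unknown=False):
    """countryNamedLocation body; ISO 3166-1 alpha-2 codes, Unknown excluded by default."""
    return {"@odata.type": "#microsoft.graph.countryNamedLocation",
            "displayName": name,
            "countriesAndRegions": sorted(countries),
            "includeUnknownCountriesAndRegions": include_unknown}


def block_policy(name, location_id, apps=("All",), client_apps=("all",),
                 state="enabledForReportingButNotEnforced"):
    """All users, chosen apps and client app types, at the location -> Block.
    Report-only state by default so sign-in logs can be reviewed before enforcing."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": list(apps)},
                           "clientAppTypes": list(client_apps),
                           "locations": {"includeLocations": [location_id]}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


def policy_blocks(policy, location, country, client_app):
    """Minimal What If: does this policy block a sign-in geolocated to `country`
    (None = the IP could not be mapped to a country) from `client_app`?"""
    cond = policy["conditions"]
    in_location = (location["includeUnknownCountriesAndRegions"] if country is None
                   else country in location["countriesAndRegions"])
    app_hit = "all" in cond["clientAppTypes"] or client_app in cond["clientAppTypes"]
    return in_location and app_hit and "block" in policy["grantControls"]["builtInControls"]


# Policy 1: block everything for all users from China, Russia, Japan and Romania.
BLOCKED_LOC = country_named_location("Blocked countries", ["CN", "RU", "JP", "RO"])
POLICY_BLOCKED = block_policy("Block selected countries", BLOCKED_ID)
# Policy 2: "Outside of the US" = every country except US, with Unknown left out.
OUTSIDE_US_LOC = country_named_location(
    "Outside of the US", [c for c in ALL_COUNTRIES_SAMPLE if c != "US"])
POLICY_OUTSIDE_US = block_policy("Block outside of the US", OUTSIDE_US_ID,
                                 client_apps=("browser", "mobileAppsAndDesktopClients"))
```

One result worth noticing: because the "Outside of the US" location leaves Unknown out, a sign-in whose IP cannot be geolocated is not blocked by that policy, so review the sign-in logs for such cases while the policy is in report-only mode.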
This policy can be used to cherry-pick a certain application to block outside of the US, whether for company policy reasons or for compliance reasons. In Part 4, we are going to take a closer look at the end user experience for Azure Multi-Factor Authentication.