How to block all countries from attempting to login besides the US with conditional Access

Question

How to block all countries from attempting to login besides the US with conditional Access

James A. Spellman 0

I could use some guidance in blocking Attempted failed login from other countries or IP addresses

Rukmini 39,110 Reputation points Microsoft External Staff Moderator

2025-12-11T22:28:41.1866667+00:00
Hey James A. Spellman! It sounds like you're looking to set up a Conditional Access policy to block login attempts from any countries outside the US. This is a smart move to enhance security. Here’s how you can do it:

Steps to Block Access from Other Countries:

Sign in to the Microsoft Entra Admin Center: Ensure you have the necessary permissions (Conditional Access Administrator, Security Administrator, or Global Administrator).

Create Named Locations:

Navigate to Microsoft Entra ID > Security > Conditional Access > Named locations.

Select Countries location and enter a name (e.g., "Allowed USA").

Choose United States from the available countries and select Create.

Create a Conditional Access Policy:

Go to Policies under Conditional Access.

Select New policy.

Give your policy a meaningful name (e.g., "Block Non-US Access").

In Assignments, choose Users or workload identities and select All users (make sure to exclude any emergency access accounts).

In Cloud apps or actions, select All cloud apps.

Under Conditions, look for Locations. Set this to Selected locations, and include the named location you just created (the US).

For Access controls, under the Grant section, select Block access.

Review and Enable the Policy:

Initially set the policy to Report-only mode to evaluate its impact without enforcing it.

After confirming the settings, switch the toggle to On for enforcement.

Important Considerations:

Emergency Access Accounts: Make sure to exclude break-glass accounts to avoid getting locked out.

Testing the Policy: Use the What-If Tool in the Microsoft Entra admin center to test how the policy would affect users trying to sign in from different locations.

IPv6 Support: Keep in mind that the location condition only maps based on IPv4 addresses, so ensure your policies consider any IPv6 configurations as applicable.

Additional Resources:

Block access by location

Microsoft Entra ID Conditional Access overview

What-If Tool Documentation

Hope this helps you set up your Conditional Access policy effectively! If you have any more questions or need further assistance, feel free to ask!
Rahul Jindal 11,631 Reputation points

2025-12-12T04:08:49.7333333+00:00

The easiest way is to create a named location for US and exclude it from locations in the CA policy with a block action against all cloud apps. This will ensure that all sign-in requests originating outside of US are getting blocked. Please test this as the named location is managed by Microsoft for IP to country mapping.
James L. Johnson 5 Reputation points

2026-01-16T19:27:52.15+00:00

I want to clarify that I can add all users, guest and members, to the Include list. Then, add a few glass-break accounts such as my administrator account. Next I add my administrator account to the exclude list, and I am still excluded from the policy even though I was added to the include list in the first step above, right?
Abdul Ghaffar 0 Reputation points

2026-05-06T09:46:53.25+00:00

yeah this is good guide by moderator just wanna add small thing from my side sometimes blocking full countries only with conditional access not 100% stop “attempted” sign-ins in logs, it mainly blocks access after attempt. so you may still see failed login tries from other countries in sign-in logs, this is normal behavior. if goal is reduce noise + better security, you can also: use “sign-in risk policy” + “user risk policy” with block/high risk enable MFA for all users (very important) use named locations + also mark trusted locations check Azure AD Identity Protection (if license available) also make sure report-only test properly before enable, many people lock themselves out

1 answer

Your answer

Rahul Jindal 11,631 Reputation points

2025-12-12T04:08:49.7333333+00:00

The easiest way is to create a named location for US and exclude it from locations in the CA policy with a block action against all cloud apps. This will ensure that all sign-in requests originating outside of US are getting blocked. Please test this as the named location is managed by Microsoft for IP to country mapping.
James L. Johnson 5 Reputation points

2026-01-16T19:27:52.15+00:00

I want to clarify that I can add all users, guest and members, to the Include list. Then, add a few glass-break accounts such as my administrator account. Next I add my administrator account to the exclude list, and I am still excluded from the policy even though I was added to the include list in the first step above, right?
Abdul Ghaffar 0 Reputation points

2026-05-06T09:46:53.25+00:00

yeah this is good guide by moderator just wanna add small thing from my side sometimes blocking full countries only with conditional access not 100% stop “attempted” sign-ins in logs, it mainly blocks access after attempt. so you may still see failed login tries from other countries in sign-in logs, this is normal behavior. if goal is reduce noise + better security, you can also: use “sign-in risk policy” + “user risk policy” with block/high risk enable MFA for all users (very important) use named locations + also mark trusted locations check Azure AD Identity Protection (if license available) also make sure report-only test properly before enable, many people lock themselves out

Answer 1

To block all countries except the US from attempting to log in using Conditional Access in Microsoft Entra, you can follow these steps:

Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.
Navigate to Entra ID > Conditional Access > Named locations.
Create a new named location:
- Choose Countries/Regions as the type of location.
- Name your location (e.g., "Allowed Countries").
- Select United States from the list of countries.
Create a new Conditional Access policy:
- Go to Policies and select New policy.
- Under Assignments, choose Users and groups to specify who this policy applies to.
- Under Cloud apps or actions, select the applications you want to protect.
- Under Conditions, select Locations and include the named location you created (the US) and exclude all other locations.
Set the Access controls to Block access for all other countries.
Enable the policy and monitor its effectiveness.

This setup will ensure that only users attempting to log in from the US can access the specified applications, while all other countries will be blocked.

References:

Share via

How to block all countries from attempting to login besides the US with conditional Access

Steps to Block Access from Other Countries:

Important Considerations:

Additional Resources:

1 answer

Your answer