Blocking user logins by location can add a layer of security to your environment. The following process uses Azure Active Directory Conditional Access to block access based on geographical location. For example, you may be positive that nobody in your organization should be trying to log in to select cloud applications from specific countries. You can follow the steps here to create a block rule for these locations. Please note that locations are determined by IP address, so a VPN could bypass this rule. Also be careful with users who may travel. The process could also be used to allow logins only from locations inside your company.
Create a Named Location:
Log in to Azure.
Select Azure Active Directory.
Under Security select Conditional Access > Named locations > New location.
Name it Blocked Countries, select Countries/Regions and check any countries you wish to block.
Create Conditional Access Policy:
Next go to Policies and select New policy.
Name the Policy Location Block.
Next, under Assignments, select All users (or the specific groups/users) that you want the policy to apply to.
Next select any cloud apps you want the policy to apply to and block access to the apps based on location. The example here uses all the Office 365 apps.
Next select Conditions > Locations > Selected locations > Blocked Countries (the name you gave the location earlier in the process).
Under Access controls select Block access. Note: this rule can also be modified here to force multi-factor authentication rather than a block.
Enable policy and save and you are complete!
Important: under Assignments, where you selected users, you can also exclude certain users or groups.
Users will see this message if they attempt to log in from a blocked country.
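The same two steps can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original walkthrough; the country codes and the excluded account ID are placeholders, and the policy is created in report-only mode (an assumption made here) so the sign-in logs can be reviewed for travelling users before it is enforced.

```powershell
# Added example (not from the original article).
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholders: replace with the ISO 3166-1 alpha-2 codes you want to block
# and the object ID of an emergency-access account that must never be locked out.
$blockedCountries = @('XX', 'YY')
$excludedUserId   = '00000000-0000-0000-0000-000000000000'

# Step 1: the "Blocked Countries" named location (Countries/Regions type).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked Countries'
    countriesAndRegions               = $blockedCountries
    includeUnknownCountriesAndRegions = $false
}

# Step 2: the "Location Block" policy for all users on the Office 365 apps.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Location Block'
    # Report-only first; set to 'enabled' to enforce, as in the final step above.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($excludedUserId)   # the exclusion described under Assignments
        }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = 'OR'
        # 'block' denies access; use 'mfa' instead to require multi-factor authentication.
        builtInControls = @('block')
    }
}

# Confirm what was created.
$policy | Select-Object Id, DisplayName, State
```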