CA Policy for CorpServiceAccounts in Unknown Locations
An Azure AD Conditional Access Policy to block CorpServiceAccounts in unknown or untrusted locations.
Suggested name:
CA8{XX}-BaseProtection-IdentityProtection-AllApps-UnknownLocation-Block
Assignments
Users
| Users and groups | |
|---|---|
| Include users | CA-Persona-CorpServiceAccounts |
| Exclude users | Break-glass (emergency access) accounts |
Cloud apps or actions
| Cloud apps | |
|---|---|
| Include | All cloud apps |
Conditions
| Location | |
|---|---|
| Include | Any Location |
| Exclude | Trusted locations* |
* Optionally, exclude specific named locations.
Define specific public IPs with a /32 in Named Locations.
Access controls
| Block Access |
|---|
| No additional control selection |
References
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common