This blog post is about some issues we ran into when we deployed Conditional Access to make sure that only devices located in trusted countries could access the company's Microsoft 365 environment.
I will divide this blog into multiple parts.
Imagine this scenario: your customer wants to migrate to Microsoft 365, but for now without compliant devices. Somehow, you still want to protect their data.
One of the Conditional Access policies you will probably implement: "block access from foreign countries".
It is not the best Conditional Access policy out there, but hey… it creates another barrier. With this policy, though, you can run into some weird issues. Let me explain.
2. The Issue
When you implement this policy without your devices being compliant, there is a real chance that users will be denied access. When users complain to you that they have no access, go check the Azure sign-in logs, because they are probably right!
The screenshot above is very clear: Microsoft reports a failure, and the client address is an IPv6 address instead of the usual IPv4 address. It looks like Conditional Access does not (for now) know which country an IPv6 address belongs to, so the sign-in never matches the trusted countries and gets blocked. That's odd… why can't Microsoft determine where an IPv6 address is located, when every other IP lookup tool can?
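To find these cases faster than by scrolling through the portal, here is an added example (not from the original post) that triages Conditional Access failures and flags the ones coming from an IPv6 client address whose country is empty. The sign-in objects are constructed sample data shaped like the objects `Get-MgAuditLogSignIn` returns; the user names, app names and addresses are hypothetical.

```powershell
# Added example: triage Conditional Access failures and separate the sign-ins
# that came from an IPv6 client address with no resolved country.
# Input objects have the shape of Microsoft Graph signIn resources as returned
# by Get-MgAuditLogSignIn (module Microsoft.Graph.Reports).

function Get-IPv6CaFailure {
    param(
        [Parameter(Mandatory)]
        [object[]] $SignIns
    )

    foreach ($s in $SignIns) {
        # Only sign-ins that Conditional Access actually blocked
        if ($s.ConditionalAccessStatus -ne 'failure') { continue }

        # Let System.Net.IPAddress decide the address family instead of regex guessing
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($s.IpAddress, [ref]$ip)) { continue }
        $isV6 = $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6

        $country = $s.Location.CountryOrRegion
        $noCountry = [string]::IsNullOrEmpty($country)
        if ($noCountry) { $country = '<unknown>' }

        [pscustomobject]@{
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            IpAddress = $s.IpAddress
            IsIPv6    = $isV6
            Country   = $country
            # A blocked IPv6 sign-in with no country is exactly the symptom described above
            Suspect   = ($isV6 -and $noCountry)
            Policies  = ($s.AppliedConditionalAccessPolicies |
                          Where-Object { $_.Result -eq 'failure' } |
                          ForEach-Object { $_.DisplayName }) -join ', '
        }
    }
}

# Constructed sample entries (not real log data; contoso.example and 2001:db8::/32
# and 203.0.113.0/24 are documentation names and ranges)
$sample = @(
    [pscustomobject]@{
        UserPrincipalName       = 'alice@contoso.example'
        AppDisplayName          = 'Exchange Online'
        IpAddress               = '2001:db8:1234::1'
        ConditionalAccessStatus = 'failure'
        Location                = [pscustomobject]@{ CountryOrRegion = '' }
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = 'Block foreign countries'; Result = 'failure' }
        )
    },
    [pscustomobject]@{
        UserPrincipalName       = 'bob@contoso.example'
        AppDisplayName          = 'Office 365 SharePoint Online'
        IpAddress               = '203.0.113.10'
        ConditionalAccessStatus = 'failure'
        Location                = [pscustomobject]@{ CountryOrRegion = 'US' }
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = 'Block foreign countries'; Result = 'failure' }
        )
    },
    [pscustomobject]@{
        UserPrincipalName       = 'carol@contoso.example'
        AppDisplayName          = 'Microsoft Teams'
        IpAddress               = '2001:db8:abcd::42'
        ConditionalAccessStatus = 'success'
        Location                = [pscustomobject]@{ CountryOrRegion = 'NL' }
        AppliedConditionalAccessPolicies = @()
    }
)

Get-IPv6CaFailure -SignIns $sample | Format-Table -AutoSize

# Against a real tenant (after Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'):
# $recent = Get-MgAuditLogSignIn -Filter "conditionalAccessStatus eq 'failure'" -Top 500
# Get-IPv6CaFailure -SignIns $recent | Where-Object Suspect
```

In the sample data only alice's sign-in is flagged as Suspect: bob was blocked from a resolved IPv4 location (a legitimate block), and carol's IPv6 sign-in succeeded. Running the last two commented lines against the tenant gives you the list of users to expect complaints from.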
3. The solution
I guess we have to live with it for now… There are five possible solutions to make the users happy again. Let me explain them.
- We could exclude the user from the Conditional Access policy. In my opinion that is a bad idea: the user then loses the protection entirely.
- We could exclude all IPv6 address ranges of the mobile providers from the policy. That is a lot of work to maintain if every user has their own phone and a different provider.
- We could exclude the cloud app Exchange Online from this Conditional Access policy. Again, a bad idea.
- We could select "Include unknown countries/regions" on the trusted-countries named location, as shown below. In practice that simply means all IPv6 addresses (and any other sign-in whose country cannot be determined) are treated as trusted, so the barrier no longer applies to them. Okay… not bad, not good.
- Go full Microsoft 365 when you can, and start requiring compliant devices. With this option you create a "Filter for devices" on the policy that excludes compliant devices (rule: device.isCompliant -eq True), so the country block only hits unmanaged devices. If possible, this is your best option.
As stated above, when choosing this option your mobile devices need to become compliant. To make them compliant, you need to enroll them in Intune so that their compliance state can be measured!
Microsoft's Conditional Access is not without its flaws. But if you slowly move towards a full Microsoft 365 environment with compliant devices, it can be a powerful solution to your customer's IT challenges… as long as you keep security top of mind!
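For the people who build these policies from code rather than the portal, here is an added example (not the original post's own configuration) of the "block foreign countries" policy with the Microsoft Graph PowerShell SDK. It shows the two knobs from the list above: the "include unknown countries/regions" flag on the named location (option 4) and the filter for devices that excludes compliant devices (option 5). The country list, display names and the break-glass group ID are hypothetical placeholders.

```powershell
# Added example: "block foreign countries" policy via the Microsoft Graph
# PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
# Prerequisite:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$trustedCountries = @('NL', 'BE')   # ISO 3166-1 alpha-2 codes; hypothetical list

# 1. Named location of trusted countries.
#    includeUnknownCountriesAndRegions = $false means a sign-in whose country cannot
#    be determined (at the time of the post: every IPv6 sign-in) does NOT count as
#    trusted and therefore gets blocked. Setting it to $true is the option-4
#    workaround, at the cost of letting every unknown-location sign-in through.
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Trusted countries'
    countriesAndRegions               = $trustedCountries
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = 'clientIpAddress'
}

# 2. The policy: block every location except the trusted countries, but only for
#    devices that are NOT compliant (option 5). Compliant, Intune-enrolled devices
#    are excluded by the device filter, so a compliant phone on an IPv6 mobile
#    network is no longer caught by the IPv6/unknown-country gap.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block access from foreign countries (non-compliant devices)'
    # Start in report-only mode and read the sign-in logs before enforcing
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            # Always keep your break-glass accounts out of a block policy
            excludeGroups = @('<break-glass-group-object-id>')   # placeholder
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($namedLocation.Id)
        }
        devices      = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

Leave the policy in report-only mode until the sign-in logs show no unexpected "failure" results for the users you care about, then switch `state` to `enabled`. Note that a device that is not enrolled in Intune has no compliance state at all, so it is never matched by the exclude filter and stays subject to the country block, which is the intended behaviour.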