Block OFAC Countries
If there is a requirement to block sign-ins from certain countries, a conditional access policy can enforce it.
As a first step, we create a "named location" that holds the list of countries from which all requests should be blocked.
Then we create a conditional access policy that references that named location and applies a block grant control.
All users are blocked from the listed countries except the currently logged-in user, who is excluded so that the administrator running the script cannot be locked out by the new policy. Keep at least one such excluded (break-glass) account in every blocking policy.
A useful website for looking up ISO 3166-1 alpha-2 country codes (among other things) is https://countrycode.org. Country named locations resolve the country from the sign-in's IP address geolocation, so a VPN or proxy exit in another country is not caught by this block. The country list in the script below is the one used on this page; verify it against the current OFAC sanctions programs before using it, since it does not match them exactly (for example, it contains AU, Australia).
The PowerShell script to create the named location and the conditional access policy for the block (it uses the AzureAD module, which Microsoft has since retired in favour of the Microsoft Graph PowerShell SDK; the steps are the same):
# Connect to AzureAD and get the currently logged-in user.
# This user is excluded from the block so the admin running the script cannot lock themselves out.
$CurrentlyLoggedInUser = $NULL
$CurrentUserId = $NULL
try {
    $AzureADSession = Get-AzureADCurrentSessionInfo
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Write-Host "You're not connected to AzureAD. Connecting now..."
    $connection = Connect-AzureAD
    $AzureADSession = Get-AzureADCurrentSessionInfo
}
$CurrentlyLoggedInUser = $AzureADSession.Account | Select-Object -ExpandProperty Id
# $( ) is needed to expand a property inside a double-quoted string; "$AzureADSession.TenantDomain" would print the object followed by ".TenantDomain"
Write-Host "Connected to : $($AzureADSession.TenantDomain) as $CurrentlyLoggedInUser"
$CurrentUserId = Get-AzureADUser -Filter "UserPrincipalName eq '$CurrentlyLoggedInUser'" | Select-Object -ExpandProperty ObjectId
if ($null -eq $CurrentUserId) {
    throw "Could not resolve the ObjectId of $CurrentlyLoggedInUser; stopping so the policy is not created without an excluded account."
}

$NamedLocationPolicyName = "OFAC Countries"
# Compare against the name, not the (still empty) policy variable
$NamedLocationPolicy = Get-AzureADMSNamedLocationPolicy | Where-Object { $_.DisplayName -eq $NamedLocationPolicyName }
if ($null -eq $NamedLocationPolicy) {
    # Create a country named location with the countries to block (ISO 3166-1 alpha-2 codes).
    # Verify this list against the current OFAC sanctions programs before use.
    $NamedLocationPolicy = New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.countryNamedLocation" -DisplayName $NamedLocationPolicyName -CountriesAndRegions @("BY","BI","BA","CD","CF","CI","CN","CU","IQ","IR","KP","LR","MD","ME","MK","NI","RU","RS","SD","SS","SY","UA","VE","YE","ZW","AU") -IncludeUnknownCountriesAndRegions $false
    Write-Host "Named location policy : $NamedLocationPolicyName has been created."
} else {
    Write-Host "Named location policy : $NamedLocationPolicyName already exists."
}
# Read the list from the policy object, not from the name string
Write-Host "Countries included : $($NamedLocationPolicy.CountriesAndRegions -join ', ')"

# Create the conditional access policy to block access from all listed countries to all apps for all users except the currently logged-in user
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "all"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "all"
$conditions.Users.ExcludeUsers = $CurrentUserId
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = $NamedLocationPolicy.Id
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "block"
# -State "enabledForReportingButNotEnforced" creates the policy in report-only mode, which lets you review the sign-in log for hits before enforcing
New-AzureADMSConditionalAccessPolicy -DisplayName "Block OFAC countries" -State "Enabled" -Conditions $conditions -GrantControls $controls
The conditional access policy is created.
The conditional access policy, showing the block grant control applied to the location defined by the named location "OFAC Countries".
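As an added example (not part of the original post), the following PowerShell function reads back the named location and the conditional access policy created by the script above and checks the points that matter before a geo-block is enforced: every entry in the named location is a well-formed ISO 3166-1 alpha-2 code, the policy actually references that named location, at least one user is excluded so the policy cannot lock everyone out, and the grant control is block. It then promotes a report-only policy to enabled only when all checks pass. The cmdlets are the AzureAD module cmdlets used on this page; the function name Test-OfacBlockPolicy, its parameters and the report-only-first workflow are this example's own assumptions.

```powershell
# Added example: verify the named location and CA policy before enforcing the block.
# Assumes an existing AzureAD session (Connect-AzureAD) and the display names used above.
function Test-OfacBlockPolicy {
    param(
        [string]$PolicyName   = "Block OFAC countries",
        [string]$LocationName = "OFAC Countries"
    )
    $problems = @()

    # 1. The named location must exist, be a country named location, and hold only ISO alpha-2 codes.
    $location = Get-AzureADMSNamedLocationPolicy |
        Where-Object { $_.DisplayName -eq $LocationName }
    if ($null -eq $location) {
        $problems += "Named location '$LocationName' not found."
    } elseif ($location.OdataType -ne "#microsoft.graph.countryNamedLocation") {
        $problems += "Named location '$LocationName' is not a country named location."
    } else {
        $bad = @($location.CountriesAndRegions | Where-Object { $_ -notmatch '^[A-Z]{2}$' })
        if ($bad.Count -gt 0) {
            $problems += "Entries that are not ISO 3166-1 alpha-2 codes: $($bad -join ', ')"
        }
    }

    # 2. The policy must reference that location, exclude a break-glass user, and block.
    $policy = Get-AzureADMSConditionalAccessPolicy |
        Where-Object { $_.DisplayName -eq $PolicyName }
    if ($null -eq $policy) {
        $problems += "Conditional access policy '$PolicyName' not found."
    } else {
        if ($location -and ($policy.Conditions.Locations.IncludeLocations -notcontains $location.Id)) {
            $problems += "Policy does not include named location '$LocationName'."
        }
        if (-not $policy.Conditions.Users.ExcludeUsers) {
            $problems += "No excluded (break-glass) user: enforcing this policy could lock every account out."
        }
        if ($policy.GrantControls.BuiltInControls -notcontains "block") {
            $problems += "Grant control is not 'block'."
        }
    }

    $state = $null
    if ($policy) { $state = $policy.State }
    [pscustomobject]@{
        Passed   = ($problems.Count -eq 0)
        PolicyId = if ($policy) { $policy.Id } else { $null }
        State    = $state
        Problems = $problems
    }
}

# Usage: create the policy in report-only mode first (-State "enabledForReportingButNotEnforced"),
# review the sign-in log for unexpected hits, then enforce it only once the checks pass.
$result = Test-OfacBlockPolicy
$result | Format-List
if ($result.Passed -and $result.State -eq "enabledForReportingButNotEnforced") {
    Set-AzureADMSConditionalAccessPolicy -PolicyId $result.PolicyId -State "enabled"
    Write-Host "Policy '$($result.PolicyId)' switched from report-only to enabled."
} elseif (-not $result.Passed) {
    Write-Warning "Not enforcing: $($result.Problems -join ' ')"
}
```

The exclusion check is the one that matters most: a location-based block with no excluded account applies to the administrator's own next sign-in as well, and if that sign-in happens to resolve to a listed country (for example through a VPN), there is no account left that can disable the policy.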