Try this first
1. In Entra Named Locations, create a Trusted set: NL, plus the countries where people actually work or regularly travel. Add fixed office IP ranges as Trusted IP.
2. Build a Conditional Access policy "Block sign-in from untrusted countries": all users (except break-glass), all cloud apps, condition Locations = Any location, exclude Trusted Named Locations, action Block.
3. Run Report-only for two weeks first. Check sign-in logs for legitimate trips or VPNs and adjust the Trusted set.
4. Add a separate policy for admin roles: only from Trusted Named Locations, even if travelling. Admins travel through VPN to the office.
5. Add an exception for mobile apps using roaming data (Outlook mobile on a foreign carrier). Sometimes they sign in from an unexpected country via a carrier IP. That is not an attack; solve it through Trusted Devices instead of Trusted Locations.
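A triage sketch for the Report-only period in step 3, added here as an example and not part of the original page. It assumes the sign-in logs were exported as records shaped like Microsoft Graph signIn objects; the sample records, the `min_days` threshold and the three labels are constructed for illustration.

```python
from collections import defaultdict

POLICY = "Block sign-in from untrusted countries"  # policy name from step 2
MOBILE = "Mobile Apps and Desktop clients"         # clientAppUsed value for app sign-ins

def rec(user, ts, country, app, result):
    """Build one constructed sign-in record with only the fields used below."""
    return {"userPrincipalName": user, "createdDateTime": ts, "clientAppUsed": app,
            "location": {"countryOrRegion": country},
            "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": result}]}

# Constructed sample data, not real logs.
SAMPLE = [
    rec("anna@example.com", "2024-05-06T08:10:00Z", "ES", "Browser", "reportOnlyFailure"),
    rec("anna@example.com", "2024-05-07T09:02:00Z", "ES", "Browser", "reportOnlyFailure"),
    rec("anna@example.com", "2024-05-08T08:47:00Z", "ES", "Browser", "reportOnlyFailure"),
    rec("bob@example.com", "2024-05-07T03:14:00Z", "BR", "Browser", "reportOnlyFailure"),
    rec("carl@example.com", "2024-05-09T12:30:00Z", "TR", MOBILE, "reportOnlyFailure"),
    rec("dana@example.com", "2024-05-09T09:00:00Z", "NL", "Browser", "reportOnlyNotApplied"),
]

def triage(signins, policy=POLICY, min_days=3):
    """Label each (user, country) pair the report-only block policy would have blocked."""
    days, apps = defaultdict(set), defaultdict(set)
    for s in signins:
        # For a Block policy, reportOnlyFailure means the sign-in would have been blocked.
        hit = any(p.get("displayName") == policy and p.get("result") == "reportOnlyFailure"
                  for p in s.get("appliedConditionalAccessPolicies", []))
        if not hit:
            continue
        country = (s.get("location") or {}).get("countryOrRegion") or "unknown"
        key = (s["userPrincipalName"], country)
        days[key].add(s["createdDateTime"][:10])   # distinct calendar days
        apps[key].add(s.get("clientAppUsed", ""))
    labels = {}
    for key, seen in days.items():
        if len(seen) >= min_days:
            labels[key] = "review-trusted-set"     # repeated over days: likely travel or remote work
        elif apps[key] == {MOBILE}:
            labels[key] = "check-device"           # step 5: possible roaming carrier IP
        else:
            labels[key] = "investigate"            # one-off from an untrusted country
    return labels

if __name__ == "__main__":
    for key, label in sorted(triage(SAMPLE).items()):
        print(key, label)
```

The labels only sort the review queue; whether a country joins the Trusted set remains a manual decision after confirming the trip or VPN with the user.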
When to bring us in
If you have freelancers or partners working from countries you do not trust, use a separate Conditional Access policy with stronger MFA (FIDO2) instead of a blanket block. Geo-blocking for that group usually creates more noise than it removes.
See also
- I think I clicked a phishing link. No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely. Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes. Classic problem after a phone upgrade. You are not the first to be locked out.