
How I Restrict Microsoft 365 Access by Country (And Why I Do It in Every Tenant)

4 January 2026 by Jaspreet Singh


One of the first things I check when I log in to a new Microsoft 365 tenant is where users are allowed to sign in. Most tenants I see are wide open:

Any country. Any IP. Any time.

And that’s usually where the problems start. In this post, I’ll explain how I set up country-based access restrictions in Microsoft 365 using Microsoft Entra ID. I’ll also explain why I consider this a basic security step rather than an advanced option, and how to verify that it is protecting the organization as intended.

Why I Care About Country-Based Restrictions

In real life, M365 attacks don’t come from next door. They come from:

  • Password spray attacks from overseas
  • MFA fatigue attempts at odd hours
  • Legacy authentication abuse
  • Automated sign-in attempts from countries the business has zero presence in

If a company only operates in Canada and the US, I always ask:

Why are we allowing sign-ins from 190 other countries? (Soligan, 2025)

Most of the time, there’s no good answer.

Before You Start (Important)

To do this properly, you need:

  • Microsoft Entra ID Premium P1 or P2
  • Security Defaults disabled
  • At least one break-glass admin account

If Security Defaults are still enabled, Conditional Access policies will not take effect, so disable Security Defaults first. I do not try to run both at the same time.

Step 1: Create Allowed Country Locations

I start by defining where sign-ins are allowed from.

  1. Go to the Microsoft Entra admin centre
  2. Navigate to Protection → Conditional Access → Named locations
  3. Click + Countries location
  4. Name it something clear, for example: Block Sign-ins Outside Canada & US

Step 2: Create the Conditional Access Policy

With the allowed countries defined, I create a new Conditional Access policy and work through its assignments in order.

Users

  • Include: All users
  • Exclude:

    • Break-glass admin account
    • Emergency access account

I always include this step. After locking myself out once, I learned how important it is.

Cloud Apps

  • Select all cloud apps

I keep this simple. If a user signs in, the policy will apply.

Conditions → Locations

  1. Set Configure = Yes
  2. Include: Any location
  3. Exclude:

    • Allowed Countries – Canada & US

This approach is straightforward and works well:

Block everything except where we actually operate

Access Controls

  • Select Block access

Enable Policy

At this point, I take extra care.

  • Set policy to Report-only
  • Monitor sign-in logs
  • Confirm nothing legitimate is being blocked
  • Then switch it to On

I always test before enforcing. Always.
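The same build-out, scripted with the Microsoft Graph PowerShell SDK instead of clicked through the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, and the two break-glass UPNs (breakglass1@contoso.example, breakglass2@contoso.example) are placeholders you replace with your own.

```powershell
# Added example (not from the original post): Step 1 through "Enable Policy" built with the
# Microsoft Graph PowerShell SDK. Requires the Microsoft.Graph module; the break-glass UPNs
# below are placeholders.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Step 1: the allowed-country named location (ISO 3166-1 alpha-2 codes).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed Countries – Canada & US'
    countriesAndRegions               = @('CA', 'US')
    # Sign-ins whose IP maps to no country are NOT counted as allowed, so they fall under the block.
    includeUnknownCountriesAndRegions = $false
}

# Resolve the break-glass / emergency accounts to object IDs; refuse to continue if any is
# missing, because a Block policy with no working exclusion is exactly the lockout described above.
$breakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')  # placeholders
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })
if ($breakGlassIds.Count -ne $breakGlassUpns.Count -or $breakGlassIds -contains $null) {
    throw 'Not every break-glass account resolved; fix the exclusions before creating a Block policy.'
}

# The policy: all users (minus break-glass), all cloud apps, any location except the named
# location, Block access. It is created in report-only mode; enforcement comes later.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Sign-ins Outside Canada & US'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created '$($policy.DisplayName)' as $($policy.State), excluding location $($location.Id)"

# Only after the report-only sign-in review shows no legitimate sign-ins would be blocked:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```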

What I Check After Enabling

After a few days, I review:

  • Sign-in logs
  • Blocked country trends
  • Any unexpected service account failures
  • VPN-related false positives

In most tenants the effect is visible immediately, and the noise from unwanted sign-in activity drops quickly.
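An added example, not from the original post, of that post-enable review done against the sign-in log: it summarises which sign-ins the policy would have blocked while in report-only mode, grouped by country, lists successful sign-ins that would have been blocked (the VPN and service-account false-positive candidates), and flags any break-glass account that shows up. The sign-in records are a constructed sample shaped like Get-MgAuditLogSignIn output, the policy name is the one used above, and the break-glass UPN is a placeholder.

```powershell
# Added example (not from the original post): the post-enable review, done against the sign-in
# log instead of by eye. In a live tenant feed it real records, e.g.
#   $signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2026-01-01T00:00:00Z"
# Below, a constructed sample stands in for that output so the function runs offline.
function Get-ReportOnlyBlockSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [string]   $PolicyName,
        [string[]] $BreakGlassUpns = @()
    )
    # Sign-ins the policy WOULD have blocked: its applied-policy entry says reportOnlyFailure.
    $wouldBlock = @($SignIns | Where-Object {
        $_.AppliedConditionalAccessPolicies | Where-Object {
            $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure'
        }
    })
    [pscustomobject]@{
        WouldBlockTotal = $wouldBlock.Count
        # Blocked-country trend: where the would-be-blocked attempts come from.
        ByCountry       = $wouldBlock | Group-Object { $_.Location.CountryOrRegion } |
                              Sort-Object Count -Descending | Select-Object Name, Count
        # Sign-ins that SUCCEEDED today but would be blocked once the policy is On: VPN egress,
        # travelling staff and service accounts live here. Review every row before switching.
        FalsePositives  = $wouldBlock | Where-Object { $_.Status.ErrorCode -eq 0 } |
                              Select-Object UserPrincipalName, AppDisplayName, IpAddress,
                                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }
        # Break-glass accounts must never appear here; if they do, the exclusion is wrong.
        BreakGlassHits  = $wouldBlock | Where-Object { $_.UserPrincipalName -in $BreakGlassUpns } |
                              Select-Object UserPrincipalName, IpAddress
    }
}

# Constructed sample shaped like Get-MgAuditLogSignIn output (not real tenant data).
$policy = 'Block Sign-ins Outside Canada & US'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'
        IpAddress = '203.0.113.10'; Status = @{ ErrorCode = 0 }; Location = @{ CountryOrRegion = 'CA' }
        AppliedConditionalAccessPolicies = @(@{ DisplayName = $policy; Result = 'reportOnlyNotApplied' }) }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AppDisplayName = 'Azure Portal'
        IpAddress = '198.51.100.7'; Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = 'NG' }
        AppliedConditionalAccessPolicies = @(@{ DisplayName = $policy; Result = 'reportOnlyFailure' }) }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@contoso.example'; AppDisplayName = 'Microsoft Graph'
        IpAddress = '192.0.2.44'; Status = @{ ErrorCode = 0 }; Location = @{ CountryOrRegion = 'DE' }
        AppliedConditionalAccessPolicies = @(@{ DisplayName = $policy; Result = 'reportOnlyFailure' }) }
)
Get-ReportOnlyBlockSummary -SignIns $sample -PolicyName $policy -BreakGlassUpns 'breakglass1@contoso.example' |
    Format-List
```

The service account signing in successfully from outside the allowed countries is the case to resolve (exclude it, fix its egress, or accept the block) before the policy goes from Report-only to On.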

Common Mistakes I See

These show up again and again:

❌ Blocking without excluding break-glass accounts

❌ Turning it on without report-only testing

❌ Assuming MFA alone is enough

❌ Forgetting that attackers don’t need to “log in successfully” to cause damage

Country-based access does not replace MFA. Instead, it works alongside it.

How This Fits My Zero Trust Mindset

I don’t trust:

  • Location
  • Network
  • Or credentials alone

But I do treat unexpected geography as a high-risk signal. For SMBs especially, this control gives you:

  • Big security gains
  • Very little user friction
  • Immediate noise reduction (Soligan, 2025)

This is why I set it up for nearly every tenant I manage.

Final Thoughts

If your Microsoft 365 tenant still allows users to sign in from anywhere in the world, you are taking unnecessary risk. Country-based Conditional Access is:

  • Simple
  • Effective
  • Proven in real environments (Government data protection—earning and retaining the public’s trust with Microsoft 365, 2020)

This is not just theory. I use this approach regularly in real environments.



Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.


References

Soligan, R. (2025). Strengthening Enterprise Identity Security with Country-Based Blocking in Conditional Access. Microsoft Community Hub. https://techcommunity.microsoft.com/discussions/microsoft-entra/strengthening-enterprise-identity-security-with-country-based-blocking-in-condit/4423833

Government data protection—earning and retaining the public’s trust with Microsoft 365. (2020, January 7). Microsoft 365 Blog. https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/08/government-data-protection-earning-retaining-public-trust-microsoft-365/
