Create Conditional Access Policy to block Impossible Travel

rr-4098 1,501 Reputation points
2024-07-27T10:01:36.5366667+00:00

I am trying to set up a Conditional Access policy to block impossible travel as listed in the article below.

When I get to step 12, there is no option to select Impossible travel. I have all the required licenses to support Conditional Access policies. What am I missing???

https://vijilan.com/blog/strengthening-microsoft-365-security/


Accepted answer
  1. Raja Pothuraju 6,440 Reputation points Microsoft Vendor
    2024-07-29T19:54:34.3933333+00:00

    Hello @rr-4098,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it appears you are trying to create a conditional access policy to secure your tenant from risky sign-ins. You are following an article that mentions blocking "Impossible travel" at step 12. Up to this point, the instructions are accurate. At step 12, you should select "Block access" (no other options are necessary) and save the policy. This policy will block access for users flagged with a high sign-in risk level, though you can adjust the risk level based on your organization's policies.

    Creating a block policy will completely deny access to users who are classified as high-risk. In such cases, users will need to contact the IT helpdesk to have their access unblocked by dismissing the risk. To protect your organization, Microsoft recommends the following risk policy configurations:

    • User risk policy
      • Require a secure password change when user risk level is High. Microsoft Entra multifactor authentication is required before the user can create a new password with password writeback to remediate their risk.
    • Sign-in risk policy
      • Require Microsoft Entra multifactor authentication when sign-in risk level is Medium or High, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.

    You can refer to the following document for step-by-step instructions on setting up user risk policies and sign-in risk policies:

    User Risk Policy and Sign-in Risk Policy Setup

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And if you have any further query, do let us know.

    Thanks,
    Raja Pothuraju.

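The same three risk-based policies the accepted answer describes (block at High sign-in risk, MFA at Medium/High sign-in risk, MFA plus password change at High user risk), as an added Microsoft Graph PowerShell example that is not part of the original thread. It assumes the Microsoft.Graph module is installed, that the `<BREAK_GLASS_GROUP_ID>` placeholder is replaced with your emergency-access group's object id, and it creates the policies in report-only state so you can review the impact in sign-in logs before enforcing them.

```powershell
# Added example (not from the thread): create risk-based Conditional Access
# policies with Microsoft Graph PowerShell. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<BREAK_GLASS_GROUP_ID>"   # placeholder: your emergency-access group

# Common scope: all users and all cloud apps, excluding the emergency-access group
$scope = @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    applications = @{ includeApplications = @("All") }
}

$policies = @(
    # 1. The policy from the question: "Block access" at High sign-in risk.
    #    Impossible travel is one of the detections that feeds the risk level;
    #    it is not a selectable condition on its own.
    @{
        displayName   = "CA - Block high sign-in risk"
        state         = "enabledForReportingButNotEnforced"   # report-only first
        conditions    = $scope + @{ signInRiskLevels = @("high") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    # 2. Recommended sign-in risk policy: MFA at Medium or High sign-in risk
    @{
        displayName   = "CA - Require MFA for medium or high sign-in risk"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $scope + @{ signInRiskLevels = @("medium", "high") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    # 3. Recommended user risk policy: MFA and a secure password change at High user risk
    @{
        displayName   = "CA - Require password change for high user risk"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $scope + @{ userRiskLevels = @("high") }
        grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}
```

Switch `state` to `enabled` once the report-only results in the sign-in logs look as expected; the password-change policy also needs password writeback (or cloud-only accounts) to remediate, as the answer notes.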

3 additional answers

  1. Kavya 0 Reputation points
    2024-07-27T12:53:53.2233333+00:00

    I think there is no direct option like 'impossible travel'. Risks such as risky IP address, impossible travel, and other 30+ risky factors are calculated under user risk/sign-in risk condition.


  2. Andy David - MVP 1.5L Reputation points MVP
    2024-07-28T14:40:41.8133333+00:00

  3. Andy David - MVP 1.5L Reputation points MVP
    2024-07-29T11:16:41.0833333+00:00

    If you want to block the risky logon, then block based on the risk level.


