Process - Conditional Access for Work from home outside of the UK
**Addendum, Feb 2024.** We have created a new service item in the Security Services Portal called "Activate Working Abroad", which changes the process slightly. Now, when a user obtains permission from HR/Line Management, we ask them to fill out the request, which can be found here: Activate Remote Working : Marie Curie
The activation and deactivation of remote working is handled by Cybersecurity. Our relationship now changes so that we support the user's access directly while they work abroad; they can update us on any problems through the Freshservice ticket (no need to go through IT).
The SNOW ticket will be modified in the coming months, or removed altogether. In the interim we can leave a note that the management of access has moved to Cyber, and if users report problems to IT they can be passed to cybersecurity@security.mariecurie.org.uk for attention.
This will be refined as IG work out how much information they want to collect and how decisions on permission are made. Cyber will take over the process once the decision has been made and will actively manage it from the day before the person leaves to the day after they return.
------
Cyber Security receives tickets via the security portal for users who request to work from abroad.
In the 365 Azure tenant there are Conditional Access rules which block cloud (e.g. Exchange, SSO) logins if the user is attempting to log in from a non-exempted country. This mitigates malicious logins and brute-force attacks originating from those non-exempted countries.
Additionally, to assist Microsoft's automated security, risk and behaviour analysis, Cyber Security needs to update the usage location in AAD/Entra ID to the country the user will be working in. This helps reduce false-positive security alerts.
Countries already in Conditional Access Exception List
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Gibraltar, Greece, Guernsey, Hungary, India, Ireland, Isle of Man, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom
Process
1. Usage Location
1. Go to Entra ID - Users - https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/
2. Search for the User and select User
3. Click on Edit Properties
4. Update Usage Location to Destination and Save
2. Conditional Access
1. Check whether the country is on the Exception List above. If it is, no Conditional Access change is needed; if not, proceed with the following:
2. Go to Conditional Access in the 365 Azure Tenant - https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview
3. Go to Policies
4. Select “Conditional Access – GeoBlock”
5. Select “All users included and specific users excluded”
6. Select “Exclude”
7. Click on “X users”
8. Search for the user, check their checkbox and then click on select.
9. Save the changes
____________________________________________________________________________________________________________
When the user is back in the UK, Cyber Security needs to remove the user from the Conditional Access exception list and change the Usage Location back to the UK.
1. Usage Location
1. Go to Entra ID - Users - https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/
2. Search for the User and select User
3. Click on Edit Properties
4. Update Usage Location back to United Kingdom and Save
2. Conditional Access
1. Go to Conditional Access in the 365 Azure Tenant - https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview
2. Go to Policies
3. Select “Conditional Access – GeoBlock”
4. Select “All users included and specific users excluded” then click on “Exclude”
5. Click on the 3 dots next to the user, then remove
6. Save the changes
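Both procedures on this page (the activation above and the reversal), as an added PowerShell example using the Microsoft Graph PowerShell SDK; this is not the team's own tooling. It assumes the policy display name “Conditional Access – GeoBlock” as given on this page, that the tenant's exception list matches the countries listed above (written here as ISO 3166-1 alpha-2 codes), and a placeholder UPN user@example.org.

```powershell
# Added example (not from the original process page): automates steps 1 and 2 above and the
# reversal below with the Microsoft Graph PowerShell SDK. Assumed: the policy name
# "Conditional Access – GeoBlock" from this page, and that the tenant's exemption list matches
# the countries listed above (written here as ISO 3166-1 alpha-2 codes).
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$GeoBlockPolicyName = "Conditional Access – GeoBlock"
$ExemptCountries = @("AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GI","GR","GG","HU",
                     "IN","IE","IM","IT","JE","LV","LI","LT","LU","MT","MC","NL","NO","PL","PT",
                     "RO","SK","SI","ES","SE","CH","GB")

function Set-GeoBlockExclusion {
    param([string]$UserId, [switch]$Remove)
    $policy = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -eq $GeoBlockPolicyName }
    if (-not $policy) { throw "Policy '$GeoBlockPolicyName' not found" }
    $u = $policy.Conditions.Users
    function L($x) { @($x | Where-Object { $null -ne $_ }) }   # null-safe copy of a list
    $excluded = @(L $u.ExcludeUsers | Where-Object { $_ -ne $UserId })  # drop the user (and dupes)
    if (-not $Remove) { $excluded += $UserId }                         # re-add unless reverting
    # PATCH the complete users block so none of the other include/exclude lists is dropped.
    $users = @{
        includeUsers  = (L $u.IncludeUsers);  excludeUsers  = $excluded
        includeGroups = (L $u.IncludeGroups); excludeGroups = (L $u.ExcludeGroups)
        includeRoles  = (L $u.IncludeRoles);  excludeRoles  = (L $u.ExcludeRoles)
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ conditions = @{ users = $users } }
}

function Enable-WorkingAbroad {
    param([string]$UserPrincipalName, [string]$CountryCode)   # CountryCode e.g. "AU"
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id
    Update-MgUser -UserId $user.Id -UsageLocation $CountryCode           # step 1: Usage Location
    if ($ExemptCountries -contains $CountryCode) {                      # step 2.1: already exempt
        Write-Host "$CountryCode is already on the exception list; no Conditional Access change"
        return
    }
    Set-GeoBlockExclusion -UserId $user.Id                               # steps 2.2-2.9
}

function Disable-WorkingAbroad {
    param([string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id
    Update-MgUser -UserId $user.Id -UsageLocation "GB"                   # back to United Kingdom
    Set-GeoBlockExclusion -UserId $user.Id -Remove                       # no-op if never excluded
}

# Constructed placeholder UPN:
# Enable-WorkingAbroad -UserPrincipalName "user@example.org" -CountryCode "AU"
```

On the user's return, run Disable-WorkingAbroad with the same UPN; it reverts the usage location and removes the exclusion in one step.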