Process - Conditional Access for Work from home outside of the UK and Ireland
Staff who wish to work from outside the UK and Ireland for short periods of time must complete a Working From Abroad request form, which is available on the Security Services Portal. The request must be supported by the requester's line manager and approved by the relevant ELT member before the Cyber Team can action it.
The activation and deactivation of remote working is handled by the Cyber Team, who will actively manage it from the day before the person leaves to the day after they return.
------
Cyber Security receives tickets via the security portal for users who request to work from abroad.
In the 365 Azure Tenant there are Conditional Access rules which block cloud (e.g. Exchange, SSO) logins if the user is attempting to log in from a non-exempted country. This is to mitigate logins and malicious brute force attacks from these non-exempted countries.
Additionally, to assist Microsoft's automated security, risk and behavior analysis, Cyber Security needs to update the user's work location (Usage Location) in AAD/Entra ID to the country that the user will be working in. This will help lessen false positive security alerts.
NOTE: As requests can sometimes be approved months in advance, when a request has been approved by the relevant ELT member, the Cyber Team should create calendar invites for the start and end dates of the work from abroad period and send them to the other team members. These serve as a reminder in the team members' calendars.
Countries already in Conditional Access Exception List
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Gibraltar, Greece, Guernsey, Hungary, Ireland, Isle of Man, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom
Process
1. Usage Location
1. Go to Entra ID - Users - https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/
2. Search for the User and select User

3. Click on Edit Properties

4. Update Usage Location to Destination and Save

2. Conditional Access
1. Check whether the country is on the Exception List. If it is not, proceed with the following:
2. Go to Conditional Access in the 365 Azure Tenant - https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview
3. Go to Policies
4. Select “Conditional Access – GeoBlock”

5. Select “All users included and specific users excluded”
6. Select “Exclude”
7. Click on “X users”
8. Search for the user, check their checkbox and then click on Select.
9. Save the changes

____________________________________________________________________________________________________________
When the user is back in the UK, Cyber Security needs to remove the user from the Conditional Access exception list and change the Usage Location back to the UK.
1. Go to Entra ID - Users - https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/
2. Search for the User and select User
3. Click on Edit Properties
4. Update Usage Location back to United Kingdom and Save
1. Go to Conditional Access in the 365 Azure Tenant - https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview
2. Go to Policies
3. Select “Conditional Access – GeoBlock”
4. Select “All users included and specific users excluded” then click on “Exclude”
5. Click on the 3 dots next to the user, then remove
6. Save the changes
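A periodic check that the activation and deactivation steps above were actually carried out, as an added example that is not part of the original process. It compares the users currently excluded from “Conditional Access – GeoBlock” and their Usage Location against the approved requests. The record shape, the function names, the inclusive date window and the use of country names for Usage Location are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Exception list exactly as given on this page.
EXCEPTION_LIST = {c.strip() for c in (
    "Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, "
    "Finland, France, Germany, Gibraltar, Greece, Guernsey, Hungary, Ireland, "
    "Isle of Man, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, "
    "Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, "
    "Spain, Sweden, Switzerland, United Kingdom").split(",")}

@dataclass(frozen=True)
class Request:  # one approved Working From Abroad request (hypothetical record shape)
    upn: str
    country: str
    leaves: date
    returns: date
    def active(self, today):
        # Managed from the day before leaving to the day after return (assumed inclusive).
        return self.leaves - timedelta(days=1) <= today <= self.returns + timedelta(days=1)

def reconcile(requests, excluded, usage, today, home="United Kingdom"):
    """Return the changes needed so the tenant matches the approved requests."""
    live = {r.upn: r for r in requests if r.active(today)}
    want_excluded = {u for u, r in live.items() if r.country not in EXCEPTION_LIST}
    fix_usage = {}
    for upn in sorted(set(usage) | set(live)):
        want = live[upn].country if upn in live else home
        if usage.get(upn) != want:
            fix_usage[upn] = want
    return {
        "remove_exclusion": sorted(set(excluded) - want_excluded),  # no active request
        "add_exclusion": sorted(want_excluded - set(excluded)),     # travelling, still blocked
        "fix_usage": fix_usage,                                     # upn -> correct location
    }

# Constructed sample data, not real users.
TODAY = date(2025, 3, 10)
REQUESTS = [
    Request("a@example.org", "Canada", date(2025, 3, 5), date(2025, 3, 20)),
    Request("b@example.org", "France", date(2025, 3, 8), date(2025, 3, 15)),
    Request("c@example.org", "Japan", date(2025, 2, 1), date(2025, 2, 14)),
    Request("d@example.org", "India", date(2025, 3, 11), date(2025, 3, 25)),
]
EXCLUDED = ["a@example.org", "c@example.org"]  # current GeoBlock exclusions
USAGE = {"a@example.org": "Canada", "b@example.org": "United Kingdom",
         "c@example.org": "Japan", "d@example.org": "United Kingdom"}

if __name__ == "__main__":
    print(reconcile(REQUESTS, EXCLUDED, USAGE, TODAY))
```

Accounts listed under remove_exclusion have no active approved request behind their exclusion; confirm each one before removing it from the policy.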
