Control: Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
Configures auditing against a CIS Benchmark item.
Level: 2
CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.
Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.
Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v5.0 > Maximum Attestation Duration
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered > Attestation
- Azure > CIS v5.0
- Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered
- Azure > CIS v5.0 > 5 - Identity Services
- Azure > CIS v5.0 > 5 - Identity Services > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv5-0#/control/types/r050202
- tmod:@turbot/cis#/control/categories/v071201
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv5-0#/control/types/r050202"
Get Controls