UNBLOCK a Requestor from Logins at Blocked Locations


The quickest way to allow a User or Azure Endpoint Device to roam globally is to ADD that entity to our defined Security Groups:

  • SG_Traveling_Users - Add Requestors currently in Travel
  • SG_Traveling_Devices - Add Intune Devices currently in Travel, to authorize a device exception regardless of user


These groups are added as exclusions in the Conditional Access policy, which makes it easy to avoid mistaken edits to the Company-wide Policy.
Performing these changes manually is described below for reference.


Policy changes are immediately effective and cannot be scheduled automatically.
Policy changes should be made at end-of-business on the day prior to the Start of Travel Date, and at end-of-business on the day notified as the End of Travel Date.
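
Because the changes cannot be scheduled, a periodic comparison of group membership against approved travel requests shows who is due to be added and which exclusions are stale. The following is an added example, not part of the original procedure; the 17:00 end-of-business time, the request tuple format and the sample addresses are assumptions constructed for illustration.

```python
from datetime import date, datetime, time, timedelta

EOB = time(17, 0)  # assumption: the procedure does not define end-of-business


def exclusion_window(start, end, eob=EOB):
    """Window in which a traveler belongs in the exclusion group:
    opens at EOB the day before travel starts, closes at EOB on the end date."""
    return (datetime.combine(start - timedelta(days=1), eob),
            datetime.combine(end, eob))


def reconcile(requests, members, now):
    """Compare approved travel requests with current group membership.

    requests: iterable of (user, start_date, end_date)
    members:  users currently in SG_Traveling_Users (or SG_Traveling_Devices)
    Returns (to_add, to_remove) as sorted lists; to_remove covers both
    expired travel and members with no travel request on record.
    """
    entitled = set()
    for user, start, end in requests:
        if end < start:
            raise ValueError(f"travel ends before it starts for {user}")
        opens, closes = exclusion_window(start, end)
        if opens <= now < closes:
            entitled.add(user)
    members = set(members)
    return sorted(entitled - members), sorted(members - entitled)


# Constructed sample data (not real accounts)
REQUESTS = [
    ("alice@example.com", date(2024, 6, 10), date(2024, 6, 14)),
    ("bob@example.com",   date(2024, 6, 3),  date(2024, 6, 7)),
    ("carol@example.com", date(2024, 6, 12), date(2024, 6, 20)),
]
MEMBERS = {"bob@example.com", "dave@example.com"}

if __name__ == "__main__":
    to_add, to_remove = reconcile(REQUESTS, MEMBERS, datetime(2024, 6, 9, 18, 0))
    print("add to group:     ", to_add)
    print("remove from group:", to_remove)
```
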



UNBLOCK a Country from Blocked Locations


  1. Go to Microsoft Entra Named Locations

  2. Review the Countries List and UNCHECK the Country of Travel.
    When Travel has concluded, CHECK (re-Block) that Country.


This setting blocks IP addresses with a registered location in that country/region from accessing Microsoft 365.
This level of exclusion or inclusion applies to all accounts and not to a single Requestor or Connected Device.
This policy defines the outer overall boundary limit for all connections with Randolph.



Enabling a User to Roam Globally


If a Requestor is traveling across the globe (several countries), they can be EXCLUDED as a user.
This approach avoids exposing all other accounts in the Domain to global access.


  1. Go to Microsoft 365 Admin to update the Deny Access from Blocked Locations Conditional Access Policy
    Policy Link




  2. Extend the excluded USERS list to include the Traveler, then remove them at the conclusion of their Travels.




This option should be used for users who are often or always on global travel (sales, etc.).