How can I use policy and variable overrides to block access from specific geographies for individual accounts?
You can create a global Conditional Access policy in Microsoft Intune, integrated with Nerdio Manager for MSP, to block access from specific geographic locations. By using a location variable, you can define a policy template, deploy it across multiple customer accounts, and manage it centrally for scalability.
For this, complete the following steps:
Important! Policies are created in a “golden” tenant or within a customer’s Microsoft Intune environment, and then imported to Nerdio Manager. You can convert these policies to templates, deploy to customer accounts, and customize them to meet specific requirements. This helps prevent misconfiguration and reduces administrative effort.
Prerequisites
Ensure the following prerequisites are met:
Modern Work features enabled in your customer account(s). This is required for policy management.
Microsoft 365 Business Premium or higher, which includes Entra ID P1.
A "golden" tenant Microsoft Intune environment for policy creation and import in Nerdio Manager.
A named location (e.g., BlockedCountries) defined in Microsoft Intune.
A Conditional Access policy that references this named location in its Block condition.
Step 1: Create a named location and policy in Microsoft Intune
First, create a named location and the template policy in your Microsoft Intune admin center.
To create the named location and policy:
Sign in to Microsoft Intune admin center.
Create the named location:
Navigate to Endpoint Security > Conditional Access > Named locations.
Select + Countries location.
In the New location (Countries) pane, provide the following information:
Name: Enter a name, such as BlockedCountries, or any other name that meets your requirements.
Countries/Regions: Select the countries you wish to block initially. For details, see Reference: Country codes based on security risk levels.
Select Create.
Create a policy template to be assigned globally (to all customer accounts and users):
Navigate to Conditional Access > Policies, and select + New policy.
Enter the following information:
Name: Enter Global_Block_HighRiskCountries or [GLOBAL] [ALL USERS] Block Access from High-Risk Countries.
Example breakdown:
[GLOBAL]: Applies to all tenants.
[ALL USERS]: Applies to all users.
Title: Purpose of policy.
Users and groups: Select a group, pilot group, or users that you wish to assign.
Cloud apps or actions: Select All cloud apps.
Conditions: Under Locations, select Include > Selected locations, and then select the named location you created.
Grant: Select Block Access.
Enable policy: Set the policy to Report-only mode.
Select Create.
Step 2: Import the policy to Nerdio Manager
The next step is to import your template policy to Nerdio Manager for centralized management. The location variable, included in that policy, is also imported to Nerdio Manager.
In Nerdio Manager, at the MSP level, navigate to Policy Management > Conditional Access.
Select Import.
In the Import policies dialog box, provide the following information:
MSP: From the first drop-down list, select the tenant to import the policy from.
Available policy: Select your [Global] [ALL USERS] Block Access from High-Risk Countries policy.
Tags: Optionally, assign a tag for filtering.
Changelog: Enter a note like v1 - initial import.
Select Import.
Note: Once the policy is imported, the associated location variable becomes available in Nerdio Manager, under Settings > Variables > Location Variables.
To verify the name of the location variable:
Navigate to Policy Management > Conditional Access.
From the action menu next to the imported policy, select Edit.
On the Settings tab, locate and verify the variable name.
Step 3: Modify the imported location variable
Location variables in Nerdio Manager let you define reusable values (such as geographic regions or named locations) at the global MSP level, and apply them across customer accounts and policies. Creating these variables centrally lets you manage the list of blocked countries for all assigned customers from one place in Nerdio Manager.
If customization is needed, you can override this variable at the customer account level as described in Step 5: Adjust the variable for a customer account.
To modify the country list in the variable:
In Nerdio Manager, at the MSP level, navigate to Settings > Integrations.
In the Variables tile, find the location variable that corresponds to your named location. For example, BlockedCountries - [Global] StrictNoAccessCountryList.
Note: The location variable is imported directly from Microsoft, given a randomly assigned name and a unique identifier. It cannot be modified.
Next to the variable, select edit.
In the Edit location variable dialog box, do the following:
Display name: Optionally, update the variable name to be displayed in the named location.
Countries/Regions: Add or remove country codes. Use the comma-separated country codes from the reference table in Reference: Country codes based on security risk levels.
Select Save.
This change applies to the Conditional Access policy and affects all customer accounts where the policy is assigned and hasn't been overridden.
Step 4: Assign the policy to customer accounts
Finally, assign the global, MSP-level policy to your customer account(s).
To assign the policy to a customer account:
In Nerdio Manager, at the MSP level, navigate to Policy Management > Conditional Access.
Find your [Global] Block Access from High-Risk Countries policy and select Assign next to it.
On the Assignments tab, select Add assignments.
In the new dialog box, select the customer account(s) you wish to assign this policy to.
Select one of the following:
Overwrite: To update an assignment that already exists.
Add: To create a new assignment.
Select Confirm.
Define the following options based on your current phase:
State: Select whether you want the policy to be Report Only, Enabled, Disabled, or Keep policy state as in source.
Tip: For testing purposes, select Report Only.
Sync Type: Select Manual.
Direct Assign: Select Custom. This sets the group membership to None. Assignments must be made within the customer account.
Version: Select Latest or your current version.
Select Apply and Close.
Step 5: Adjust the variable for a customer account
Adjust the variable in your customer account to override the MSP-level value and reflect a unique list of countries.
To adjust the variable for a customer account:
At the account level, navigate to Settings > Integrations.
In the Variables tile, next to the variable you wish to adjust, select override.
In the new dialog box, in the Value field, specify a custom country list that applies only to this customer account.
Remove or add country codes based on the country list in Reference: Country codes based on security risk levels, then follow the Managing Conditional Access Policy template.
Tip: Use CTRL+F to find the required country code.
Select Re-publish policies assigned to this customer that contain this variable to rebuild the policies for this customer account. Only policies that contain this variable are rebuilt.
Note that clearing this option automatically removes the following option.
Select Also re-publish policies that have manual sync enabled to enforce this policy replication to the tenant, and activate it manually.
The following JSON is configured to block High and Moderate countries from the reference table below.
Navigate back to Named locations and verify the country code is added or removed from the list.
Note: It may take a few minutes to sync back to the Microsoft Admin Center.
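The verification in the last step can be scripted once the named location has been exported from the tenant. The following Python sketch is an added example, not Nerdio or Microsoft code: it resolves the effective list (an account override replaces the MSP-level value), compares it with a named location export, and flags blocked countries where the customer is known to operate. The sample values, the `must_allow` parameter, and the assumption that the export has the shape of a Microsoft Graph `countryNamedLocation` object are all constructed for illustration.

```python
import json
import re

CODE_RE = re.compile(r"^[A-Z]{2}$")  # two-letter country code shape

def parse_codes(value):
    """Parse a comma-separated variable value into a validated set of codes."""
    codes = {c.strip().upper() for c in value.split(",") if c.strip()}
    bad = sorted(c for c in codes if not CODE_RE.match(c))
    if bad:
        raise ValueError(f"not two-letter country codes: {bad}")
    return codes

def effective_block_list(msp_value, account_override=None):
    """An account-level override replaces the MSP-level value; it is not merged."""
    chosen = account_override if account_override is not None else msp_value
    return parse_codes(chosen)

def check_account(msp_value, account_override, named_location, must_allow=()):
    """Compare the intended block list with the tenant's named location."""
    intended = effective_block_list(msp_value, account_override)
    deployed = set(named_location.get("countriesAndRegions", []))
    return {
        # Codes the variable contains but the tenant does not block yet.
        "missing_in_tenant": sorted(intended - deployed),
        # Codes still blocked in the tenant although the variable dropped them.
        "unexpected_in_tenant": sorted(deployed - intended),
        # Blocked countries where this customer has users (assumed input).
        "lockout_risk": sorted(intended & set(must_allow)),
    }

# Constructed sample data: MSP-level value, an account override that
# removes MX, and a tenant export taken before the policy was re-published.
MSP_VALUE = "AF, IR, KP, RU, SY, BR, MX"
OVERRIDE = "AF,IR,KP,RU,SY,BR"
EXPORT = json.loads("""{
  "@odata.type": "#microsoft.graph.countryNamedLocation",
  "displayName": "BlockedCountries",
  "countriesAndRegions": ["AF", "IR", "KP", "RU", "SY", "BR", "MX"],
  "includeUnknownCountriesAndRegions": false
}""")

if __name__ == "__main__":
    print(check_account(MSP_VALUE, OVERRIDE, EXPORT, must_allow=["MX", "BR"]))
```

A non-empty `unexpected_in_tenant` or `missing_in_tenant` after the sync delay suggests the policy was not re-published for that account; a non-empty `lockout_risk` is a reason to keep the policy in Report Only until the override is corrected.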
Reference: Country codes based on security risk levels
This reference table provides a comprehensive list of countries along with their corresponding country codes and assigned security risk levels.
| Country name | Country code | Risk level |
|---|---|---|
| Afghanistan | AF | High |
| Angola | AO | High |
| Armenia | AM | High |
| Bangladesh | BD | High |
| Bolivia | BO | High |
| Brazil | BR | High |
| Burkina Faso | BF | High |
| Burundi | BI | High |
| Cameroon | CM | High |
| Central African Republic | CF | High |
| Chad | TD | High |
| Colombia | CO | High |
| Democratic Republic of the Congo | CD | High |
| Ecuador | EC | High |
| Egypt | EG | High |
| El Salvador | SV | High |
| Eritrea | ER | High |
| Ethiopia | ET | High |
| Guatemala | GT | High |
| Guinea-Bissau | GW | High |
| Haiti | HT | High |
| Honduras | HN | High |
| Iran | IR | High |
| Iraq | IQ | High |
| Israel | IL | High |
| Jamaica | JM | High |
| Kenya | KE | High |
| Lebanon | LB | High |
| Libya | LY | High |
| Mali | ML | High |
| Mexico | MX | High |
| Mozambique | MZ | High |
| Myanmar | MM | High |
| Nicaragua | NI | High |
| Niger | NE | High |
| Nigeria | NG | High |
| North Korea | KP | High |
| Pakistan | PK | High |
| Palestinian Territories | PS | High |
| Papua New Guinea | PG | High |
| Philippines | PH | High |
| Russia | RU | High |
| Somalia | SO | High |
| South Africa | ZA | High |
| South Sudan | SS | High |
| Sudan | SD | High |
| Syria | SY | High |
| Trinidad and Tobago | TT | High |
| Turkey | TR | High |
| Ukraine | UA | High |
| Venezuela | VE | High |
| Western Sahara | EH | High |
| Yemen | YE | High |
| British Virgin Islands | VG | High |
| Albania | AL | Moderate |
| Argentina | AR | Moderate |
| Azerbaijan | AZ | Moderate |
| Bahamas | BS | Moderate |
| Bahrain | BH | Moderate |
| Belize | BZ | Moderate |
| Benin | BJ | Moderate |
| Bosnia and Herzegovina | BA | Moderate |
| Bulgaria | BG | Moderate |
| Cambodia | KH | Moderate |
| China | CN | Moderate |
| Comoros | KM | Moderate |
| Cote d’Ivoire | CI | Moderate |
| Cuba | CU | Moderate |
| Curacao | CW | Moderate |
| Djibouti | DJ | Moderate |
| Dominican Republic | DO | Moderate |
| Equatorial Guinea | GQ | Moderate |
| Eswatini | SZ | Moderate |
| French Guiana | GF | Moderate |
| Gambia | GM | Moderate |
| Georgia | GE | Moderate |
| Greece | GR | Moderate |
| Guadeloupe | GP | Moderate |
| Guyana | GY | Moderate |
| Hong Kong | HK | Moderate |
| India | IN | Moderate |
| Indonesia | ID | Moderate |
| Kazakhstan | KZ | Moderate |
| Kosovo | XK | Moderate |
| Kuwait | KW | Moderate |
| Kyrgyzstan | KG | Moderate |
| Laos | LA | Moderate |
| Lesotho | LS | Moderate |
| Liberia | LR | Moderate |
| Madagascar | MG | Moderate |
| Malawi | MW | Moderate |
| Malaysia | MY | Moderate |
| Maldives | MV | Moderate |
| Martinique | MQ | Moderate |
| Mauritania | MR | Moderate |
| Mayotte | YT | Moderate |
| Moldova | MD | Moderate |
| Montenegro | ME | Moderate |
| Morocco | MA | Moderate |
| Nepal | NP | Moderate |
| New Caledonia | NC | Moderate |
| Panama | PA | Moderate |
| Paraguay | PY | Moderate |
| Peru | PE | Moderate |
| Puerto Rico | PR | Moderate |
| Republic of the Congo | CG | Moderate |
| Réunion | RE | Moderate |
| Romania | RO | Moderate |
| Saint Kitts and Nevis | KN | Moderate |
| Saint Lucia | LC | Moderate |
| Saint Martin | MF | Moderate |
| Saint Vincent and the Grenadines | VC | Moderate |
| Saudi Arabia | SA | Moderate |
| Serbia | RS | Moderate |
| Sierra Leone | SL | Moderate |
| Sint Maarten | SX | Moderate |
| Solomon Islands | SB | Moderate |
| Sri Lanka | LK | Moderate |
| Suriname | SR | Moderate |
| Tajikistan | TJ | Moderate |
| Tanzania | TZ | Moderate |
| Thailand | TH | Moderate |
| Timor-Leste | TL | Moderate |
| Togo | TG | Moderate |
| Tunisia | TN | Moderate |
| Turkmenistan | TM | Moderate |
| Turks and Caicos Islands | TC | Moderate |
| Uganda | UG | Moderate |
| Uzbekistan | UZ | Moderate |
| Vietnam | VN | Moderate |
| Zambia | ZM | Moderate |
| Zimbabwe | ZW | Moderate |
| Andorra | AD | Low |
| United Arab Emirates | AE | Low |
| Antigua and Barbuda | AG | Low |
| Australia | AU | Low |
| Austria | AT | Low |
| Barbados | BB | Low |
| Belgium | BE | Low |
| Bermuda | BM | Low |
| Bhutan | BT | Low |
| Bonaire | BQ | Low |
| Botswana | BW | Low |
| British Indian Ocean Territory | IO | Low |
| Brunei | BN | Low |
| Canada | CA | Low |
| Cayman Islands | KY | Low |
| Chile | CL | Low |
| Christmas Island | CX | Low |
| Cocos Islands | CC | Low |
| Cook Islands | CK | Low |
| Costa Rica | CR | Low |
| Croatia | HR | Low |
| Cyprus | CY | Low |
| Czech Republic | CZ | Low |
| Denmark | DK | Low |
| Dominica | DM | Low |
| Estonia | EE | Low |
| Falkland Islands | FK | Low |
| Faroe Islands | FO | Low |
| Fiji | FJ | Low |
| Finland | FI | Low |
| France | FR | Low |
| French Polynesia | PF | Low |
| French Southern Territories | TF | Low |
| Germany | DE | Low |
| Ghana | GH | Low |
| Gibraltar | GI | Low |
| Greenland | GL | Low |
| Grenada | GD | Low |
| Guam | GU | Low |
| Guernsey | GG | Low |
| Holy See | VA | Low |
| Hungary | HU | Low |
| Iceland | IS | Low |
| Ireland | IE | Low |
| Isle of Man | IM | Low |
| Italy | IT | Low |
| Japan | JP | Low |
| Jersey | JE | Low |
| Jordan | JO | Low |
| Kiribati | KI | Low |
| South Korea | KR | Low |
| Latvia | LV | Low |
| Liechtenstein | LI | Low |
| Lithuania | LT | Low |
| Luxembourg | LU | Low |
| Macao | MO | Low |
| Malta | MT | Low |
| Marshall Islands | MH | Low |
| Mauritius | MU | Low |
| Micronesia | FM | Low |
| Monaco | MC | Low |
| Mongolia | MN | Low |
| Montserrat | MS | Low |
| Namibia | NA | Low |
| Nauru | NR | Low |
| Netherlands | NL | Low |
| New Zealand | NZ | Low |
| Niue | NU | Low |
| Norfolk Island | NF | Low |
| Northern Mariana Islands | MP | Low |
| Norway | NO | Low |
| Oman | OM | Low |
| Palau | PW | Low |
| Pitcairn | PN | Low |
| Poland | PL | Low |
| Portugal | PT | Low |
| Qatar | QA | Low |
| Rwanda | RW | Low |
| Saint Barthelemy | BL | Low |
| Saint Helena | SH | Low |
| Saint Pierre and Miquelon | PM | Low |
| Samoa | WS | Low |
| San Marino | SM | Low |
| Sao Tome and Príncipe | ST | Low |
| Seychelles | SC | Low |
| Singapore | SG | Low |
| Slovakia | SK | Low |
| Slovenia | SI | Low |
| Spain | ES | Low |
| Svalbard | SJ | Low |
| Sweden | SE | Low |
| Switzerland | CH | Low |
| Taiwan | TW | Low |
| Tokelau | TK | Low |
| Tonga | TO | Low |
| Tuvalu | TV | Low |
| United Kingdom | GB | Low |
| Uruguay | UY | Low |
| US Minor Outlying Islands | UM | Low |
| Vanuatu | VU | Low |
| Wallis and Futuna | WF | Low |