Conditional Access - Vacation Mode

We have a geo-filtering conditional access policy deployed at all clients that blocks any sign-in attempt from outside of the Approved Countries list. If a client is traveling internationally, they are required to inform us ahead of time so we can temporarily exclude them from this policy.

The “Vacation Mode” feature would allow technicians to schedule a temporary CA policy exclusion for the traveling user for the duration of their travel. This would have multiple benefits for us:

  • We can schedule the exclusion ahead of time so we don't need to be around when the user leaves/returns to make the changes
  • It removes human error from the equation (technicians forgetting to remove the exclusion)

Additionally, the "Vacation Mode" feature not only needs to adjust the CA policy in the tenant but also needs to temporarily accept drift on the CA policy in Nerdio at the same time. This is important because if my other feature request gets adopted (Conditional Access - User/Group Assignments), then if we use other tools to temporarily exclude the user from the CA policy (like CIPP, which we currently use), Nerdio would just overwrite it.

 

Lastly, this is a stretch goal for this request - Let's say a client, John Smith, informs us that he will be traveling to France & Germany next week. Our current workflow of excluding him from the geo-filtering CA policy doesn't just open up France & Germany for him; it opens up every country in the world. The "Vacation Mode" feature could go a step further and perform the following:

  • When John Smith is scheduled to depart:
    1. Create a temporary Named Location that includes France & Germany
    2. Create a temporary CA policy that targets John Smith and blocks sign-ins from any country except those on the Approved Countries list plus the temporary list created in step 1
    3. Exclude him from the geo-filtering CA policy
  • When John Smith is scheduled to return:
    1. Remove him from the exclusion list on the geo-filtering CA policy
    2. Delete the temporary Named Location and CA policy

This would MASSIVELY improve the security posture of this workflow by ensuring that users are only allowed to access their account from a strict list of approved countries.

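The departure and return steps listed in the request, laid out as an ordered plan of Microsoft Graph conditional access calls. This is an added example, not Nerdio's or the poster's code. It only builds the request bodies and sends nothing; the function names, the placeholder IDs, and the use of the Graph v1.0 `identity/conditionalAccess` endpoints with two-letter country codes are assumptions.

```python
"""Call plans for a scoped travel exception (added example, hypothetical names)."""
import copy

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"
TEMP_LOCATION_REF = "<temp-location-id>"  # placeholder: id returned by the first POST

def patch_excludes(geo_policy_id, geo_users, excludes):
    # Read-modify-write: send the whole users condition back so the include
    # and exclude lists already on the geo-filtering policy are preserved.
    users = copy.deepcopy(geo_users)
    users["excludeUsers"] = excludes
    return ("PATCH", f"{GRAPH}/policies/{geo_policy_id}", {"conditions": {"users": users}})

def departure_plan(user_id, travel_countries, approved_location_id, geo_policy_id, geo_users):
    """Steps 1-3 for the scheduled departure, in the order they must run."""
    temp_location = {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": f"TEMP travel - {user_id}",
        "countriesAndRegions": sorted(travel_countries),
        "includeUnknownCountriesAndRegions": False,
    }
    temp_policy = {
        "displayName": f"TEMP geo block - {user_id}",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [user_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Block everywhere except the approved list plus the travel list.
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [approved_location_id, TEMP_LOCATION_REF]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    excludes = sorted(set(geo_users.get("excludeUsers", [])) | {user_id})
    # The exclusion runs last, so the user is never left without a geo block.
    return [("POST", f"{GRAPH}/namedLocations", temp_location),
            ("POST", f"{GRAPH}/policies", temp_policy),
            patch_excludes(geo_policy_id, geo_users, excludes)]

def return_plan(user_id, geo_policy_id, geo_users, temp_policy_id, temp_location_id):
    """Return steps: restore the main policy first, then remove the temporary objects."""
    excludes = [u for u in geo_users.get("excludeUsers", []) if u != user_id]
    # Delete the temporary policy before the location it references.
    return [patch_excludes(geo_policy_id, geo_users, excludes),
            ("DELETE", f"{GRAPH}/policies/{temp_policy_id}", None),
            ("DELETE", f"{GRAPH}/namedLocations/{temp_location_id}", None)]
```

A scheduler would run `departure_plan` and `return_plan` at the travel start and end times, substituting the IDs returned by the two POST calls for the placeholders.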

Comments (2 comments)

Carl Long
We appreciate your feature request—community input is essential to our ongoing development.

Next steps:
     • We will review your suggestion and update its status during the evaluation process.
     • If further clarification is needed, we'll contact you via comments.

We also encourage others to contribute through feedback and voting.
Adam Atwell
This is one of the only practical uses on another product we have today. Would love to shut down that dependency! I thought this feature was requested elsewhere before, no?