ssc-spc-ccoe-cei / azure-guardrails-solution-accelerator

This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results.

GR 3: Conditional Access Policy for Cloud Console Access. (R) - Adding an Exclude Check #66

Closed MathesonSho closed 3 months ago

MathesonSho commented 8 months ago


Is your feature request related to a problem? Please describe.

Client is failing this control as they do not meet the criteria of the primary evaluation. The Conditional access policy that ONLY ALLOWS connections from the NamedLocation of Canada:

$locationBasedPolicies = $caps | Where-Object { $_.conditions.locations.includeLocations -in $validLocations.ID -and $_.state -eq 'enabled' }

See azure-cac-solution-v1.2.0\src\GUARDRAIL 3 CLOUD CONSOLE ACCESS\Audit

The client is meeting the logic using a 'deny', i.e., if it was written as ...

$locationBasedPolicies = $caps | Where-Object { $_.conditions.locations.excludeLocations -in $validLocations.ID -and $_.state -eq 'enabled' }

.... then they would pass.

Describe the solution you'd like

In order to ensure both approaches are accounted for, could we add an allow and a deny check: included locations and excluded locations for the NamedLocation of Canada. Then there are two opportunities to meet this recommended control.

Describe alternatives you've considered

Option 1: Add a check for the Deny All Except Canada logic after the current allow Canada only logic
Option 2: Developer ideas?

Additional context

This control could be more robust in future iterations where we check for more than the above/ have new use cases.

amrinderssc commented 7 months ago

dropping an idea to be considered before implementation - exclude "Canada" and action block
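The following is an added example, not code from the azure-guardrails-solution-accelerator repository, showing how a Guardrail 3 audit could accept both patterns discussed in this thread: the existing "allow only from the Canada named location" check, and the "exclude Canada and block" pattern suggested above. The function name, the `$caps` / `$validLocations` shapes and the sample policy objects are assumptions modelled on the Microsoft Graph conditionalAccessPolicy and namedLocation resources; the GUID is a made-up placeholder.

```powershell
# Added example (not part of the project). Evaluates Conditional Access policies
# against two acceptable patterns for restricting cloud console access to Canada:
#   1. Allow pattern : enabled policy whose includeLocations contains the Canada named
#      location (the check the Guardrail 3 audit performs today, per the issue).
#   2. Deny pattern  : enabled policy that targets 'All' locations, lists the Canada
#      named location in excludeLocations, and has a 'block' grant control.
# Assumption: a deny-all-except-Canada policy targets 'All' locations; a block policy
# scoped to some other single location would not express that intent.

function Test-CanadaLocationPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,        # conditional access policies ($caps in the issue)
        [Parameter(Mandatory)] [object[]] $ValidLocations   # Canada named location(s) ($validLocations in the issue)
    )

    $validIds = @($ValidLocations | ForEach-Object { $_.ID })

    # Report-only ('enabledForReportingButNotEnforced') and disabled policies do not enforce anything.
    $enabled = @($Policies | Where-Object { $_.state -eq 'enabled' })

    # Pattern 1: allow only from the Canada named location.
    # includeLocations is a collection, so test each element rather than the whole array.
    $allowPolicies = @($enabled | Where-Object {
        @($_.conditions.locations.includeLocations | Where-Object { $_ -in $validIds }).Count -gt 0
    })

    # Pattern 2: block every location except the Canada named location.
    $denyPolicies = @($enabled | Where-Object {
        ($_.conditions.locations.includeLocations -contains 'All') -and
        @($_.conditions.locations.excludeLocations | Where-Object { $_ -in $validIds }).Count -gt 0 -and
        ($_.grantControls.builtInControls -contains 'block')
    })

    [PSCustomObject]@{
        AllowPatternPolicies = @($allowPolicies | ForEach-Object { $_.displayName })
        DenyPatternPolicies  = @($denyPolicies  | ForEach-Object { $_.displayName })
        IsCompliant          = ($allowPolicies.Count + $denyPolicies.Count) -gt 0
    }
}

# Constructed sample data (placeholder GUID, not a real tenant value).
$canadaId = '00000000-0000-0000-0000-00000000c0de'

$validLocations = @(
    [PSCustomObject]@{ ID = $canadaId; displayName = 'Canada' }
)

$caps = @(
    [PSCustomObject]@{
        displayName   = 'Block access from outside Canada'
        state         = 'enabled'
        conditions    = [PSCustomObject]@{ locations = [PSCustomObject]@{ includeLocations = @('All'); excludeLocations = @($canadaId) } }
        grantControls = [PSCustomObject]@{ operator = 'OR'; builtInControls = @('block') }
    },
    [PSCustomObject]@{
        displayName   = 'Require MFA (any location)'
        state         = 'enabled'
        conditions    = [PSCustomObject]@{ locations = [PSCustomObject]@{ includeLocations = @('All'); excludeLocations = @() } }
        grantControls = [PSCustomObject]@{ operator = 'OR'; builtInControls = @('mfa') }
    },
    [PSCustomObject]@{
        displayName   = 'Allow Canada only (report-only draft)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = [PSCustomObject]@{ locations = [PSCustomObject]@{ includeLocations = @($canadaId); excludeLocations = @() } }
        grantControls = [PSCustomObject]@{ operator = 'OR'; builtInControls = @('mfa') }
    }
)

# With the sample data only the first policy qualifies (deny pattern); the report-only
# draft is ignored because it is not enforced, so IsCompliant is True via the deny pattern.
Test-CanadaLocationPolicy -Policies $caps -ValidLocations $validLocations | Format-List
```

Two points worth keeping in mind when wiring this into the real audit: the state check matters, since a report-only policy that looks correct does not restrict anything; and this example only inspects the location condition and grant controls, so a production check should also confirm the policy applies to the users and applications in scope for the console, otherwise a block policy scoped to a single test group would pass.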

github-actions[bot] commented 4 months ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.