Export Conditional Access Named Locations Using PowerShell


Named locations can be used in Conditional Access rules to block or allow countries, based on a lookup of the client IP address in a geolocation database. Whilst the lookup is not always accurate, and can be bypassed by using a VPN or a virtual machine in an allowed location, named locations do have their uses as a basic block on where services can be consumed from.

Unfortunately the list of countries is not easy to export (you cannot display just those selected, or easily copy and paste from the list). So these few lines of Microsoft Graph PowerShell will export a list of the countries in alphabetical order from a named location called “Untrusted Countries”:

Connect-mgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# Use this to get a list of named locations
# Get-MgIdentityConditionalAccessNamedLocation

$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "DisplayName eq 'Untrusted Countries'"

# Sort-Object is used rather than the "sort" alias, which only exists on Windows
$location.AdditionalProperties.countriesAndRegions | Sort-Object

This returns the two-letter ISO code of each country in the list. A longer version of the script, which includes a lookup for each two-letter code, produces better output. This example script contains only some countries, not all ~290 that exist; you need to add the remaining countries to your own script:

Connect-mgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# Use this to get a list of named locations
# Get-MgIdentityConditionalAccessNamedLocation

$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "DisplayName eq 'Untrusted Countries'"

# Sort-Object is used rather than the "sort" alias, which only exists on Windows
$countries = $location.AdditionalProperties.countriesAndRegions | Sort-Object
$countryMissing = $false
$countryInfo = @{
    "AL" = @("Albania", "8");
    "AR" = @("Argentina", "32");
    "AU" = @("Australia", "36");
    "AT" = @("Austria", "40");
    "BY" = @("Belarus", "112");
    "BE" = @("Belgium", "56");
    "BR" = @("Brazil", "76");
    "BG" = @("Bulgaria", "100");
    "CA" = @("Canada", "124");
    "CL" = @("Chile", "152");
    "CN" = @("China", "156");
    "CO" = @("Colombia", "170");
    "CR" = @("Costa Rica", "188");
    "HR" = @("Croatia", "191");
    "CZ" = @("Czech Republic", "203");
    "DK" = @("Denmark", "208");
    "EE" = @("Estonia", "233");
    "FI" = @("Finland", "246");
    "FR" = @("France", "250");
    "DE" = @("Germany", "276");
    "GR" = @("Greece", "300");
    "HK" = @("Hong Kong", "344");
    "HU" = @("Hungary", "348");
    "IN" = @("India", "356");
    "ID" = @("Indonesia", "360");
    "IE" = @("Ireland", "372");
    "IT" = @("Italy", "380");
    "JP" = @("Japan", "392");
    "KZ" = @("Kazakhstan", "398");
    "KP" = @("Democratic People's Republic of Korea", "408");
    "KR" = @("Republic of Korea", "410");
    "LV" = @("Latvia", "428");
    "LT" = @("Lithuania", "440");
    "MY" = @("Malaysia", "458");
    "MX" = @("Mexico", "484");
    "ME" = @("Montenegro", "499");
    "NL" = @("Netherlands", "528");
    "NZ" = @("New Zealand", "554");
    "NO" = @("Norway", "578");
    "PK" = @("Pakistan", "586");
    "PA" = @("Panama", "591");
    "PE" = @("Peru", "604");
    "PH" = @("Philippines", "608");
    "PL" = @("Poland", "616");
    "PT" = @("Portugal", "620");
    "RO" = @("Romania", "642");
    "RU" = @("Russian Federation", "643");
    "SA" = @("Saudi Arabia", "682");
    "RS" = @("Serbia", "688");
    "SG" = @("Singapore", "702");
    "SK" = @("Slovakia", "703");
    "ZA" = @("South Africa", "710");
    "ES" = @("Spain", "724");
    "SE" = @("Sweden", "752");
    "CH" = @("Switzerland", "756");
    "TW" = @("Taiwan, Province of China", "158");
    "TH" = @("Thailand", "764");
    "TR" = @("Turkiye", "792");
    "UA" = @("Ukraine", "804");
    "AE" = @("United Arab Emirates", "784");
    "GB" = @("United Kingdom", "826");
    "US" = @("United States", "840");
    "VN" = @("VietNam", "704")} # TODO: modify me

Write-Host "Found" $countries.Count "countries"

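foreach ($country in $countries) {
	# Look the code up explicitly instead of relying on an exception for missing entries
	if ($countryInfo.ContainsKey($country)) {
		Write-Host "$country,$($countryInfo[$country][0])"
	}
	else {
		# Code is not in the lookup table: print the bare code and flag it
		Write-Host $country
		$countryMissing = $true
	}
}

if ($countryMissing) {
	Write-Host "Some of the countries are not in the example list in script - update script to include these countries."
}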
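
As an added example (not part of the original script), the hand-maintained lookup table can be replaced by .NET's built-in region data, and the export extended to every country-based named location in the tenant. The function name Get-CountryLocationReport and the sample object are constructed for illustration; the sample mimics the shape returned by Get-MgIdentityConditionalAccessNamedLocation so the block runs without a tenant.

```powershell
# Added example: resolve ISO codes with .NET RegionInfo instead of a hand-built table.
function Get-CountryLocationReport {
    param([Parameter(Mandatory)][object[]]$NamedLocation)

    foreach ($loc in $NamedLocation) {
        $props = $loc.AdditionalProperties
        # IP-range locations have no countriesAndRegions; report country locations only.
        if ($props['@odata.type'] -ne '#microsoft.graph.countryNamedLocation') { continue }

        foreach ($code in ($props['countriesAndRegions'] | Sort-Object)) {
            try {
                $name = [System.Globalization.RegionInfo]::new($code).EnglishName
            }
            catch {
                # The local .NET runtime does not recognise this code; keep the row anyway.
                $name = '(name not resolved)'
            }
            [pscustomobject]@{
                Location       = $loc.DisplayName
                Code           = $code
                Country        = $name
                # True when IPs that map to no country are treated as part of this location.
                IncludeUnknown = [bool]$props['includeUnknownCountriesAndRegions']
            }
        }
    }
}

# Constructed sample input, shaped like the Graph SDK output (not real tenant data).
$sample = [pscustomobject]@{
    DisplayName          = 'Untrusted Countries'
    AdditionalProperties = @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        countriesAndRegions               = @('RU', 'KP', 'BY')
        includeUnknownCountriesAndRegions = $true
    }
}
Get-CountryLocationReport -NamedLocation $sample | Format-Table -AutoSize

# Against a live tenant, after Connect-MgGraph -Scopes "Policy.Read.All":
# Get-CountryLocationReport -NamedLocation (Get-MgIdentityConditionalAccessNamedLocation -All) |
#     Export-Csv -Path .\named-locations.csv -NoTypeInformation
```

The country names come from the local .NET runtime, so they may differ in wording from the names shown in the portal.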

Photo by Lara Jameson: https://www.pexels.com/photo/yellow-flag-pinned-in-brazil-8828319/

