Named locations can be used in Conditional Access rules to block or allow sign-ins by country, with the client IP address resolved against a geo-lookup database. Whilst not always accurate, and bypassable by a VPN or a virtual machine in an allowed location, they are still useful as a basic control over where services can be consumed from.
Unfortunately the list of countries is not easy to export (you cannot display just the selected countries, or copy and paste easily from the list). So, these few lines of Microsoft Graph PowerShell will export a list of the countries, in alphabetical order, from a named location called “Untrusted Countries”:
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Use this to get a list of named locations
# Get-MgIdentityConditionalAccessNamedLocation
$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "DisplayName eq 'Untrusted Countries'"
# Sort-Object rather than the "sort" alias, which is not defined in PowerShell on Linux/macOS
$location.AdditionalProperties.countriesAndRegions | Sort-Object
This will return the two-letter ISO 3166 code of each country in the list. A longer version of the script, which includes a lookup for each two-letter code, produces a more readable output. The example script below does not list any countries: all ~290 that exist will be needed in your own script. You can download the country array list from https://c7solutions.com/downloads/country_code_mappings.txt
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Use this to get a list of named locations
# Get-MgIdentityConditionalAccessNamedLocation
$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "DisplayName eq 'Untrusted Countries'"
$countries = $location.AdditionalProperties.countriesAndRegions | Sort-Object
$countryMissing = $false
# Two-letter ISO code => array whose first element is the country name.
# Download the full list from https://c7solutions.com/downloads/country_code_mappings.txt
$countryInfo = @{
    # ...
}
Write-Host "Found" $countries.Count "countries"
foreach ($country in $countries) {
    # Indexing a hashtable with a missing key returns $null rather than throwing,
    # so test for the key explicitly instead of relying on a catch block.
    if ($countryInfo.ContainsKey($country)) {
        Write-Host "$country, $(($countryInfo[$country])[0])"
    }
    else {
        # Write a hyperlink, though this only works if running PowerShell in Windows Terminal
        Write-Host "`e]8;;https://en.wikipedia.org/wiki/ISO_3166-2:$country`e\$country`e]8;;`e\"
        $countryMissing = $true
    }
}
if ($countryMissing) { Write-Host "Some of the countries are not in the example list in script - update script to include these countries." }
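As an added alternative to maintaining the ~290-entry hashtable by hand (this is example code, not part of the original script), the .NET RegionInfo class that ships with PowerShell can resolve most ISO 3166-1 alpha-2 codes to an English name. Codes the runtime does not recognise still fall through to the Wikipedia link, so the behaviour matches the script above. The named location name is the same "Untrusted Countries" as above; the CSV output path is an assumption.

```powershell
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# Resolve a two-letter ISO 3166-1 code to an English country name using .NET.
# Returns $null for codes the runtime does not recognise (the constructor throws).
function Resolve-CountryName {
    param([Parameter(Mandatory)][string]$Code)
    try {
        return [System.Globalization.RegionInfo]::new($Code).EnglishName
    }
    catch {
        return $null
    }
}

$location  = Get-MgIdentityConditionalAccessNamedLocation -Filter "DisplayName eq 'Untrusted Countries'"
$countries = $location.AdditionalProperties.countriesAndRegions | Sort-Object
Write-Host "Found" $countries.Count "countries"

$report = foreach ($country in $countries) {
    $name = Resolve-CountryName -Code $country
    if (-not $name) {
        # Unknown to .NET: print the ISO 3166-2 link instead (renders as a link only in Windows Terminal)
        Write-Host "`e]8;;https://en.wikipedia.org/wiki/ISO_3166-2:$country`e\$country`e]8;;`e\"
    }
    [pscustomobject]@{ Code = $country; Name = $name }
}

$report | Format-Table -AutoSize
# Assumed output path; change to suit your reporting location
$report | Export-Csv -Path .\untrusted-countries.csv -NoTypeInformation
```

Rows with an empty Name column are the codes you would still need to look up manually; everything else is resolved without a hand-maintained list.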
In addition to listing countries and regions, as the above example does, it is possible to export all the IP ranges as well as the Trusted flag. This is useful for reporting and auditing the IP addresses that you include in Conditional Access rules.
Connect-mgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Use this to get a list of named locations ipRanges and Trusted status
# Get-MgIdentityConditionalAccessNamedLocation
$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "DisplayName eq 'London Datacentre'"
$location.AdditionalProperties.isTrusted
$location.AdditionalProperties.ipRanges.cidrAddress
To export all your named locations, this simple script works:
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Use this to get a list of named locations ipRanges and Trusted status
# Get-MgIdentityConditionalAccessNamedLocation
$locations = Get-MgIdentityConditionalAccessNamedLocation
Write-Host "Found" $locations.Count "conditional access named locations"
foreach ($location in $locations) {
    Write-Host $location.DisplayName
    Write-Host "Trusted:" $location.AdditionalProperties.isTrusted
    # Only IP named locations have ipRanges; country locations print nothing here
    Write-Host $location.AdditionalProperties.ipRanges.cidrAddress
    Write-Host "--------------"
}
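The following is an added example (not from the original post) that builds on the export above into an audit report: one row per named location with its type, Trusted flag and the countries or CIDR ranges it contains, plus a Warnings column for the things a reviewer would want to check, such as a trusted location containing a very broad IPv4 range, or a country location that also matches addresses with no country mapping. The property names used (@odata.type, isTrusted, ipRanges, countriesAndRegions, includeUnknownCountriesAndRegions) are those the Graph API returns in AdditionalProperties; the /16 threshold and the output path are assumptions for illustration.

```powershell
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# Prefix length below which a trusted IPv4 range is flagged as "broad" (assumed threshold)
$BroadPrefixThreshold = 16

# Return a list of audit notes for one named location (empty when nothing stands out)
function Get-NamedLocationWarnings {
    param([Parameter(Mandatory)]$Location)
    $props    = $Location.AdditionalProperties
    $warnings = @()
    switch ($props.'@odata.type') {
        '#microsoft.graph.ipNamedLocation' {
            foreach ($cidr in $props.ipRanges.cidrAddress) {
                $prefix = [int]($cidr -split '/')[-1]
                # A trusted location with a huge range lets far more addresses be treated as trusted than intended
                if ($props.isTrusted -and -not $cidr.Contains(':') -and $prefix -lt $BroadPrefixThreshold) {
                    $warnings += "trusted range $cidr is broader than /$BroadPrefixThreshold"
                }
            }
        }
        '#microsoft.graph.countryNamedLocation' {
            if ($props.includeUnknownCountriesAndRegions) {
                $warnings += "also matches IPs with no country mapping"
            }
        }
    }
    return $warnings
}

$locations = Get-MgIdentityConditionalAccessNamedLocation
Write-Host "Found" $locations.Count "conditional access named locations"

$report = foreach ($location in $locations) {
    $props = $location.AdditionalProperties
    [pscustomobject]@{
        DisplayName = $location.DisplayName
        Type        = ($props.'@odata.type' -replace '^#microsoft\.graph\.', '')
        Trusted     = [bool]$props.isTrusted
        # Country locations have no ipRanges and IP locations have no countriesAndRegions; drop the nulls
        Members     = (@($props.ipRanges.cidrAddress) + @($props.countriesAndRegions) | Where-Object { $_ }) -join ';'
        Warnings    = (Get-NamedLocationWarnings -Location $location) -join '; '
        Modified    = $location.ModifiedDateTime
    }
}

$report | Format-Table -AutoSize
# Assumed output path; change to suit your reporting location
$report | Export-Csv -Path .\named-locations-audit.csv -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run is a cheap way to notice a new trusted range or a changed country list that nobody raised a change request for.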
Photo by Lara Jameson: https://www.pexels.com/photo/yellow-flag-pinned-in-brazil-8828319/