Comment by Palmik
18 hours ago
I wonder why the "no-out-of-country logins" block happens after verifying login credentials and not before, which would make more sense to me.
While blocking before authentication seems intuitive for efficiency, checking after provides crucial context that's missing if you block pre-auth: you know which specific user account just authenticated successfully.
This context enables two important things:
- Granular exceptions: If Alice is attending a conference in Toronto, you can say "Allow Alice to log in from Canada next week" without opening Canada-wide logins for everyone. Pre-auth geo-blocking forces you into an all-or-nothing stance.
- Better threat intelligence: A valid login from an unexpected region (e.g. Moscow when Alice is normally in D.C.) is a far stronger signal of compromise than a failed attempt. Capturing "successful login + wrong location" helps you prioritize real threats. If you block pre-auth, you'd never know Alice's account was compromised.
Putting geo-checks after authentication gives you precise control over whom, exactly, is logging in from where, and offers richer data for your security monitoring.
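As an added illustration of the ordering argued above (not the commenter's code, and not how any specific identity provider implements it): credentials are verified first, and only then is a per-user geo policy applied, with time-boxed exceptions and an alert flag for a successful login from an unexpected country. Usernames, passwords, countries and dates are constructed.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed directory: home country plus a plaintext secret standing in for a real credential store.
USERS = {
    "alice": {"home_country": "US", "password": "correct horse"},
}

# Constructed per-user, time-boxed exceptions: (country, valid_from, valid_until).
EXCEPTIONS = {
    "alice": [("CA",
               datetime(2024, 6, 10, tzinfo=timezone.utc),
               datetime(2024, 6, 17, tzinfo=timezone.utc))],
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False  # True only when valid credentials arrived from an unexpected country


def authenticate(username: str, password: str) -> bool:
    """Credential check; constant-time compare avoids leaking secret length/prefix via timing."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password"], password)


def geo_policy(username: str, country: str, now: datetime) -> Decision:
    """Evaluated post-authentication, so the policy can be scoped to this exact account."""
    home = USERS[username]["home_country"]
    if country == home:
        return Decision(True, "home country")
    for exc_country, start, end in EXCEPTIONS.get(username, []):
        if exc_country == country and start <= now <= end:
            return Decision(True, f"user exception for {exc_country}")
    # Valid credentials from the wrong place: block, and surface it as a compromise signal.
    return Decision(False, f"blocked: {country}, expected {home}", alert=True)


def login(username: str, password: str, country: str, now: datetime) -> Decision:
    # Step 1: a failed credential check is noise; no geo context is attached to it.
    if not authenticate(username, password):
        return Decision(False, "bad credentials")
    # Step 2: now that the account is known, apply its own geo policy.
    return geo_policy(username, country, now)
```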
Since the system is hosted on Azure, I guess we are talking about an Entra ID login. So I think they set up a Conditional Access [1] policy that can block logins based on the country of the IP. These policies run after authentication and can be specific to a user.
[1] https://learn.microsoft.com/en-us/entra/identity/conditional...
Because then you know that credentials have been compromised
Because you need to know who is logging in before you know what IP policy to enforce, no?