Users trying to access Exchange Online (from the Canada office) and the PowerBI service (from the India office), respectively, will be allowed to sign in to the applications. Conversely, if they try to sign in to Exchange Online (from the USA or India office) or the PowerBI service (from the USA or Canada office), they will be shown a common error message.
Therefore, the policy is successfully implemented, and we have secured access to the applications so that they can be reached from the defined locations only. Access from all other locations and IPs that are not defined is blocked.
What if someone tries to access the applications from a non-Windows device? The error message remains the same; only the user interface around it differs.
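To confirm the behaviour described above from the sign-in logs rather than from manual tests alone, the following added example (not part of the original post) uses the Microsoft Graph PowerShell SDK to flag sign-ins that contradict the location rules. It assumes the locations are country-based (Exchange Online from `CA`, PowerBI from `IN`), that the resources appear in the log as `Office 365 Exchange Online` and `Power BI Service`, and a 7-day look-back; adjust all three to match your tenant.

```powershell
# Added example: audit sign-ins against the per-application location rules.
# Requires the Microsoft.Graph PowerShell SDK and the AuditLog.Read.All scope.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Assumption: resource display names as logged, mapped to the only
# two-letter country code each application may be reached from.
$allowed = @{
    'Office 365 Exchange Online' = 'CA'
    'Power BI Service'           = 'IN'
}

# Assumption: 7-day look-back window.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $allowed.ContainsKey($_.ResourceDisplayName) }

$report = foreach ($s in $signIns) {
    $country = $s.Location.CountryOrRegion
    $inside  = ($country -eq $allowed[$s.ResourceDisplayName])
    $success = ($s.Status.ErrorCode -eq 0)
    # 53003 = access blocked by Conditional Access policies
    $blocked = ($s.Status.ErrorCode -eq 53003)

    $finding = if ($success -and -not $inside) {
        'GAP: signed in from outside the allowed location'
    } elseif ($blocked -and $inside) {
        'FALSE BLOCK: blocked inside the allowed location'
    } elseif ($blocked) {
        'Blocked as intended'
    } else {
        $null   # other failures (bad password, MFA, ...) are out of scope here
    }

    if ($finding) {
        [pscustomobject]@{
            Time     = $s.CreatedDateTime
            User     = $s.UserPrincipalName
            Resource = $s.ResourceDisplayName
            Country  = $country
            IP       = $s.IpAddress
            Finding  = $finding
        }
    }
}

$report | Sort-Object Finding, Time | Format-Table -AutoSize
```

Any `GAP` row means a sign-in succeeded from a location the policy should have blocked, which usually points to an excluded user, an untargeted client app type, or a named location that is broader than intended.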
Country-based policies are OK, but those can be easily defeated by using a VPN service. Is there a way to block all connections coming via a VPN like NordVPN etc.? I have not found any solution.
Unfortunately - unless you can find out which IP addresses a particular VPN service uses on the public side - one cannot put this kind of filter in place.
We have challenges setting up CA for Windows 365 desktops. Isn't it possible to specify a range of IPs for Win 365 instead of adding each IP manually? Please note we have 100s of users on Win365 desktops.
This old blog refers to Win365 Enterprise being a requirement.
https://techcommunity.microsoft.com/t5/windows-365/windows-365-ip-range-for-azure-conditional-access/m-p/2835799
Unfortunately this can only be achieved via Windows 365 for Enterprise edition, where traffic can be run through your Azure VNet in your tenant.