If you manage Microsoft Entra ID (formerly Azure AD), you likely have one of the most effective security baselines in place: a location-based Conditional Access policy. For many organizations, a policy that blocks all sign-ins originating outside their operating countries is a silver bullet against 99% of password spray attacks.

But then comes the inevitable email:

“I’m flying to Dubai tomorrow for a conference. I need access for two weeks.”

How do you handle this without breaking your security posture? There are three common ways to approach this challenge.

Method 1: The Manual Exclusion (The “Hectic” Way)

This is the default for many admins, but it is also the most dangerous. You open the policy, add the user to the “Exclude” list/group, and then hope you remember to remove them in two weeks.

The problem isn’t the exclusion; it’s the reversion. You have to rely on your own memory to remove them when they return. If you forget (and we all get busy), that user’s account remains exposed to logins from anywhere in the world. This is a high-effort, high-risk method.

Method 2: The Delegated Way (Entra Access Packages)

If you want to get admins out of the exclusion process and delegate it to the user’s manager or to specific approvers (who need no admin rights to approve), Entitlement Management (Access Packages) is a fantastic option.

In this model, you create a “Travel Access” package. The employee requests it via a self-service portal, and the request is routed to their manager for approval. With this method, the managers don’t need any admin rights on the tenant. Once approved, the system adds the user to the exclusion group on the Conditional Access policy and automatically removes them after the trip duration. This works well for large teams where you want to offload the decision-making to department managers or to the people who approve travel requests within the organization.

Method 3: The Admin-Controlled Way (PIM Groups)

However, sometimes you don’t want delegation. You want centralized control, but with the automation of a modern tool. You want to schedule exactly when an access window opens and closes, without relying on a manager to do the approval.

This is the method we will focus on today.

By using Privileged Identity Management (PIM) for Groups, admins retain full responsibility for the security posture while eliminating the risk of human error. We can “schedule” a user’s exclusion to start the moment their flight takes off and end the moment they land back home, automatically. For instance, suppose our employees are only allowed to sign in from Kenya, and a user plans to travel to Dubai tomorrow and return after two weeks. By default the Conditional Access policy will block their sign-ins from Dubai. Since the employee has communicated their travel plans, we create a time-bound assignment to a group that is excluded from the policy, so that the membership activates automatically on the departure date and deactivates automatically on the return date provided.

Here is how to set it up.

Step 1: The Architecture

First, create a Security Group dedicated to this purpose, for example: CAP-Exclusion-Travelers.

In your Conditional Access Policy (“Block Non-Domestic Logins”), add this group to the Exclude list.

  • Security Note: Ensure your travelers still hit a secondary policy (e.g., “Require MFA for All Locations” and/or “Require Compliant Device”) so they aren’t completely unprotected while abroad.

Step 2: Onboarding to PIM

You cannot schedule membership for a standard group. You must upgrade it to a PIM-managed group:

  1. Navigate to Identity Governance > Privileged Identity Management.
  2. Select Groups > Discover groups.
  3. Find CAP-Exclusion-Travelers and click Manage groups to onboard it.

Step 3: Scheduling the Access (The “Set and Forget” Method)

This is where the magic happens. We aren’t making the user “Eligible” (where they have to click a button every day). We are creating a Time-Bound Active Assignment.

  1. Go to the CAP-Exclusion-Travelers group in PIM and select Assignments.
  2. Click + Add assignments.
  3. Select the Member role and choose your traveler.
  4. Click Next to view Settings.
  5. Change Assignment Type to “Active”.
  6. Set the Start Date to their departure time.
  7. Set the End Date to their return time.

Once you click Assign, the system is now armed. You don’t need to touch it again.

⚠️ The “No Results” Scare (Troubleshooting)

After you configure this, you might panic. You will likely go to the Active Assignments tab to verify your work, and you will see:

No results.

Don’t worry. This is a known quirk of the Entra interface. The “Active Assignments” view defaults to showing users who have access right now. Since your traveler’s flight is next week (or at some other future time), they are not technically “Active” yet, so the UI filters them out.

How to verify your configuration:

To confirm the schedule is locked in, check the Resource Audit log within the PIM group. Look for the operation “Add member to PIM request”. In the details pane, you will see the explicit Schedule Start and End times.

If it’s in the audit log, it will execute.
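The same configuration from Steps 1 to 3, created and then verified through Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph modules are installed, that the user UPN, group name, policy name and ticket reference are placeholders, and that the traveler’s departure and return times are given in Nairobi local time.

```powershell
# Added example: schedule a time-bound PIM group membership and verify it.
# Placeholders: the UPN, group name, policy name and ticket number are assumptions.
Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup","Group.Read.All","User.Read.All","Policy.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'CAP-Exclusion-Travelers'"
$user  = Get-MgUser  -UserId "traveler@example.com"   # placeholder UPN

# Step 1 check: the group must actually be on the geo-block policy's exclude list.
$block = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Block Non-Domestic Logins'"
if ($block.Conditions.Users.ExcludeGroups -notcontains $group.Id) {
    throw "Group is not excluded from the geo-block policy; fix Step 1 first."
}

# PIM schedules are stored in UTC; convert the traveler's local (Nairobi, UTC+3) times.
$tz        = [System.TimeZoneInfo]::FindSystemTimeZoneById("E. Africa Standard Time")
$departUtc = [System.TimeZoneInfo]::ConvertTimeToUtc([datetime]"2025-03-01 08:00", $tz)
$returnUtc = [System.TimeZoneInfo]::ConvertTimeToUtc([datetime]"2025-03-15 22:00", $tz)

# Step 3: a time-bound *active* assignment (adminAssign), not an eligible one.
$request = @{
    accessId      = "member"
    principalId   = $user.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Conference travel to Dubai, ticket TRV-0000 (placeholder)"
    scheduleInfo  = @{
        startDateTime = $departUtc.ToString("yyyy-MM-ddTHH:mm:ssZ")
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = $returnUtc.ToString("yyyy-MM-ddTHH:mm:ssZ")
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $request

# Verification: the portal's "Active assignments" tab lists instances (access right
# now), whereas schedules include future-dated assignments, so query the schedules.
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule `
    -Filter "groupId eq '$($group.Id)' and principalId eq '$($user.Id)'" |
    Select-Object Status,
        @{n = "StartUtc"; e = { $_.ScheduleInfo.StartDateTime }},
        @{n = "EndUtc";   e = { $_.ScheduleInfo.Expiration.EndDateTime }}
```

The last query is the scripted equivalent of the audit-log check: if the schedule with the expected start and end times is returned, the assignment will execute.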

By shifting from static exclusions to PIM-managed groups or Access Packages, you achieve three things:

  1. Zero Drift: Access is revoked automatically; you never forget to “close the door.”
  2. Audit Trail: You have a clear log of who requested travel access and for how long.
  3. Peace of Mind: You can configure the access weeks in advance and trust the system to handle the switch.


By kevoh
