Geo-Blocking Without the Vacation Ticket Pile: A Self-Service Travel Pass for M365
TL;DR
- A geo-blocking Conditional Access policy is strong protection against malicious sign-ins, and a guaranteed support burden every time a user travels.
- Entra access packages can automate travel exceptions, but they require an Entra P2 license most customers do not have; Forms plus Power Automate works in any tenant.
- The automation adds the traveler to a Temporary Travel group on their start date and removes them on their return date, so exceptions expire themselves.
- Group membership changes, never edits to the Conditional Access policies themselves, are how the flow grants and revokes access safely.
- The temporary travel policy still requires MFA from approved countries, so a travel exception never means an unprotected sign-in.
A geo-blocking Conditional Access policy (opens in new tab) is one of the easiest wins in Microsoft 365 security: block sign-ins from countries where your users have no business signing in. If you have not implemented one, do. Then brace for the side effect, because the moment someone books a vacation to Italy, that policy becomes a help desk ticket, and somebody on your team starts hand-editing exclusions.
There is a well-designed answer using Entra access packages, documented in this excellent piece: Secure your users when they go on vacation (opens in new tab). The catch is licensing: access packages require Entra P2, which most customers do not have. So we built the same outcome with parts every tenant owns, Microsoft Forms and Power Automate, and packaged the flow as a template you can import into customer environments. This post covers the whole build.

What the travel pass does, end to end
A hypothetical run of the system:
- A Conditional Access policy blocks all logins from outside the US.
- A user is heading to Italy for two weeks. They submit a travel request form with the country and their start and return dates. A ticket lands in your PSA.
- The flow verifies the requested country is on the approved-for-travel list. On the start date, the user is added to a "Temporary Travel" group, which is excluded from the geo-blocking policy and included in a "Temporary Travel" Conditional Access policy that allows access from approved temporary countries.
- On the return date, the user is removed from the group. Italy goes back to being blocked for them.
Why this design holds up better than the manual alternative:
- No blanket exclusions from the base geo-location policy; each approval is a temporary allowance to a select list of countries for one individual user.
- The Conditional Access policies themselves are never modified, only the group memberships behind their inclusions and exclusions.
- Automation removes the human error that, over time, leaves permanent holes in your Conditional Access protections.
Build it: the Entra side
Define the approved countries as a named location
- In the Entra admin center, go to Protection > Conditional Access > Named Locations > + Countries location.
- Provide a name (for example, Temporary Travel).
- Add your list of approved countries.

The list itself is a decision you should make as an MSP, factoring in countries users in the tenant already travel to frequently. Our Power Automate template ships with an array of about 39 countries you can add to or trim.
A shortcut for later: copy the country list into an Excel sheet, clean it to your approved set, and have ChatGPT format it with this prompt: convert the following into an array with the following format ["Test", "Test1", "Test 2"]. You will use that array in the flow.

Create the Temporary Travel group
In the Entra admin center, create a new security group called "Temporary Travel." After creation, copy its object ID into notepad; the flow needs it later.

Build it: the form

The form here is deliberately simple; add fields as needed. Create it inside each customer environment. That buys you two things: only authenticated users from that tenant can submit, and you do not have to ask for their email, because it comes through natively with the form response.

Use the choice question type for the country list, populated with the countries from your named location. We like adding an "Other" option so users can type a country not on the approved list (the flow routes those to a ticket instead of an approval). Click the three dots on the question and make it a dropdown.

Build it: the flow
Import the template
- Download the zip file for free (type $0 at checkout): Automating Travel Request template (opens in new tab)
- Go to https://make.powerautomate.com/ (opens in new tab)
- Click My Flows > Import > Import Package

- Upload the zip file.
- Do not modify the Flow resource. For each connector, click "Select during import" and point it at a service account in your environment. If you do not have one, create a dedicated service account specifically for Power Automate. It needs enough permissions to read the requested data in Entra, and the Outlook connection needs a mailbox associated with the account.

When creating new connections, the search bar in the upper right of the + New Connection page is the fast way to find the resource type you need.
- Click Import when finished, then Open Flow after a successful import.
Point the template at your tenant
Modify the first action to reference the Microsoft Form you created earlier.

Modify the Get response details action to dynamically grab the form from the previous step.

Optionally, edit the array of approved countries to match your named location list.

Modify ALL timer delay actions (Delay Until and Wait Until Return Date) to your time zone value. The correct string values are here: Default Time Zones (opens in new tab).

For the Get Group action, replace the GUID with the object ID you saved when creating the Temporary Travel group.

Modify ALL of the Create Ticket actions to send to your support email, and update the email template to include the company name in the subject line and body.

Test before you trust
After saving, click Test in the right corner, select Manual, and submit the form to confirm the flow runs without errors.

Build it: the Conditional Access policies
Two policy changes close the loop. First, in your existing geo-blocking policy, exclude the Temporary Travel group.

Second, create a new Conditional Access policy for temporary travel that applies the following:
- Assigned to the Temporary Travel group
- Targets all cloud apps
- Includes the Temporary Travel named location
- Grants access but requires MFA


Worth the setup
Repeating this setup per customer is a real cost, no argument. Weigh it against every vacation-week ticket it absorbs and every forgotten exclusion it prevents, and the math tilts quickly toward building it.
One closing note: in tenants that do have Entra P2, the access package approach from the article linked at the top is likely the better path, since it is built into licensing the customer already pays for.
Frequently asked questions
Why not just exclude the user from the geo-blocking policy while they travel?
Manual exclusions depend on someone remembering to remove them, and forgotten exclusions quietly punch permanent holes in the policy. This flow approves a temporary set of countries for one user with start and end dates, and the removal happens automatically.
Should the form live in the MSP tenant or each customer tenant?
Each customer tenant. Only authenticated users from that environment can submit, and the form response natively carries the user's email, so you collect less information and the flow has a trusted identity to act on.
What if the tenant already has Entra P2?
Use access packages instead. The capability is built into the licensing the customer already pays for, and the access package approach handles approval and time-boxing natively. This build exists for the majority of tenants without P2.
Are your Conditional Access policies still what you deployed?
Exclusion groups, named locations, and temporary exceptions drift. CloudCapsule audits Conditional Access coverage alongside 250+ Microsoft 365 controls per tenant in about 60 seconds, and flags what changed since last quarter.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


