I want to talk about a problem that many companies have when it comes to remote work today: providing access to users who are on the go.
Hold on, let me clarify using a situation from real life: one of your talented team members, Isaac, will be away from the office from April 10 to April 17 for an important business meeting. However, the company already has a strict geo-restriction policy that only allows sign-ins from the UK. Since Isaac is traveling overseas, we must make sure he can still access the company resources he needs while away from the office and outside the UK, right?
Therefore, you must make it seamless and give Isaac only temporary access. Because, as everyone is aware, cybercriminals thrive on exceptions and relaxed policies!
In this blog, I’ll cover how to grant temporary access in Entra ID: time-bound access using Microsoft Entra ID Conditional Access, a dedicated “Travel-Exceptions” group, and automated PowerShell scripts to make the process seamless.
What’s the Solution for this Business Need?
Our world is more connected than ever, and business travel is more common than ever. ✈️ Employees need to attend conferences, meet with clients, and collaborate with international teams! But what happens when a legitimate user travels? How do you maintain robust security without creating friction for those who need it most?
This is precisely the challenge we’re addressing today. But by effectively using Microsoft Entra ID Conditional Access policies, we can tailor our security posture to meet both the strict demands of global cybersecurity and the practical needs of our workforce.
In our scenario, the risk is that if we broadly disable geo-restrictions for traveling users, it opens up a window for potential misuse. The goal is to craft a solution that is both secure and pragmatic.
Step 1: Create a “Travel-Exceptions” Group
First, we’ll create a security group in Microsoft Entra ID. This group will act as a container for users who are temporarily authorized to sign in from outside the UK.
- Navigate to the Microsoft Entra Admin Center.
- Go to Groups → All Groups → click New Group, then configure the following:
- Group Type: Security
- Group Name: Travel-Exceptions
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
- Click Create.
There is a reason why I suggest using a security group instead of just adding Isaac directly to the Conditional Access policy:
- Instead of modifying Conditional Access policies each time an employee travels, you simply add or remove users from this group.
- The “Travel-Exceptions” group provides a clear audit trail of who has temporary access and when they had it.
- This method works seamlessly, whether you have a few employees traveling occasionally or a large team with frequent international travel.
- It’s much easier to maintain a group membership than to edit complex Conditional Access policies.
Pro Tip: If you are worried that anyone could add members to the group and defeat its purpose, you can enforce membership restrictions by requiring an approval process or by limiting who is allowed to add users to this group. That keeps it secure at all times.
Step 2: Configuring Conditional Access for Temporary Access
Once we have our “Travel-Exceptions” group, we need to create a Conditional Access policy that allows users in this group to sign in from outside the UK while keeping security intact. This policy will override your default location-based restrictions for these users, but only when they’re signing in from outside your approved locations.
- In the Microsoft Entra admin center, go to Protection → Conditional Access → Policies.
- Click on Create New policy.
- Name it something like “Allow-Travel-Outside-UK” (or whatever your primary location is).
- Configure the policy settings:
- Include: Select the “Travel-Exceptions” group (This applies the policy only to users in this group)
- Target Resources → choose the resources that require secure access.
- Conditions → Locations → Configure: Yes
- Exclude: Select your primary location (e.g., UK). This ensures the policy applies only when users sign in from outside the UK. This is the crucial step!
- Access Controls → Grant:
- Require authentication strength (Recommended: Strongest – phishing-resistant MFA)
- You may also require a compliant device.
- Enable policy: Set the policy to On. (For testing, start in “Report-only” mode before enabling in production).
Pro Tip: If you have Azure AD Premium P2, you can enable risk-based Conditional Access policies to automatically block sign-ins from unusual locations!
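Here is the Step 1 and Step 2 configuration done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes a named location called “UK” already exists in the tenant, that the built-in “Phishing-resistant MFA” authentication strength is available, and that the signed-in account holds the listed Graph scopes.

```powershell
# Added example (not from the original post): create the Travel-Exceptions group and the
# Conditional Access policy from Steps 1 and 2 as code, so the settings are repeatable and reviewable.
# Assumptions: a named location "UK" exists; the built-in "Phishing-resistant MFA" strength is available.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 1: security group, assigned membership, not role-assignable (idempotent: reuse if it exists)
$group = Get-MgGroup -Filter "displayName eq 'Travel-Exceptions'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "Travel-Exceptions" -MailNickname "travel-exceptions" `
        -MailEnabled:$false -SecurityEnabled -IsAssignableToRole:$false `
        -Description "Temporary members allowed to sign in from outside the UK"
}

# Look up the objects the policy references by name instead of hard-coding GUIDs
$ukLocation = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'UK'"
$strength   = Get-MgPolicyAuthenticationStrengthPolicy |
              Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $ukLocation -or -not $strength) {
    throw "Named location 'UK' or the phishing-resistant MFA authentication strength was not found."
}

# Step 2: scope to the group only, to any location except the UK, and grant only with phishing-resistant MFA.
# Created in report-only mode first; switch state to "enabled" once the sign-in logs look right.
$policy = @{
    displayName = "Allow-Travel-Outside-UK"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($ukLocation.Id)   # the crucial exclusion from Step 2
        }
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Disconnect-MgGraph
```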
Step 3: Time-Bound Access for the Traveling User
Now that we have our Conditional Access policy in place, we need to manage the membership of the “Travel-Exceptions” group to grant access to specific users for the duration of their trip. There are two ways to do this:
Option A: Manual Add/Remove in Entra ID:
This is the simplest approach, but it requires quite a lot of manual work!
- On the departure date (April 10 in my case): add the user (e.g., Isaac) to the “Travel-Exceptions” group in the Microsoft Entra admin center.
- On the return date (April 17): remove the user from the “Travel-Exceptions” group.
While straightforward, this method depends on someone manually adding and removing users on time, which can lead to errors—especially with multiple travelers. Instead, use PowerShell to automate access management and ensure timely updates.
Option B: Automate Group Membership with PowerShell
For a more robust and reliable solution, I strongly recommend automating the process with PowerShell. This eliminates the risk of human error and ensures that access is granted and revoked precisely when needed.
PowerShell Script to Add/Remove a User from Travel-Exceptions Group:
```powershell
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Users modules (Install-Module Microsoft.Graph)
param (
    [string]$GroupName = "Travel-Exceptions",
    [datetime]$DepartureDate = "2025-03-29",
    [datetime]$ReturnDate = "2025-03-31"
)

# Trim stray spaces so "a@contoso.com, b@contoso.com" resolves both users
$UserPrincipalNames = (Read-Host "Enter UPNs (comma-separated)") -split "," |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Resolve the group once; take the first match in case of duplicate display names
$GroupId = (Get-MgGroup -Filter "DisplayName eq '$GroupName'" | Select-Object -First 1).Id
if (-not $GroupId) {
    Write-Host "Group '$GroupName' not found!" -ForegroundColor Red
    Disconnect-MgGraph
    exit 1
}

# Decide what today's run should do: add on the departure date, remove on the return date, otherwise nothing
$Today = (Get-Date).Date
$Action = if ($Today -eq $DepartureDate.Date) { "Add" } elseif ($Today -eq $ReturnDate.Date) { "Remove" } else { $null }

if ($Action) {
    foreach ($Upn in $UserPrincipalNames) {
        $UserId = (Get-MgUser -Filter "UserPrincipalName eq '$Upn'").Id
        if (-not $UserId) {
            Write-Host "User $Upn not found!" -ForegroundColor Yellow
            continue
        }
        try {
            # -ErrorAction Stop turns Graph errors into terminating ones so the catch block sees them
            if ($Action -eq "Add") {
                New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $UserId -ErrorAction Stop
            } else {
                Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $UserId -ErrorAction Stop
            }
            Write-Host "$Action $Upn in '$GroupName' on $Today." -ForegroundColor Green
        } catch {
            # Inside catch, $_ is the error record, so the UPN must come from $Upn, not $_
            Write-Host "Failed to $Action $Upn in '$GroupName' on $Today. Error: $($_.Exception.Message)" -ForegroundColor Red
        }
    }
} else {
    Write-Host "No action taken. Today ($Today) is neither the departure date ($DepartureDate) nor the return date ($ReturnDate)." -ForegroundColor Yellow
}
Disconnect-MgGraph
```
Schedule the script to run on the departure and return dates:
- Use powershell.exe -File "C:\Path\To\YourScript.ps1" as the execution command.
- Or create a Runbook and schedule it for the required dates.
- Use a Managed Identity for authentication instead of an interactive Connect-MgGraph sign-in.
Pro Tip: Use Azure Logic Apps to trigger notifications when a user is added or removed from the “Travel-Exceptions” group.
Managing Future Travel Access Efficiently
That’s it, for now and for future trips as well! Instead of creating multiple Conditional Access policies for different scenarios, this single policy with the Travel-Exceptions group keeps things flexible without policy bloat. Simply add or remove users as needed.
But there are other things to focus on as well. In particular, you need to put effort into effectively monitoring and auditing the access granted through the “Travel-Exceptions” group.
1. Monitor Group Membership Changes:
- Entra Audit Logs: Track changes under Identity > Monitoring & health > Audit logs. Filter by Group Management to review modifications to the Travel-Exceptions group.
- Azure Monitor: For more advanced monitoring and alerting, you can integrate Azure AD audit logs with Azure Monitor.
- PowerShell: You can also use PowerShell to query the audit logs and generate reports on group membership changes. For example, you could schedule a script to run daily and email you a list of all users added to or removed from the “Travel-Exceptions” group.
2. Monitor User Access via Entra ID Sign-in Logs:
- Regularly check sign-in and audit logs to ensure only authorized users are accessing resources from abroad.
3. Access Reviews in Entra ID:
- If you have Microsoft Entra ID P2, set up access reviews for the group to ensure temporary access doesn’t linger. You can configure access reviews in the Microsoft Entra admin center under Identity governance > Access reviews. You can set up recurring reviews of the “Travel-Exceptions” group, where either the group owners or the users themselves can attest to whether they still need to be in the group.
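A script for the daily membership-change report suggested under point 1, as an added example rather than the post’s own code. It assumes the identity running it holds AuditLog.Read.All and Directory.Read.All, that the group is still called Travel-Exceptions, and leaves delivery of the CSV to whatever you already use (the Logic Apps notification from the Pro Tip, for instance).

```powershell
# Added example (not from the original post): list who was added to or removed from the
# Travel-Exceptions group in the last day, using the Entra audit log (category GroupManagement).
# Assumptions: the runner has AuditLog.Read.All and Directory.Read.All; group name unchanged.
param (
    [string]$GroupName = "Travel-Exceptions",
    [int]$LookbackDays = 1
)
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Server-side filter on category and time window; the group match is done client-side below
$since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "category eq 'GroupManagement' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$report = foreach ($e in $events) {
    # Only membership changes, not renames or deletions of the group
    if ($e.ActivityDisplayName -notin @("Add member to group", "Remove member from group")) { continue }
    # The group appears either as a target resource or in the Group.DisplayName modified property
    $touchesGroup = $e.TargetResources | Where-Object {
        $_.DisplayName -eq $GroupName -or
        ($_.ModifiedProperties | Where-Object {
            $_.DisplayName -eq "Group.DisplayName" -and $_.NewValue -match [regex]::Escape($GroupName) })
    }
    if (-not $touchesGroup) { continue }
    $member = $e.TargetResources | Where-Object { $_.Type -eq "User" } | Select-Object -First 1
    [pscustomobject]@{
        When      = $e.ActivityDateTime
        Action    = $e.ActivityDisplayName
        Member    = $member.UserPrincipalName
        ChangedBy = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                    else { $e.InitiatedBy.App.DisplayName }   # automation (runbook / scheduled task)
        Result    = $e.Result
    }
}

# Any change here that does not line up with a known travel window deserves a closer look
$report | Sort-Object When | Format-Table -AutoSize
$report | Export-Csv -Path ".\TravelExceptions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Disconnect-MgGraph
```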
Balancing Security and Productivity
Isaac can now attend his business meeting abroad without worrying about access problems. I hope this detailed walkthrough has given you a clear roadmap on how to implement a secure, flexible solution for travel-related access challenges.
With a single Conditional Access policy and automated management, you reduce complexity, strengthen security, and streamline operations—all without unnecessary policy duplication. A simple and effective way to balance security with flexibility.
Stay safe, stay secure, and happy travels! ✈️