Insider Threat Matrix™
  • ID: PV056
  • Created: 25th April 2025
  • Updated: 25th April 2025
  • Platforms: Android, iOS, Windows, Linux, MacOS
  • Contributor: Patrick Mkhael

Azure Conditional Access Policies

Azure Conditional Access provides organizations with a powerful tool to enforce security policies based on various factors, including user behavior, device compliance, and location. These policies can be configured through the Azure Active Directory (Azure AD) portal and are typically applied to cloud-based applications, SaaS platforms, and on-premises resources that are integrated with Azure AD.


To configure Conditional Access policies, administrators first define the conditions that trigger the policy, such as:

  • User or group membership: Applying policies to specific users or groups within the organization.
  • Sign-in risk: Assessing user sign-in risk levels, such as unfamiliar locations or suspicious behaviors, and enforcing additional controls like MFA.
  • Device compliance: Ensuring only compliant devices (those managed through Intune or similar tools) can access organizational resources.
  • Location: Restricting access based on trusted or untrusted IP addresses and geographic locations, blocking risky or suspicious login attempts.


Once conditions are set, administrators can then specify the actions to take, such as requiring MFA, blocking access, or allowing access only from compliant devices. For example, an organization could require MFA when accessing Microsoft 365 or other cloud applications from an unmanaged device or high-risk location.
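The two steps above (define the conditions, then the grant controls) map directly onto a single policy object. The following is an added example, not code from the Insider Threat Matrix page, that creates the policy described in the paragraph through the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module, cmdlet `New-MgIdentityConditionalAccessPolicy`) instead of the portal. It scopes the policy to all users accessing the Microsoft 365 application group from any location not marked as trusted, and lets the sign-in through only if the user completes MFA or is on a device that Intune reports as compliant; the group ID for the emergency-access exclusion is a placeholder you must replace.

```powershell
# Added example (not from the original page): create a Conditional Access policy with the
# Microsoft Graph PowerShell SDK. Requires the Microsoft.Graph module and an account that
# holds a role allowed to write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: object ID of the emergency-access ("break-glass") group that must never be
# locked out by this policy. Replace before running.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for Microsoft 365 from unmanaged devices or untrusted locations"
    # Report-only first: the policy is evaluated and logged in the sign-in log but not enforced,
    # so its impact can be reviewed before the state is changed to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Who: every user, except the emergency-access group
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # What: the built-in Microsoft 365 application group (Exchange, SharePoint, Teams, ...)
        applications = @{
            includeApplications = @("Office365")
        }
        # Where: any location except the named locations marked as trusted
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR": satisfying either control grants access. A compliant (Intune-managed) device
        # passes without a prompt; an unmanaged device from an untrusted location must do MFA.
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Conditions inside one policy are combined with AND, so adding a `signInRiskLevels` entry (for example `@("high")`) would narrow this policy to high-risk sign-ins from untrusted locations rather than broaden it; risk-based enforcement is usually expressed as a separate policy. Leaving the policy in report-only mode until the sign-in log shows the expected coverage is the check that prevents an overly broad policy from locking administrators out.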


Conditional Access policies are configured through the Azure AD portal and can be applied to a variety of platforms and services, including (but not limited to):

  • Microsoft 365 (e.g., Exchange, SharePoint, Teams)
  • Azure services (e.g., Azure Storage, Azure Virtual Machines)
  • Third-party SaaS applications integrated with Azure AD

Sections

ME007 Privileged Access

A subject has privileged access to devices, systems or services that hold sensitive information.

IF035 Unauthorized Work Location

A subject performs work-related activities from a location or jurisdiction that is not approved by the organization, in violation of policy, contractual restrictions, or regulatory requirements.


This behavior includes remote work conducted outside authorized geographic boundaries, the use of undisclosed travel locations, or deliberate concealment of true working location through technical means. Unauthorized work location infringements introduce material risk across legal, regulatory, data protection, and operational domains. These risks include unlawful data transfer across jurisdictions, breach of client or government restrictions, tax and employment violations, and exposure of corporate systems to untrusted environments.


Unauthorized work location activity is often initially perceived as low-severity or convenience-driven. However, in practice it represents a critical control failure, particularly in organizations with geo-restrictions, data residency obligations, or sensitive access environments. Left unchallenged, this behavior can contribute to Behavioral Drift, where location-based controls are progressively disregarded across the organization's population.


This section captures all forms of location-based policy infringement, whether deliberate (concealment, evasion) or negligent (failure to disclose travel).

ME024.003 Access to Critical Environments (Production and Pre-Production)

Subjects with access to production and pre-production environments—whether as users, developers, or administrators—hold the potential to exploit or compromise highly sensitive organizational assets. Production environments, which host live applications and databases, are critical to business operations and often contain real-time data, including proprietary business information and personally identifiable information (PII). A subject with access to these systems can manipulate operational processes, exfiltrate sensitive data, introduce malicious code, or degrade system performance.


Pre-production environments, used for testing, staging, and development, often replicate production systems, though they may contain anonymized or less protected data. Despite this, pre-production environments can still house sensitive configurations, APIs, and testing data that can be exploited. A subject with access to these environments may uncover system vulnerabilities, access sensitive credentials, or introduce code that could be escalated into the production environment.


In both environments, privileged access provides a direct pathway to the underlying infrastructure, system configurations, logs, and application code. For example, administrative access allows manipulation of security policies, user permissions, and system-level access controls. Similarly, access to development environments can provide insights into source code, configuration management, and test data—all of which could be leveraged to further insider activity.


Subjects with privileged access to critical environments are positioned not only to exploit system vulnerabilities or bypass security controls but also to become targets for recruitment by external actors seeking unauthorized access to sensitive information. These individuals may be approached or coerced to intentionally compromise the environment, escalate privileges, or exfiltrate data on behalf of malicious third parties.


Given the sensitivity of these environments, subjects with privileged access represent a significant insider threat to the integrity of the organization's systems and data. Their position allows them to manipulate or exfiltrate sensitive information, either independently or in collaboration with external actors. The risk is further amplified as these individuals may be vulnerable to recruitment or coercion, making them potential participants in malicious activities that compromise organizational security. As insiders, their knowledge and access make them a critical point of concern for both data protection and operational security.

ME001.002 Purchase and Use of Unmanaged Corporate Hardware

The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.


Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.


This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data.

IF027.001 Infostealer Deployment

The subject deploys credential-harvesting malware (commonly referred to as an infostealer) to extract sensitive authentication material or session artifacts from systems under their control. These payloads are typically configured to capture data from browser credential stores (e.g., Login Data SQLite databases in Chromium-based browsers), password vaults (e.g., KeePass, 1Password), clipboard buffers, Windows Credential Manager, or the Local Security Authority Subsystem Service (LSASS) memory space.


Infostealers may be executed directly via compiled binaries, staged through malicious document macros, or loaded reflectively into memory using PowerShell, .NET assemblies, or process hollowing techniques. Some variants are fileless and reside entirely in memory, while others create persistence via registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks.


While often associated with external threat actors, insider deployment of infostealers allows subjects to bypass authentication safeguards, impersonate peers, or exfiltrate internal tokens for later use or sale. In cases where data is not immediately exfiltrated, local staging (e.g., in %AppData%, %Temp%, or encrypted containers) may indicate an intent to transfer data offline or deliver it via alternate channels.

IF035.002 Work from Prohibited or High-Risk Jurisdictions

The subject performs work-related activities from a jurisdiction explicitly prohibited or classified as high-risk by the organization, in violation of policy, regulatory obligations, or contractual restrictions.


These jurisdictions are typically defined based on legal, regulatory, geopolitical, or security considerations. This includes sanctioned countries, regions subject to export control restrictions, locations with elevated cyber threat activity, or jurisdictions where data access is restricted due to sovereignty or client requirements.


Unlike general undeclared international remote work, this behavior involves access from locations where work is explicitly disallowed, regardless of disclosure. Even where the subject has notified the organization of travel, performing work from these jurisdictions constitutes a direct infringement due to the inherent risk profile.


Operating from prohibited or high-risk jurisdictions introduces severe exposure, including:

  • Breach of international sanctions or export control laws
  • Unauthorized cross-border transfer or access to regulated data
  • Increased likelihood of interception, monitoring, or compromise by hostile entities
  • Violation of contractual obligations with clients, governments, or partners


In some cases, subjects may knowingly disregard restrictions due to convenience or personal circumstances. In more serious scenarios, this behavior may indicate exposure to coercion, or deliberate or inadvertent data exfiltration to a third party.


This sub-section represents a high-severity infringement category, as the risk is intrinsic to the location itself, not just the lack of approval.

IF035.001 Undeclared International Remote Work

The subject performs work-related duties from a foreign jurisdiction without notifying or obtaining approval from the organization, in violation of defined location, legal, or contractual requirements.


This behavior commonly occurs when a subject travels internationally and continues to access corporate systems while physically located outside their approved working jurisdiction. In many cases, the subject does not disclose the travel, preventing the organization from applying appropriate legal, regulatory, and security controls.


A frequently observed variant involves annual leave extension abuse, where the subject initially travels abroad under approved leave but remains in that jurisdiction beyond the authorized leave period and resumes work remotely without declaration. In this scenario, the subject transitions from compliant absence to unauthorized international working, often assuming the original approval implicitly extends to remote work activity.


Undeclared international remote work introduces material risk, including:

  • Breach of data residency and cross-border data transfer restrictions
  • Violation of employment law and tax obligations
  • Exposure of corporate systems to untrusted or high-risk environments
  • Breach of contractual or client-imposed geographic controls


This behavior is often rationalized by the subject as low impact or temporary. However, it represents a failure of governance and visibility over where sensitive systems are being accessed. In regulated environments, even short periods of undeclared international access may constitute a compliance breach.


If repeated or unchallenged, this behavior may contribute to Behavioral Drift, where undeclared cross-border working becomes normalized within teams or functions.