Traveling Employee CA Policy Crate

What does the Traveling Employee CA Policy Crate do?

This Crate allows MSPs to easily manage traveling employees and their access via a form to adjust conditional access policies automatically upon their departure and return dates. Technicians and customers can self-serve, reducing tickets and time spent on these types of requests.

This Crate doesn't permanently modify existing conditional access policies, manage trusted locations, or approve or deny travel requests.

How the Crate works

This Crate contains three separate forms.

1. [REWST] M365: Traveling Employee CA Policy - Setup is used once or rarely to set your base level of conditional access policy.

2. [REWST] M365: Traveling Employee CA Policy (MSP) is used any time you want to prepare for a traveling employee or bucketed group of traveling employees. This form inherits the policies set with the first form.

3. [REWST] M365: Traveling Employee CA Policy (Self-Serve) is meant to be sent to individual users to have them fill out the travel plans for themselves or their group of employees.

The Crate's workflow runs on a cron trigger. It checks once daily for users indicated by the form, and adds them to an exclusion list. Access is granted only for the approved travel window and revoked automatically. Only configured baseline block policies are bypassed during travel. All other active CA policies, such as MFA requirements, remain. Temporary resources are automatically deleted after use.

PSA tickets are created and updated any time the MSP or Self-Serve forms are submitted.

Crate prerequisites

Before unpacking this Crate, you must first have:

• Your PSA successfully integrated with Rewst

• Our Microsoft Cloud integration bundle successfully integrated with Rewst

Unpack the Traveling Employee CA Policy Crate

1. Navigate to Crates > Crate Marketplace in the left side menu of the Rewst platform.

2. Search for Traveling Employee CA Policy.

3. Click on the Crate tile to begin unpacking.

4. Click Unpack Crate.

5. Click Continue.

6. Ensure that all triggers are set to Enabled.

7. Click Unpack.

Use the Crate

Set your conditional access policy guidelines with the [REWST] M365: Traveling Employee CA Policy - Setup form

1. Navigate to Automations > Forms.

2. Search for [REWST] M365: Traveling Employee CA Policy - Setup.

3. Click ⋮ > Usages > View Direct URLs.

4. Click on the relevant link to launch it for your desired organization.

5. Select an organization to set the policy for from the Organization drop-down selector.

6. Use the Baseline Block Policies drop-down to select all policies that may block a traveling user. Selected policies will have users added to their exclusion list during the approved travel time window to allow access.

7. Click Submit.

As needed, prepare for employee travel with the [REWST] M365: Traveling Employee CA Policy (MSP) form

1. Navigate to Automations > Forms.

2. Search for [REWST] M365: Traveling Employee CA Policy (MSP).

3. Click ⋮ > Usages > View Direct URLs.

4. Click on the relevant link to launch it for your desired organization.

5. Select an organization to set the policy for from the Organization drop-down selector.

6. Use the following fields to enter information about the travel plan:

   1. Ticket - Select an existing ticket to update, otherwise a new ticket will be created in your PSA at the time of submission

   2. Users - Select the user or users who require a travel conditional access policy to be applied

   3. Destination Countries - Select the countries the user or users will be traveling to

   4. Departure Date - Enter the date and time the user or users will begin travel, which is when the conditional access policy will take effect

   5. Return Date - Enter the date and time the user or users will return from travel, which is when the conditional access policy will be removed

7. Click Submit.

As needed, prepare for employee travel with the [REWST] M365: Traveling Employee CA Policy (Self-Serve) form

1. Navigate to Automations > Forms.

2. Search for [REWST] M365: Traveling Employee CA Policy (Self-Serve).

3. Click ⋮ > Usages > View Direct URLs.

4. Click on the relevant link to launch it for your desired organization.

5. Use the following fields to enter information about the travel plan:

   1. Ticket - Select an existing ticket to update, otherwise a new ticket will be created in your PSA at the time of submission

   2. Users - Select the user or users who require a travel conditional access policy to be applied

   3. Destination Countries - Select the countries the user or users will be traveling to

   4. Departure Date - Enter the date and time the user or users will begin travel, which is when the conditional access policy will take effect

   5. Return Date - Enter the date and time the user or users will return from travel, which is when the conditional access policy will be removed

6. Click Submit.

Organization variables associated with this Crate

These variables are system-managed and must not be modified manually. All configuration should be done via the setup form unpacked with this Crate.

• traveling_employee_users_group: Reference to the traveling users group used for CA policy exclusions.

• traveling_employee_block_policies: References to baseline blocking CA policies from which traveling users are excluded during travel.

• traveling_employee_policy_tickets: Links travel-specific CA policies to tickets for automated updates throughout the travel lifecycl