This rule will help secure your environment from foreign countries that your business does not operate in.

Create a Conditional Access policy.
Under locations, specify which countries you operate in.
Check the box for “Include unknown areas”. The reason for this is that Microsoft does not detect the location from IPv6 (yet) so this will allow them. Attacks carried out via IPv6 are much more rare. In “Named Locations” you can opt into the preview which allows you to whitelist IPv6 ranges. You would likely have to contact your company’s mobile provider for their ranges if you use this.
Under policy rules, set access controls to “Block”, Include all, Exclude your locations.

When team members travel out of country, have them notify IT so you can create an exclusion under “Users and groups”.