Public Preview: Strictly Enforce Location Policies with Continuous Access Evaluation

By July 28, 2023AzureAD

Greetings! At the recent Microsoft Secure event, we provided an early look at a new feature of conditional access which lets you strictly enforce location policies with continuous access evaluation (CAE), allowing you to rapidly invalidate tokens which violate your IP based location policies. Today, we’re delighted to announce this feature is in public preview.  

 

Previously, in the event of an access token theft, attackers could take advantage of the refresh interval to replay the token, regardless of whether it fell outside the location range permitted by a conditional access policy. With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app – preventing stolen tokens from being replayed outside the trusted network.  

 

When a client’s access to a resource is blocked due to CAE’s strictly enforce location policies being triggered, the client will be blocked. 

 

 

sdriggers_0-1690302306956.png

 

 

 

Here’s a brief overview of how you can enable this capability 

 

Enabling Strict Location Enforcement:

 

sdriggers_1-1690302306965.png

 

 

 

Before turning on strictly enforce location policies in CA you must ensure that all IP addresses from which your users can access Microsoft Entra ID and resource providers are included in the IP-based named locations policy. Otherwise, you may accidentally block your users. You can use the CAE Workbook or Sign-in logs to determine which IP addresses are seen by CAE resource providers.  

 

CAE Workbook:

 

sdriggers_2-1690302306969.png

 

 

Sign-in Logs:

 

First, notice that the column “IP address” refers to “IP (seen by Azure)” versus “IP address (seen by resource).First, notice that the column “IP address” refers to “IP (seen by Azure)” versus “IP address (seen by resource).

 

While troubleshooting and testing how to configure your strictly enforce location policies, use the filter “IP (seen by resource)” to find scenarios where strictly enforce location policies could be blocking users with an unallowed IP seen by the CAE resource provider. 

 

Strictly enforce location policies is a step forward for session management. As you enable this feature, carefully consider including safe and trusted IP addresses from which your users access Microsoft Entra ID and resource providers to avoid unintentional blocks by leveraging the CAE Workbook and Sign-in logs for precise configuration. 

 

Alex Weinert (@Alex_T_Weinert  

VP Director of Identity Security, Microsoft      

 

Read more about Strict Location Policies and Continuous Access Evaluation: 

 

Learn more about Microsoft Entra: 




Source link

Share this post via

Leave a Reply