Microsoft Entra ID Introduces Strict Location Enforcement To Block Stolen Token Access

Cloud Computing

Microsoft has released a public preview of a new continuous access evaluation (CAE) setting for the Entra ID Conditional Access service. The new feature enables IT admins to strictly enforce location policies for network access in enterprise environments.

Continuous Access Evaluation is a mechanism that offers real-time evaluation of Conditional Access policies for certain apps. The feature allows apps (like Exchange Online, SharePoint Online, and Microsoft Teams) to learn about changes in user accounts in almost real-time. This capability could be useful in situations when a user account has been disabled, network location changes, or password changes.

How does strict location enforcement work?

The new strictly enforce location policies mode allows Entra ID (formerly Azure AD) customers to block client’s access to a resource if the IP address doesn’t match based on location. It’s designed to block sophisticated cyberattacks that could happen with a stolen token.

“With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app – preventing stolen tokens from being replayed outside the trusted network,” said Alex Weinert, Vice President of Identity Security at Microsoft.

Microsoft Entra ID Introduces Strict Location Enforcement To Block Stolen Token Access

Microsoft notes that the strictly enforce location policies are the most secure, but they require well-understood network paths. The company urges IT admins to test the setting in order to ensure it doesn’t inadvertently block end users.

“This option is the highest security modality of CAE location enforcement, and requires that administrators understand the routing of authentication and access requests in their network environment,” Microsoft explained in a support page.

Enterprise admins will need to include all IP addresses that will be used to access Microsoft Entra ID in the IP-based named locations policy. The company recommends administrators to use the CAE Workbook and Sign-in logs to identify the IP addresses seen by CAE resource providers. You can learn more about how to configure strictly enforced location policies on this support page.