Greetings! At the recent Microsoft Secure event, we provided an early look at a new feature of conditional access which lets you strictly enforce location policies with continuous access evaluation (CAE), allowing you to rapidly invalidate tokens which violate your IP-based location policies. Today, we’re delighted to announce this feature is in public preview.
Previously, in the event of an access token theft, attackers could take advantage of the refresh interval to replay the token, regardless of whether it fell outside the location range permitted by a conditional access policy. With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app – preventing stolen tokens from being replayed outside the trusted network.
When a strictly enforced location policy is triggered for a client’s request, CAE blocks that client’s access to the resource.
Here’s a brief overview of how you can enable this capability:
Enabling Strict Location Enforcement:
Before turning on strictly enforce location policies in CA, you must ensure that all IP addresses from which your users can access Microsoft Entra ID and resource providers are included in the IP-based named locations policy. Otherwise, you may accidentally block your users. You can use the CAE Workbook or Sign-in logs to determine which IP addresses are seen by CAE resource providers.
First, note that the Sign-in logs distinguish the column “IP address (seen by Azure)” from the column “IP address (seen by resource)”.
While troubleshooting and testing your strictly enforce location policies configuration, use the filter “IP (seen by resource)” to find scenarios where strictly enforce location policies could be blocking users because the IP seen by the CAE resource provider is not in an allowed named location.
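The pre-flight check described above, as an added example that is not part of the original post or any Microsoft tooling: it takes exported sign-in records and the tenant’s named-location ranges and reports which resource-seen IPs would fall outside every trusted range once strict enforcement is on. The sign-in records, the named-location CIDRs and the field names `ip_azure` / `ip_resource` are constructed here and stand in for the two IP columns of the Sign-in logs.

```python
import ipaddress

# Constructed stand-in for the tenant's IP-based named locations (name -> CIDR list).
NAMED_LOCATIONS = {
    "HQ": ["203.0.113.0/24"],
    "Branch": ["198.51.100.0/25"],
}

# Constructed sign-in records. Assumed field names: 'ip_azure' mirrors the
# "IP address (seen by Azure)" column, 'ip_resource' the "IP address (seen by resource)" column.
SIGN_INS = [
    {"user": "alice", "app": "Exchange Online", "ip_azure": "203.0.113.10", "ip_resource": "203.0.113.10"},
    # Same user network reaches Entra ID via HQ but egresses to the resource from an untrusted address.
    {"user": "bob", "app": "SharePoint", "ip_azure": "203.0.113.22", "ip_resource": "198.51.100.200"},
    # The resource provider reported no IP for this sign-in, so it cannot be verified.
    {"user": "carol", "app": "Microsoft Graph", "ip_azure": "198.51.100.5", "ip_resource": None},
]


def build_networks(locations):
    """Flatten the named-location map into ip_network objects."""
    return [ipaddress.ip_network(cidr) for ranges in locations.values() for cidr in ranges]


def is_trusted(ip, networks):
    """True when the address falls inside at least one named-location range."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_would_block(sign_ins, locations):
    """Split sign-ins into those the resource-seen IP would block and those with no resource IP.

    Only the resource-seen IP is evaluated: a trusted Azure-seen IP does not help if the
    CAE resource provider observes the client from a different, untrusted address.
    """
    nets = build_networks(locations)
    result = {"would_block": [], "no_resource_ip": []}
    for record in sign_ins:
        seen = record["ip_resource"]
        if seen is None:
            result["no_resource_ip"].append(record)
        elif not is_trusted(seen, nets):
            result["would_block"].append(record)
    return result


if __name__ == "__main__":
    report = find_would_block(SIGN_INS, NAMED_LOCATIONS)
    for r in report["would_block"]:
        print(f"WOULD BLOCK: {r['user']} on {r['app']} from resource-seen IP {r['ip_resource']}")
    for r in report["no_resource_ip"]:
        print(f"UNVERIFIED: {r['user']} on {r['app']} (no resource-seen IP recorded)")
```

Records in `would_block` point at ranges to add to a named location (or at egress paths to investigate) before enabling strict enforcement; records in `no_resource_ip` show where log coverage is still incomplete.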
Strictly enforce location policies is a step forward for session management. As you enable this feature, use the CAE Workbook and Sign-in logs to identify the safe and trusted IP addresses from which your users access Microsoft Entra ID and resource providers, and include them in your named locations so that you avoid unintentional blocks.