At the recent Microsoft Secure event, we provided an early look at a new Conditional Access feature that lets you strictly enforce location policies with continuous access evaluation (CAE), so that tokens which violate your IP-based location policies are rapidly invalidated. Today, we're delighted to announce that this feature is in public preview.
Previously, an attacker who stole an access token could replay it until the token was refreshed or expired, even from an IP address outside the range permitted by a Conditional Access policy, because the location condition was only evaluated when the token was issued or refreshed. With strict location enforcement and CAE, CAE-enabled applications such as Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real time in response to network change events the app observes, preventing a stolen token from being replayed from outside the trusted network.
When a strictly enforced location policy is triggered through CAE, the resource rejects the client's request instead of serving it, and the client cannot continue using that token from the untrusted location.
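The exchange described above, as an added, deliberately simplified model written for this page; it is not Microsoft's implementation or code from the original post. It assumes constructed named locations (`TRUSTED_LOCATIONS`), a constructed access token carrying the documented `xms_cc` client-capability claim to mark it as CAE-capable, and a placeholder nonce in the claims challenge; the `WWW-Authenticate` header shape follows the documented CAE claims-challenge format, everything else is illustrative.

```python
"""Model of CAE strict location enforcement: resource-side check, claims
challenge, and identity-provider re-evaluation against the client's current IP.
Constructed example; not Microsoft's code."""
import base64
import ipaddress
import json
import re
from typing import Optional

# Constructed named locations standing in for the IP ranges an admin marks as
# trusted in a Conditional Access location policy.
TRUSTED_LOCATIONS = {
    "Corp HQ": ["203.0.113.0/24"],
    "Branch VPN": ["198.51.100.0/25"],
}

# Constructed decoded JWT claims. xms_cc ["CP1"] is the documented way a client
# signals CAE support; the other claims are placeholders.
SAMPLE_TOKEN = {"sub": "alice@example.test", "exp": 2000, "xms_cc": ["CP1"]}


def in_trusted_location(client_ip: str) -> bool:
    """True if client_ip falls inside any trusted named location."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        addr in ipaddress.ip_network(cidr)
        for cidrs in TRUSTED_LOCATIONS.values()
        for cidr in cidrs
    )


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def evaluate_request(token: dict, client_ip: str, now: int, strict_location: bool = True) -> dict:
    """Resource-side check on a request bearing the decoded claims of an access token.

    Without strict location enforcement (or for a token from a non-CAE client) the
    token is honoured until it expires, whatever the source IP: the replay window the
    post describes. With it, a CAE-capable token presented from outside the trusted
    ranges is rejected before expiry with a claims challenge.
    """
    if now >= token["exp"]:
        return {"status": 401, "www_authenticate": 'Bearer error="invalid_token"'}
    cae_capable = "cp1" in [c.lower() for c in token.get("xms_cc", [])]
    if strict_location and cae_capable and not in_trusted_location(client_ip):
        # Modelled on the documented CAE claims challenge: WWW-Authenticate with a
        # base64url(JSON) "claims" parameter. The nonce value here is a placeholder.
        challenge = {"access_token": {"nonce": {"essential": True, "value": str(now)}}}
        header = (
            'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
            f'error="insufficient_claims", claims="{_b64url(json.dumps(challenge).encode())}"'
        )
        return {"status": 401, "www_authenticate": header}
    return {"status": 200}


def parse_claims_challenge(www_authenticate: str) -> Optional[dict]:
    """Client-side: extract and decode the claims parameter, or None if absent."""
    match = re.search(r'claims="([^"]+)"', www_authenticate)
    if not match:
        return None
    return json.loads(_b64url_decode(match.group(1)))


def reacquire_token(old_token: dict, client_ip: str, now: int, lifetime: int = 3600) -> Optional[dict]:
    """Identity-provider side: re-evaluate the location policy against the client's
    current IP before issuing a replacement token. Returning None is what stops a
    stolen token from being laundered into a fresh one from outside the network."""
    if not in_trusted_location(client_ip):
        return None
    return {**old_token, "iat": now, "exp": now + lifetime}


if __name__ == "__main__":
    # Walk through one replay attempt from an untrusted address (192.0.2.5).
    response = evaluate_request(SAMPLE_TOKEN, "192.0.2.5", now=1000)
    print(response["status"], parse_claims_challenge(response["www_authenticate"]))
    print(reacquire_token(SAMPLE_TOKEN, "192.0.2.5", now=1000))  # None: blocked
```

The point to take from the model is that the block happens twice: the resource refuses the token it has already been given, and the identity provider refuses to mint a replacement for the same client from the untrusted address, so a token copied off a compromised device buys the attacker nothing once the policy is strictly enforced.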