Microsoft Previews Strict Location Enforcement To Thwart Stolen Token Access
The continuous access evaluation preview aims to address token theft attacks in near real time.
Microsoft on Friday announced a preview of a continuous access evaluation (CAE) setting for the Entra ID Conditional Access service that will let organizations strictly enforce location policies for network access.
The CAE setting, called "strictly enforce location policies," enables a near real-time access shutdown when the IP address presenting a token doesn't match the location policy, as might happen with a stolen token. CAE itself, which Microsoft commercially released last year for Azure Active Directory (now called "Entra ID") users, aims to close the time lag between a change on the client side or the service provider side and its enforcement, so that security-relevant events such as password changes and user location changes take effect promptly.
While CAE already takes location into account, the "strictly enforce location policies" setting doesn't appear to have a time lag at all for blocking access when a location mismatch gets detected. It provides a near "real-time response," noted Alex Weinert, vice president of identity security at Microsoft, in the announcement:
With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app -- preventing stolen tokens from being replayed outside the trusted network.
However, while the "strictly enforce location policies" setting for CAE seems like an ideal network security protection, IT pros have to be cautious about setting it up. They have to test the setting to ensure it doesn't inadvertently block end users.
Microsoft offered lots of caveats about using the setting, which offers the highest CAE enforcement. Here's how Microsoft's document on the preview described it:
This option is the highest security modality of CAE location enforcement, and requires that administrators understand the routing of authentication and access requests in their network environment.
Weinert noted that IT pros wanting to use this setting first need to ensure that "all IP addresses from which your users can access Microsoft Entra ID and resource providers are included in the IP-based named locations policy." If that's not the case, then "you may accidentally block your users," he added.
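The check Weinert describes, verifying that every IP address users sign in from falls inside an IP-based named location before turning on strict enforcement, can be rehearsed offline. The script below is an added example, not code from the article or from Microsoft: it takes a constructed set of named-location CIDR ranges and a constructed list of sign-in events (in a real tenant these would be exported from the named-location definitions and the sign-in logs) and reports which source IPs would fall outside every named location, and therefore which users strict enforcement would lock out. Both the ranges and the sign-ins are hypothetical values chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of IP-based named locations (hypothetical CIDR ranges).
NAMED_LOCATIONS = {
    "HQ-Office": ["203.0.113.0/24"],
    "VPN-Egress": ["198.51.100.8/29"],
}

# Constructed sample of sign-in events: (user, source IP, resource accessed).
SIGN_INS = [
    ("alice", "203.0.113.45", "Exchange Online"),
    ("bob", "198.51.100.10", "SharePoint"),
    ("carol", "192.0.2.77", "Microsoft Graph"),    # not in any named location
    ("alice", "203.0.113.200", "Teams"),
    ("dave", "198.51.100.20", "Exchange Online"),  # just outside the /29 VPN range
]


def build_networks(named_locations):
    """Parse every CIDR in the named-location map into (name, ip_network) pairs.

    strict=True rejects ranges with host bits set, which catches typos such as
    198.51.100.10/29 that would otherwise silently widen the trusted range.
    """
    nets = []
    for name, cidrs in named_locations.items():
        for cidr in cidrs:
            nets.append((name, ipaddress.ip_network(cidr, strict=True)))
    return nets


def classify_ip(ip, nets):
    """Return the name of the first named location containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in nets:
        if addr in net:
            return name
    return None


def audit_sign_ins(sign_ins, named_locations):
    """Split sign-ins into those covered by a named location and those that are not.

    Returns (covered, uncovered): covered is a list of
    (user, ip, location_name, resource); uncovered maps each unmatched IP to the
    set of users seen signing in from it, i.e. who strict enforcement would block.
    """
    nets = build_networks(named_locations)
    covered = []
    uncovered = defaultdict(set)
    for user, ip, resource in sign_ins:
        location = classify_ip(ip, nets)
        if location is None:
            uncovered[ip].add(user)
        else:
            covered.append((user, ip, location, resource))
    return covered, dict(uncovered)


def is_safe_to_enforce(sign_ins, named_locations):
    """True only when every observed sign-in IP is inside some named location."""
    _, uncovered = audit_sign_ins(sign_ins, named_locations)
    return not uncovered


if __name__ == "__main__":
    covered, uncovered = audit_sign_ins(SIGN_INS, NAMED_LOCATIONS)
    print(f"{len(covered)} sign-ins covered by named locations")
    for ip, users in sorted(uncovered.items()):
        print(f"NOT COVERED: {ip} used by {', '.join(sorted(users))}")
    if is_safe_to_enforce(SIGN_INS, NAMED_LOCATIONS):
        print("All observed source IPs are inside named locations.")
    else:
        print("Add the missing ranges before enabling strict enforcement.")
```

Running it against the constructed data flags 192.0.2.77 (carol) and 198.51.100.20 (dave) as uncovered, so strict enforcement should not be enabled until those ranges are either added to a named location or confirmed to be untrusted.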
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.