Last Updated on August 13, 2025 by Arnav Sharma
Microsoft released a preview of a continuous access evaluation (CAE) setting for the Entra ID Conditional Access service on Friday, which will enable organisations to enforce location policies for network access rigorously.
The CAE setting, “strictly enforce location policies,” enables near-real-time access termination when the IP address seen by the resource does not match the locations the policy allows, such as when a stolen token is used from elsewhere. CAE, which Microsoft released commercially for Azure Active Directory (now called “Entra ID”) users last year, seeks to address the time lag between a change in conditions on the client side or the service-provider side and its enforcement. CAE is designed to resolve potential security issues following events such as password changes and user location changes.
While CAE already takes location into account, the “strictly enforce location policies” setting appears to have no delay in barring access when a mismatch is detected. In the announcement, Alex Weinert, vice president of identity security at Microsoft, noted that it provides a “near real-time response.”
CAE-enabled applications such as Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events detected by the application, preventing stolen tokens from being replayed outside of the trusted network.
CAE’s “strictly enforce location policies” configuration may appear to be an ideal network security measure, but IT professionals must be highly cautious when configuring it. They must verify the setting to ensure end users are not accidentally blocked.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
Continuous Access Evaluation is a security feature in Entra ID that enables near-real-time access termination and token revocation in response to security events. It addresses time lags that occur when client-side or service-provider changes happen, such as password changes or user location changes, helping organizations respond quickly to potential security threats.
The 'strictly enforce location policies' setting enforces location-based access controls with near real-time response by terminating access when IP addresses don't match the user's expected location. This feature is particularly effective at preventing stolen tokens from being used outside of trusted networks, as it detects and blocks unauthorized access attempts almost immediately.
CAE-enabled applications include Exchange Online, SharePoint, Teams, and Microsoft Graph. These applications can revoke tokens in near real-time in response to network change events, providing enhanced security across Microsoft's productivity and collaboration platforms.
CAE helps prevent security issues caused by stolen tokens being used outside trusted networks and addresses vulnerabilities that arise from time delays in detecting user location changes or password modifications. By providing near-real-time access termination, it significantly reduces the window of opportunity for attackers to exploit compromised credentials.
IT professionals must carefully verify the 'strictly enforce location policies' setting to ensure that legitimate end users are not accidentally blocked from accessing resources. Due to the near-real-time enforcement nature of this feature, misconfiguration could disrupt productivity for employees with legitimate location variations.
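The verification step called for above (in the body of the article and again in this FAQ answer) can be rehearsed before the setting is switched on: take the trusted named locations a Conditional Access policy will allow, replay recent sign-in IPs against them, and list the users whose sessions would be cut off. The script below is an added example written for this page, not code from the article's author or from Microsoft. The named-location records are constructed placeholders shaped after the `isTrusted` / `ipRanges` / `cidrAddress` fields of Microsoft Graph's `ipNamedLocation` resource (treat those field names as an assumption to check against the Graph reference), the sign-in records are constructed rather than exported from a tenant, and the evaluation models only the network condition of a policy, not device, user or application conditions.

```python
import ipaddress
from collections import defaultdict

# Constructed trusted named locations, shaped like Graph ipNamedLocation
# objects (displayName, isTrusted, ipRanges[].cidrAddress). Placeholder
# values only; not the page's data and not any real tenant's ranges.
NAMED_LOCATIONS = [
    {"displayName": "HQ egress", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
    {"displayName": "Branch VPN", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "198.51.100.0/25"},
                  {"cidrAddress": "2001:db8:1::/48"}]},
    {"displayName": "Guest Wi-Fi", "isTrusted": False,   # not trusted: never matches
     "ipRanges": [{"cidrAddress": "192.0.2.0/24"}]},
]

# Constructed sign-in records. In a real review these come from the
# tenant's sign-in logs for the users the policy will cover.
SIGN_INS = [
    {"user": "alice@example.com", "ipAddress": "203.0.113.17"},
    {"user": "alice@example.com", "ipAddress": "203.0.113.200"},
    {"user": "bob@example.com",   "ipAddress": "198.51.100.9"},
    {"user": "bob@example.com",   "ipAddress": "192.0.2.44"},    # guest Wi-Fi, untrusted
    {"user": "carol@example.com", "ipAddress": "2001:db8:1::42"},
    {"user": "dave@example.com",  "ipAddress": "not-an-ip"},     # malformed log entry
]


def build_trusted_networks(locations):
    """Flatten trusted named locations into (display name, ip_network) pairs."""
    nets = []
    for loc in locations:
        if not loc.get("isTrusted"):
            continue
        for r in loc.get("ipRanges", []):
            nets.append((loc["displayName"],
                         ipaddress.ip_network(r["cidrAddress"], strict=False)))
    return nets


def match_location(ip_str, trusted_nets):
    """Return the trusted location containing ip_str, or None.

    A malformed address is treated as untrusted instead of raising, so one
    bad log line does not abort the whole review."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for name, net in trusted_nets:
        if ip.version == net.version and ip in net:
            return name
    return None


def simulate_strict_location(sign_ins, locations):
    """Classify each sign-in as allowed or blocked by a trusted-location-only
    network condition and summarise the outcome per user."""
    nets = build_trusted_networks(locations)
    per_user = defaultdict(lambda: {"allowed": 0, "blocked": 0, "blocked_ips": []})
    for s in sign_ins:
        summary = per_user[s["user"]]
        if match_location(s["ipAddress"], nets) is None:
            summary["blocked"] += 1
            summary["blocked_ips"].append(s["ipAddress"])
        else:
            summary["allowed"] += 1
    return dict(per_user)


def users_at_risk(summary):
    """Users with at least one recent sign-in that strict enforcement would cut off."""
    return sorted(u for u, v in summary.items() if v["blocked"] > 0)


if __name__ == "__main__":
    result = simulate_strict_location(SIGN_INS, NAMED_LOCATIONS)
    for user, v in sorted(result.items()):
        print(f"{user}: allowed={v['allowed']} blocked={v['blocked']} {v['blocked_ips']}")
    print("review before enabling strict enforcement:", users_at_risk(result))
```

Run against real sign-in data, the list printed last is the set of users to contact or the set of egress ranges missing from the named locations; either way it is resolved before the near-real-time enforcement makes the gap visible to end users.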