Microsoft released a preview of a continuous access evaluation (CAE) setting for the Entra ID Conditional Access service on Friday, which will enable organisations to enforce location policies for network access rigorously.
The CAE setting, “strictly enforce location policies,” terminates access in near real time when the IP address of a request does not match the location policy, such as when a stolen token is used from elsewhere. CAE, which Microsoft released commercially for Azure Active Directory (now called “Entra ID”) users last year, seeks to address the time lag between a client-side or service-provider-side change and its effect on access. CAE is designed to resolve potential security issues following events such as password changes and user location changes.
While CAE already takes location into account, the “strictly enforce location policies” setting appears to have no delay in barring access when a mismatch is detected. In the announcement, Alex Weinert, vice president of identity security at Microsoft, noted that it provides a “near real-time response.”
CAE-enabled applications such as Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events detected by the application, preventing stolen tokens from being replayed outside of the trusted network.
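As an added illustration (not Microsoft's code or a description of its internals), the following simplified Python model contrasts the two behaviours described above: a resource provider that tolerates a location mismatch until a revocation event arrives, versus one that strictly enforces location and denies the first mismatching request. The session, network ranges and IP addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    """State a resource provider keeps for one CAE-enabled session (constructed model)."""
    user: str
    trusted_networks: tuple   # named-location ranges the location policy allows
    revoked: bool = False     # set once the identity provider pushes a revocation event


def in_trusted_network(ip: str, networks) -> bool:
    """True if ip falls inside any of the allowed named-location ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def evaluate(session: Session, request_ip: str, strict_location: bool) -> str:
    """Decide 'allow' or 'deny' for one request presenting the session's token.

    Default mode (strict_location=False): a location mismatch alone is tolerated
    until a revocation event for the session arrives, the lag the article describes.
    Strict mode (strict_location=True): the first request from outside the trusted
    networks is denied without waiting for a revocation event.
    """
    if session.revoked:
        return "deny"
    if in_trusted_network(request_ip, session.trusted_networks):
        return "allow"
    return "deny" if strict_location else "allow"


def replay_timeline(strict_location: bool) -> list:
    """Constructed sequence: legitimate use, the token replayed from an untrusted
    address, then the revocation event finally landing at the resource provider."""
    session = Session(user="alice@example.test",
                      trusted_networks=("198.51.100.0/24",))  # corporate egress (constructed)
    decisions = [evaluate(session, "198.51.100.25", strict_location)]  # from the trusted network
    decisions.append(evaluate(session, "203.0.113.9", strict_location))  # replayed from outside
    session.revoked = True  # revocation event arrives after the lag
    decisions.append(evaluate(session, "203.0.113.9", strict_location))
    return decisions


if __name__ == "__main__":
    print("default:", replay_timeline(False))  # ['allow', 'allow', 'deny']
    print("strict: ", replay_timeline(True))   # ['allow', 'deny', 'deny']
```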
CAE’s “strictly enforce location policies” configuration may appear to be an ideal network security measure, but IT professionals must be highly cautious when configuring it. They must verify the setting to ensure end users are not accidentally blocked.