At Virtuas, we always look for ways to help our clients improve their security posture and protect their sensitive data. One of the challenges our clients face is preventing unauthorized access to cloud resources from stolen or compromised tokens. A solution to this challenge is a new feature of Microsoft Entra ID that is currently in public preview. Microsoft Entra ID enables organizations to enforce location policies strictly with Continuous Access Evaluation.
What is Continuous Access Evaluation and Why do Organizations Need it?
Continuous Access Evaluation is a mechanism that offers real-time evaluation of Conditional Access policies for certain apps, such as Exchange Online, SharePoint, Teams, and Microsoft Graph. Continuous Access Evaluation enables these apps to revoke tokens in near real-time in response to network change events noticed by the app, such as IP address changes, device state changes, or user risk changes.
This means that if an attacker steals a token from a legitimate user and tries to use it from a different location, the app will detect the location change and block the access, preventing data leakage or compromise.
However, Continuous Access Evaluation has a limitation: it only works for apps supporting it. For apps that don’t support Continuous Access Evaluation, such as legacy or third-party apps, the token will still be valid until it expires or is revoked by Azure AD. This creates a window of opportunity for attackers to exploit the token and access resources that are not protected by Continuous Access Evaluation. That’s where Strictly Enforce Location Policies comes in.
What is Strictly Enforce Location Policies and How Does it Work?
Strictly Enforce Location Policies is a new enforcement mode for Continuous Access Evaluation used in Conditional Access policies. This new mode provides protection for resources, immediately stopping access if the IP address detected by the resource provider isn’t allowed by Conditional Access policy.
This option is the highest security modality of Continuous Access Evaluation location enforcement and requires that administrators understand the routing of authentication and access requests in their network environment.
When organizations enable Strictly Enforce Location Policies, they must ensure that all IP addresses from which the users can access Microsoft Entra ID and resource providers are included in the IP-based named locations policy. Otherwise, a user might accidentally be blocked.
Organizations can use the Continuous Access Evaluation Workbook or Sign-in logs to determine which IP addresses are seen by Continuous Access Evaluation resource providers and configure policies accordingly.
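The pre-deployment check described above, as an added example that is not part of the original post or of Microsoft's tooling: it compares IPs observed in sign-in logs or the workbook against the tenant's IP-based named-location ranges and reports every address that strict enforcement would block. The CIDR ranges and sign-in records are constructed sample data, and the "entra_id" / "resource_provider" source labels are an assumption used to flag the split-tunnel case where the resource provider sees a different egress IP than Microsoft Entra ID.

```python
# Added example (not from the Virtuas post): pre-deployment check for CAE
# "Strictly Enforce Location Policies". Named-location ranges and sign-in
# records below are constructed sample data, not exported from a real tenant.
import ipaddress
from collections import defaultdict

# CIDRs from the tenant's IP-based named locations (constructed).
NAMED_LOCATION_RANGES = [
    "203.0.113.0/24",      # HQ egress
    "198.51.100.10/32",    # branch firewall
    "2001:db8:1::/48",     # IPv6 range of the same HQ
]

# IPs observed in sign-in logs / the CAE workbook, as (user, ip, source);
# source (an assumed label) records whether Entra ID or a resource provider saw it.
OBSERVED_SIGNINS = [
    ("alice@example.com", "203.0.113.45", "entra_id"),
    ("alice@example.com", "203.0.113.45", "resource_provider"),
    ("bob@example.com", "198.51.100.10", "entra_id"),
    # split tunnel: authenticated via HQ, but Exchange sees the home IP
    ("bob@example.com", "192.0.2.77", "resource_provider"),
    ("carol@example.com", "2001:db8:1::beef", "resource_provider"),
    ("dave@example.com", "not-an-ip", "entra_id"),
]

def parse_ranges(cidrs):
    """Parse CIDR strings once; strict=False tolerates host bits set in the input."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def is_allowed(ip, networks):
    """True if ip falls inside any named-location range (v4 never matches a v6 range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)

def find_uncovered(signins, cidrs):
    """Map each IP not covered by a named location to the (user, source) pairs that
    strict enforcement would block. Unparseable values are collected under the key
    'invalid' as (user, raw value) so they are investigated, not silently skipped."""
    networks = parse_ranges(cidrs)
    uncovered = defaultdict(set)
    for user, ip, source in signins:
        try:
            allowed = is_allowed(ip, networks)
        except ValueError:
            uncovered["invalid"].add((user, ip))
            continue
        if not allowed:
            uncovered[ip].add((user, source))
    return dict(uncovered)

if __name__ == "__main__":
    for ip, hits in find_uncovered(OBSERVED_SIGNINS, NAMED_LOCATION_RANGES).items():
        print(f"{ip}: would be blocked for {sorted(hits)}")
```

Any IP the check reports must be added to a named location (or the traffic routed through a listed egress) before the strict mode is switched on.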
How Can Organizations Benefit from Strictly Enforce Location Policies?
By using Strictly Enforce Location Policies, organizations can achieve the following benefits:
- Reduce the risk of token theft and replay attacks by enforcing location policies at the resource level. This prevents an attacker from accessing sensitive data or performing malicious actions on behalf of the user. It also reduces reliance on token expiration or revocation, because the token stops working as soon as it is used from a location the policy does not allow.
- Enhance security posture by applying the principle of least privilege and granting access only from trusted locations. This means that organizations can limit the exposure of their cloud resources to only the locations that are necessary for their business operations. This minimizes the attack surface and reduces the chances of data breaches or unauthorized access. This also helps organizations comply with regulatory or contractual obligations that may require them to restrict data access based on location.
- Simplify compliance requirements by ensuring that data is accessed only from authorized locations. This means that organizations can easily demonstrate that they have implemented adequate controls to protect their data from unauthorized access based on location. This can help them avoid fines, penalties, or reputational damage that may result from failing to comply with data protection laws or standards. This can also help them gain trust and confidence from their customers, partners, and stakeholders that their data is secure and well-managed.
Strictly Enforce Location Policies is a powerful feature that can help organizations protect their cloud resources from unauthorized access. By using this feature in combination with Continuous Access Evaluation, businesses can achieve a high level of security and compliance.
However, this feature also requires careful planning and testing before deployment. Organizations must ensure that all authentication traffic towards Azure AD and access traffic to resource providers are from dedicated egress IPs that are known and allowed by policies.
Organizations that need assistance or guidance on how to implement this feature can contact Virtuas.