In today's increasingly mobile and remote work environment, organizations are facing new challenges in securing access to their sensitive data and administrative portals. One of these challenges is the risk of token theft. Tokens are cryptographic keys that allow users to access applications and resources without having to repeatedly enter their passwords. If a token is stolen, attackers can use it to impersonate authorized users and gain access to sensitive data.
To address this risk, Microsoft Entra ID offers a feature called "Strictly Enforce Location Policies with Continuous Access Evaluation." This feature can help to prevent token theft by continuously evaluating the location of users and applications to ensure that they are in compliance with the organization's access policies.
As of this writing, the feature is still in preview and I recommend implementing it only after extensive testing and only for administrative access. More infos about the feature and it's support you'll find here: Continuous access evaluation strict location enforcement in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Table of Contents
- How Strictly Enforce Location Policies with Continuous Access Evaluation Works
- Benefits of Strictly Enforce Location Policies with Continuous Access Evaluation
- Recommendations for Implementing Strictly Enforce Location Policies with Continuous Access Evaluation
- Considerations for Users and Administrators
- Unlocking the Magic of Conditional Access Strict Location for Admin Portals
- Demo of Behavior
- Troubleshooting with Sign-in logs
- Conclusion
How Strictly Enforce Location Policies with Continuous Access Evaluation Works
When Strictly Enforce Location Policies with Continuous Access Evaluation is enabled, Microsoft Entra ID will continuously track the location of users and applications. This information is gathered from various sources, such as IP addresses, device IDs, and location services. If a user or application attempts to access resources from a location that is not permitted by the organization's access policy, Microsoft Entra ID will block the access attempt.
Benefits of Strictly Enforce Location Policies with Continuous Access Evaluation
There are several benefits to enabling Strictly Enforce Location Policies with Continuous Access Evaluation:
- Reduced risk of token theft: By continuously evaluating the location of users and applications, Microsoft Entra ID can help to prevent token theft by preventing attackers from using stolen tokens to access resources from unauthorized locations.
- Improved security posture: Strictly Enforce Location Policies with Continuous Access Evaluation can help to improve the overall security posture of the organization by preventing unauthorized access to sensitive data.
- Simplified compliance: By enforcing access policies based on location, organizations can simplify their compliance efforts by ensuring that users are only accessing resources from permitted locations.
Recommendations for Implementing Strictly Enforce Location Policies with Continuous Access Evaluation
Before enabling Strictly Enforce Location Policies with Continuous Access Evaluation, you should carefully consider your organization's needs and requirements. In particular, you should:
- Identify the locations from which your users will be accessing resources. This includes both on-premises and cloud-based resources.
- Create access policies that define which users are allowed to access resources from which locations. These policies should be based on your organization's risk tolerance and security requirements.
- Ensure that all IP addresses from which your users can access Microsoft Entra ID and resource providers are included in the IP-based named locations policy. Otherwise, you may accidentally block your users.
Considerations for Users and Administrators
Strictly Enforce Location Policies with Continuous Access Evaluation is a valuable feature that can help to improve the security of organizations. However, it is important to consider the specific needs of your users and administrators before implementing this feature. For example:
- For users who frequently travel or work from home, it may be more difficult to add all of the IP addresses from which they will be accessing resources. In these cases, it may be more appropriate to use a different authentication method, such as multi-factor authentication (MFA).
- For administrators, it is important to carefully manage the IP-based named locations policy to ensure that only authorized users are able to access resources from unauthorized locations. This will help to prevent accidental lockouts or unauthorized access.
Unlocking the Magic of Conditional Access Strict Location for Admin Portals
Strictly Enforcing Location Policies enhance secutity by immediately stops access to admin portals. If the IP address detected by the resource provider isn't allowed by your Conditional Access policy it will be blocked. Think of it as a virtual perimeter that guards your administrative data against unwanted intruders.
Location Enforcement Mode: This new enforcement mode is the most secure option for controlling access to admin portals, but it requires a deep understanding of network routing. It's recommended for those who want the highest level of protection for their administrative resources.
Now let's confugire a Conditional Access policy which secures the access to our admin portals:
Step 1 - Define and implemet your IP adresses
- First define from which IP adresses you want to allow access to you admin portals.
This can be a set of combinations of IP adresses, subnets and Countries. - Once you have your adresses togeter, add them in Entra > Identity > Conditional Access > Named locations:
- For this example I just added Switzerland as the country and nemed the location "CH"
Of cours for productive configuration xou should narrwo down the location as much as possible.
Step 2 - Configure a Conditional Access location-based policy for admin portal access
- Add a new Policy to your Conditional Access policies.
Mine looks like:
- In Users for testing porpusos I only added one. The endgoal should be "All Users".
- And very Importals ALWAYS exclude your "Break Glas Account(s)".
- As targeted ressoucres I choose "Microsoft Admin Portals".
- And in the condition I excluded Admin Access locations which I added in the step 1.
- For the Access controll I choose "Block access" so that ever access and change to a not predefined location is imediatily blocked.
- And lastly I enable the Session control under "Customize continuous access evaluation": Strictly enforce location policies
Before enabling strict location enforcement, create a Conditional Access policy tailored to your admin portals. Test it with a subset of administrators to avoid any discrepancies between allowed and actual IP addresses.
Demo of Behavior
In the following shot video, I showcase how a change of location triggers the policy immediately and not only if a token expires.
Troubleshooting with Sign-in logs
To investigate issues related to IP address mismatches for admin portal access, administrators can use the Sign-in logs:
- Sign in to the Microsoft Entra admin center.
- Browse to Identity > Monitoring & health > Sign-in logs.
- Use filters and columns to narrow down your search.
- Pay attention to the "IP address (seen by resource)" column, especially when it's different from the IP seen by Microsoft Entra ID.
Remember, the goal is to ensure that all IP addresses from which your administrators can access Entra ID and admin portals are included in their IP-based named locations. If not, strict location enforcement may have a negative impact on admin access.
Conclusion
Strictly Enforce Location Policies with Continuous Access Evaluation is a powerful feature that can help organizations to prevent token theft and improve their overall security posture. However, it is important to carefully consider the specific needs of your organization before implementing this feature. By doing so, you can ensure that you are maximizing the benefits of this feature while minimizing any potential risks.
