Banned Location Conditional Access in Entra using CAE



Note as of 30/06/24: It looks like CAE for countries has been deprecated, so you will not get the full protections described here!

If you're already enforcing banned-location Conditional Access in Entra, you should in theory be able to take this one step further with Continuous Access Evaluation (CAE).

The MS docs say not to use country locations for this; however, I couldn't resist trying it for myself:



The result is truly impressive, hence why I want to share my findings. (The reason it is not recommended is a possible mismatch after the IANA IP blocks are refreshed. That is very rare, and it is a risk you already take with a banned-country named location anyway.)

Why CAE?

OAuth access tokens do not talk back to Entra: the resource checks the signature and expiry of the token it is handed, nothing more. A token therefore remains valid up to the point of expiry, even if the user who requested it has been disabled in Entra in the meantime. This makes token theft a very interesting attack vector.

Imagine a user is compromised and the attacker has signed in with their credentials. Even if we reset the user's password and revoke their refresh tokens, the attacker's access token remains valid until it expires (roughly 60 minutes by default; Entra issues access tokens with a random lifetime of 60 to 90 minutes). In the worst case that is the best part of an hour in which to cause damage.

Enter CAE, which attempts to remedy this by re-evaluating access when near real-time (NRT) events occur, such as:

  • Password Change
  • User Risk Change
  • Account Disabled
  • MFA Enabled
  • Refresh Token Revoked

CAE can also react to IP address changes, i.e. potential token theft. If your organization has a dedicated IP range defined as a named location in Entra, then, once strict location enforcement is configured, any CAE-capable application (client and resource) will reject a token presented from outside that IP range. This is the recommended way of configuring location enforcement with CAE.

Note that CAE tokens last up to 28 hours rather than the (average) 60 minutes, but only if Entra deems the conditions tight enough. Otherwise CAE falls back to the standard 60-minute average. That fallback is actually an advantage: if an attacker compromises a 28-hour token and stays undetected, so that no NRT event ever fires, they have a far longer session, and the benefit of NRT re-evaluation is rendered pointless.

CAE only works for supported applications and supported clients. The list of CAE-compliant apps can be found at: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#conditional-access-policy-evaluation

Applying CAE to Banned Location Policy

CAE is on by default for compliant apps for near real-time events (password change, account disabled, and so on) and can be opted out of via Conditional Access:

However, to enforce locations with CAE you must enable the feature explicitly.

Within your banned-location policy, under Session controls, choose Customize continuous access evaluation and select "Strictly enforce location policies".

The policy will continue to work as normal for non-CAE-compliant apps; see below an attempt to sign in to the Azure portal from an unapproved location:

In my demo environment I've been more restrictive and block sign-ins from all non-approved countries rather than banning specific locations:
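As an added example (not part of the original post), here is a small Python audit that checks an export of Conditional Access policies for the two points above: whether a location-block policy actually has strict CAE location enforcement turned on, and whether it references country named locations, which Microsoft does not support for strict enforcement. The policy and named-location shapes follow the Microsoft Graph conditionalAccessPolicy and namedLocation schema as I know it; the `sessionControls.continuousAccessEvaluation.mode` value `strictLocation` is an assumption taken from the beta API, so check it against your tenant's export. Every policy and location in the script is constructed sample data.

```python
# Audit Conditional Access policies for location blocks and their CAE mode.
# Graph field names are as I know them (sessionControls.continuousAccessEvaluation
# is a beta-endpoint property); the data below is constructed, not from a tenant.

COUNTRY_LOCATION = "#microsoft.graph.countryNamedLocation"
IP_LOCATION = "#microsoft.graph.ipNamedLocation"
STRICT_LOCATION = "strictLocation"  # assumed enum value for "Strictly enforce location policies"

# Constructed named locations; IDs, names, countries and ranges are made up.
NAMED_LOCATIONS = [
    {"id": "loc-corp", "@odata.type": IP_LOCATION, "displayName": "Corporate egress",
     "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}]},
    {"id": "loc-approved", "@odata.type": COUNTRY_LOCATION, "displayName": "Approved countries",
     "countriesAndRegions": ["GB"], "includeUnknownCountriesAndRegions": False},
    {"id": "loc-banned", "@odata.type": COUNTRY_LOCATION, "displayName": "Banned countries",
     "countriesAndRegions": ["AQ"], "includeUnknownCountriesAndRegions": True},
]


def location_block_policy(name, include, exclude, cae_mode=None, state="enabled"):
    """Build a minimal block-by-location policy in Graph shape (helper for the samples)."""
    policy = {
        "displayName": name,
        "state": state,
        "conditions": {"locations": {"includeLocations": include, "excludeLocations": exclude}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        "sessionControls": {},
    }
    if cae_mode:
        policy["sessionControls"]["continuousAccessEvaluation"] = {"mode": cae_mode}
    return policy


# Constructed policies: the weak settings next to the recommended one.
SAMPLE_POLICIES = [
    location_block_policy("Block banned countries", ["loc-banned"], []),
    location_block_policy("Block outside approved countries", ["All"], ["loc-approved"], STRICT_LOCATION),
    location_block_policy("Block outside corporate egress", ["All"], ["loc-corp"], STRICT_LOCATION),
    location_block_policy("Block banned countries (report-only)", ["loc-banned"], [], STRICT_LOCATION,
                          state="enabledForReportingButNotEnforced"),
]


def referenced_location_ids(policy):
    """Named-location IDs the policy uses, ignoring the built-in All / AllTrusted values."""
    locs = (policy.get("conditions") or {}).get("locations") or {}
    ids = locs.get("includeLocations", []) + locs.get("excludeLocations", [])
    return [i for i in ids if i not in ("All", "AllTrusted")]


def is_location_block(policy):
    """True for a policy that blocks and has a location condition (the ones in scope here)."""
    blocks = "block" in (policy.get("grantControls") or {}).get("builtInControls", [])
    return blocks and bool((policy.get("conditions") or {}).get("locations"))


def audit_policy(policy, locations_by_id):
    """Findings for one policy; an empty list means strict CAE location enforcement
    is on and every referenced location is an IP-range named location."""
    findings = []
    if not is_location_block(policy):
        return findings
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')}: nothing is enforced")
    mode = ((policy.get("sessionControls") or {}).get("continuousAccessEvaluation") or {}).get("mode")
    if mode != STRICT_LOCATION:
        findings.append("CAE strict location enforcement is off: tokens already issued stay "
                        "valid from a banned location until they expire")
        return findings
    for loc_id in referenced_location_ids(policy):
        loc = locations_by_id.get(loc_id)
        if loc is None:
            findings.append(f"references unknown named location {loc_id}")
        elif loc["@odata.type"] == COUNTRY_LOCATION:
            findings.append(f"strict location enforcement with country location "
                            f"'{loc['displayName']}' is unsupported; expect normal (non-strict) CAE behaviour")
    return findings


def audit(policies, named_locations):
    """Map each policy displayName to its findings."""
    by_id = {loc["id"]: loc for loc in named_locations}
    return {p["displayName"]: audit_policy(p, by_id) for p in policies}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES, NAMED_LOCATIONS).items():
        print(name, "->", findings or ["OK"])
```

To run it against a real tenant, replace the two sample lists with the `value` arrays returned by `GET https://graph.microsoft.com/beta/identity/conditionalAccess/policies` and `GET https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations`. A policy with no findings is the IP-range configuration Microsoft recommends; the country-location finding is exactly the unsupported case this article experiments with.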


Demo time

For the purposes of this demo I'll just be getting an Outlook token from an approved location; Outlook is a supported CAE application. Initially I was going to try PowerShell, but when I checked the expiry time of the token it showed that CAE is not fully supported: the application (PowerShell) advertises support, but the token does not follow the 28-hour lifetime. This is because we have chosen to enforce by country rather than by IP range. It is actually a good thing that the extended token lifetime is not granted unless the strict conditions are met.

I can also pipe this straight into Set-Clipboard and decode it with jwt.ms.
The expiry time (UNIX) is much lower than 28 hours, so this token is not fully CAE compliant.
The cp1 value under xms_cc shows that the application supports the CAE claims challenge.
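The decode-and-inspect step from the captions above, as an added Python example (not the author's script; his procedure was PowerShell plus jwt.ms): it reads the payload of a compact JWT without verifying it, computes the lifetime from `iat` and `exp`, looks for cp1 in `xms_cc`, and classifies the token the way the "Why CAE?" section describes. The three sample tokens are constructed, unsigned (alg=none) stand-ins for real Entra tokens, and the 90-minute cut-off used to tell a standard lifetime from a CAE one is my own threshold.

```python
import base64
import json

# Classification thresholds. Entra issues standard access tokens with a random
# 60-90 minute lifetime; CAE-capable resources get tokens of up to 28 hours.
# Treating anything over 90 minutes as "CAE-length" is my own assumption.
STANDARD_MAX_LIFETIME = 90 * 60
CAE_LIFETIME = 28 * 60 * 60


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: this is offline
    inspection of a token you already hold, the same thing jwt.ms does."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def assess_cae(claims: dict) -> dict:
    """Classify a token from its lifetime (exp - iat) and the cp1 client capability."""
    lifetime = int(claims["exp"]) - int(claims["iat"])
    capabilities = [c.lower() for c in claims.get("xms_cc", [])]
    client_cae = "cp1" in capabilities
    long_lived = lifetime > STANDARD_MAX_LIFETIME
    if client_cae and long_lived:
        verdict = "cae"          # client advertises cp1 and resource issued a CAE-length token
    elif client_cae:
        verdict = "client-only"  # client advertises cp1, but the token has a standard lifetime
    else:
        verdict = "none"         # client cannot handle a claims challenge at all
    return {"lifetime_hours": round(lifetime / 3600, 2), "client_cae": client_cae, "verdict": verdict}


def assess_token(token: str) -> dict:
    return assess_cae(decode_jwt_payload(token))


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT so the example runs offline. A real Entra token is
    RS256-signed; never accept alg=none in code that validates tokens."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


ISSUED = 1_719_705_600  # constructed iat: 2024-06-30 00:00:00 UTC
# Constructed sample tokens, not real Entra tokens. The audiences are the real
# Exchange Online and Graph resource URIs; everything else is made up.
SAMPLE_TOKENS = {
    "outlook": make_unsigned_token({"aud": "https://outlook.office365.com", "iat": ISSUED,
                                    "exp": ISSUED + CAE_LIFETIME, "xms_cc": ["CP1"]}),
    "powershell": make_unsigned_token({"aud": "https://graph.microsoft.com", "iat": ISSUED,
                                       "exp": ISSUED + 75 * 60, "xms_cc": ["CP1"]}),
    "legacy": make_unsigned_token({"aud": "https://graph.microsoft.com", "iat": ISSUED,
                                   "exp": ISSUED + 75 * 60}),
}


if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        print(name, assess_token(token))
```

The "powershell" sample reproduces what the caption shows: cp1 is present, so the client can answer a claims challenge, but the resource issued a standard-lifetime token, so the 28-hour session (and the near real-time revocation that goes with it) was not granted. Paste a real token into `assess_token` to get the same read-out without sending it to a third-party site.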

With my token extracted (not covered here), I can attempt to replay it:


My attempt to replay the token is thwarted; however, if I turn off the VPN and try again, I can still get in:


This is where token binding could come into play, but it is not something I will discuss here.

If I turn my VPN on while in the session, I am kicked out almost immediately.


Windscribe & Mullvad over NordVPN/ExpressVPN any day



Further Reading

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

Using MDE and want to block anonymous VPNs in your environment? See: https://github.com/jkerai1/SoftwareCertificates/tree/main/VPN%20Or%20Networking


Jonas Bøgvad

Microsoft MVP (Security) | Cloud Security Consultant

1 year

Thank you for sharing!
