Rob-6761 asked

Continuous access evaluation - when client changes IP Address

Hi, there is CAE documentation here
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

When looking at the CAE (Preview) setting under Azure AD --> Security, it says this
"When a user's access is removed or a client IP address changes, Continuous access evaluation automatically blocks access to resources and applications in near real time"

Does this automatically apply to IP address changes that occur frequently when going from wifi to cellular to access an O365 resource?

The way I read this, it means that this activity will be treated as suspect, and the policy will automatically block a user?

Can someone provide any more specific instances where this policy would apply? Right now, as it's in preview, we do not have this enabled.

Thanks,

Rob.

azure-ad-conditional-access

vipulsparsh-MSFT answered

@Rob-6761 Thanks for reaching out.

The continuous access evaluation checks for the allowed IP range under trusted location; any change to that IP triggers the block.
So if the user authenticates with the approved network and then switches to an unapproved IP range, this will block it. This will work if you have blocked any access to outside the corporate network under a conditional access policy.

This is how a general client will face this:
1) A CAE-capable client presents credentials or a refresh token to Azure AD asking for an access token for some resource.
2) Azure AD evaluates all Conditional Access policies to see whether the user and client meet the conditions.
3) An access token is returned along with other artifacts to the client.
4) User moves out of an allowed IP range.
5) The client presents an access token to the resource provider from outside of an allowed IP range.
6) The resource provider evaluates the validity of the token and checks the location policy synced from Azure AD.
7) In this case, the resource provider denies access, and sends a 401+ claim challenge back to the client because it is not coming from an allowed IP range.
8) The CAE-capable client understands the 401+ claim challenge. It bypasses the caches and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD reevaluates all the conditions and will deny access in this case.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community


Thanks for the reply. In conjunction with your comment below
"Rob-6761, It seems For CAE, we only have insights into named IP-based named locations. We have no insights into other location settings like MFA trusted IPs or country-based locations.

So when user comes from an MFA trusted IP or trusted locations that include MFA Trusted IPs or country location, CAE will not be enforced after user move to a different location. In those cases, we will issue a 1-hour CAE token without instant IP enforcement check."

This would appear that it will not adversely affect our connectivity.

Thank you.


Hi @vipulsparsh-MSFT

I believe I understand the above flow that you described nicely about how the location change is checked by the resource provider and the claims challenge is generated.

What happens when the client application reaches AAD with one particular IP every time (e.g., 1.2.3.4) which is in the named location, so AAD does not have any problem issuing the access token?

But when that client app invokes the API (resource provider), it uses a different IP every time (e.g., 4.5.6.7).

In this case when the API checks the incoming IP against the CA-policy IP, it will NOT match and hence generates a claims challenge every time.

Now this is NOT the case where the client has gone from a trusted to an untrusted network.
This is a valid use case because of network proxy implementations in the corporate network.
Calls to login.microsoftonline.com go through the proxy server but the call to the API goes directly out to the internet through some different arrangement, or vice versa.

AAD sees one IP address from the client while your resource provider sees a different IP address from the client after passing through a proxy.

How is this infinite loop resolved? Would you mind putting the flow for this use case?


Thanks.

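The eight-step exchange in the answer above, together with the split-proxy case raised in the comment (Azure AD sees 1.2.3.4 while the API sees 4.5.6.7), as an added Python simulation. This is illustrative code written for this thread, not Microsoft's implementation or anything the answer provides: the allowed range 1.2.3.0/24, the `Issuer`, `ResourceProvider` and `CaeClient` names, the shape of the 401 challenge body and the `MAX_CHALLENGE_RETRIES` cap are all assumptions. It models Azure AD re-evaluating the location policy on every token request and the resource provider enforcing the same synced policy on every call.

```python
import ipaddress
from dataclasses import dataclass

# Constructed named IP-based location. 1.2.3.0/24 is used only because the
# thread uses 1.2.3.4 as its example corporate address.
ALLOWED_RANGES = [ipaddress.ip_network("1.2.3.0/24")]

# Assumption: the simulated client gives up after this many claims-challenge
# round trips. The thread does not say what real CAE-capable clients do.
MAX_CHALLENGE_RETRIES = 3


def in_allowed_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


@dataclass
class Token:
    subject: str
    issued_from: str  # client IP the issuer saw when it minted the token


class Issuer:
    """Stands in for Azure AD (steps 1-3, and the re-evaluation in step 8)."""

    def __init__(self):
        self.evaluations = 0

    def request_token(self, subject, client_ip, claims_challenge=None):
        self.evaluations += 1
        # Every request, challenged or not, is evaluated against the policy.
        if not in_allowed_range(client_ip):
            return None
        return Token(subject, client_ip)


class ResourceProvider:
    """Stands in for the API: checks the token and the location policy synced
    from the issuer (steps 5-7)."""

    def call(self, token, client_ip):
        if token is None:
            return 401, {"error": "missing_token"}
        if not in_allowed_range(client_ip):
            # Step 7: 401 plus a claims challenge (constructed body shape).
            return 401, {"claims_challenge": "location_policy"}
        return 200, {"ok": True}


class CaeClient:
    """A CAE-capable client that caches its token and honours the challenge."""

    def __init__(self, issuer, rp, subject):
        self.issuer, self.rp, self.subject = issuer, rp, subject
        self.token = None

    def access(self, issuer_ip, rp_ip):
        """One attempt to reach the resource. issuer_ip is the address Azure AD
        sees, rp_ip the address the API sees; they differ behind a split proxy."""
        if self.token is None:
            self.token = self.issuer.request_token(self.subject, issuer_ip)
            if self.token is None:
                return "denied_by_issuer"
        status, body = self.rp.call(self.token, rp_ip)
        if status == 200:
            return "ok"
        challenge = body["claims_challenge"]
        # Step 8: bypass the cache and go back to the issuer with the challenge.
        for _ in range(MAX_CHALLENGE_RETRIES):
            self.token = self.issuer.request_token(self.subject, issuer_ip, challenge)
            if self.token is None:
                return "denied_by_issuer"
            status, body = self.rp.call(self.token, rp_ip)
            if status == 200:
                return "ok"
        return "challenge_loop_aborted"


def scenario_user_moves():
    """Steps 1-8: token obtained on the corporate range, then the user moves."""
    issuer, rp = Issuer(), ResourceProvider()
    client = CaeClient(issuer, rp, "rob")
    outcomes = [client.access("1.2.3.4", "1.2.3.4"),   # steps 1-3, normal call
                client.access("9.9.9.9", "9.9.9.9")]   # steps 4-8 after moving
    return outcomes, issuer.evaluations


def scenario_split_proxy():
    """The comment's case: the issuer sees 1.2.3.4 via the proxy, the API sees
    4.5.6.7 via direct egress, so every fresh token is challenged again."""
    issuer, rp = Issuer(), ResourceProvider()
    client = CaeClient(issuer, rp, "rob")
    outcome = client.access("1.2.3.4", "4.5.6.7")
    return outcome, issuer.evaluations


if __name__ == "__main__":
    print("user moves:", scenario_user_moves())
    print("split proxy:", scenario_split_proxy())
```

In the first scenario the cached token works until the user moves, after which the challenge sends the client back to the issuer, which now sees 9.9.9.9 and denies the request, exactly the step-8 outcome. In the second scenario the issuer keeps minting tokens because it only ever sees 1.2.3.4, while the API keeps rejecting them because it only ever sees 4.5.6.7; nothing in the exchange itself terminates that loop, which is why the simulated client carries an explicit retry cap, and why egress paths for login.microsoftonline.com and the resource endpoints should present the same source address (or the named location should cover both).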
Rob-6761 answered

Hi vipulsparsh, sorry for my late response. We use conditional access policies to varying degrees, and also trusted locations. However, as we cannot know which IP range a user will be accessing O365 from when using a public internet or 4G service, it sounds like CAE would block too many connections.
Isn't this the case for any Office 365 tenancy though, that they would allow authentication from almost any public network? Doesn't this mean that CAE is too strict, as it is too difficult to manage those external network ranges?
I feel like I should be turning CAE off.....
What are your thoughts?

Rob.


@Rob-6761 The CAE service currently works with trusted locations only; it will not work with a normal user connection over other public IP addresses. So Office 365 general user consumption with random IPs won't work for now.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


Thanks. We do have trusted locations configured though, so if a user had a conditional access policy applied that meets a trusted location, will they be blocked when they connect outside of this trusted location?


Rob-6761, it seems for CAE we only have insights into named IP-based named locations. We have no insights into other location settings like MFA trusted IPs or country-based locations.

So when a user comes from an MFA trusted IP or trusted locations that include MFA trusted IPs or a country location, CAE will not be enforced after the user moves to a different location. In those cases, we will issue a 1-hour CAE token without an instant IP enforcement check.
