Understanding and Exploring Continuous Access Evaluation for Azure Active Directory

Last month, Microsoft announced the availability of Continuous Access Evaluation (CAE) for Azure Active Directory (Azure AD) users managed by Conditional Access policies. CAE aims to improve the response time in situations where a policy setting that applies to a user changes but the user is able to circumvent the new policy setting because their access token was issued before the policy change. Security tokens issued by Azure AD, like OAuth 2.0 access tokens, are typically valid for an hour.

Here’s an example. If you disable a user in Azure AD, they can continue to work if they were issued a security token before their account was disabled in the directory. In a worst-case scenario, the user could continue to have access to systems for up to an hour. Reducing the time that security tokens remain valid tends to negatively affect the end-user experience. So, CAE is designed to address the problem.

How does Continuous Access Evaluation work?

Instead of reducing the lifetime of security tokens, CAE facilitates a two-way conversation between Azure AD and applications, like Exchange Online. If an application like Exchange sees that a condition has changed for a user accessing the service, it can inform Azure AD. For example, a user might connect to a network that isn’t permitted under Conditional Access policy, requiring access to Exchange Online to be revoked.

Respond to Changes in Security Policy and Conditions in Real Time with Continuous Access Evaluation Preview for Azure AD (Image Credit: Microsoft)

Similarly, because Continuous Access supports a two-way conversation between the token issuer, Azure AD, and applications, if an account is compromised, disabled, or there is some other issue, Azure AD can inform the application that it should no longer accept the user’s security token. CAE can respond to changes in conditions or user accounts in real time, but Microsoft says that in some cases a delay of up to 15 minutes could occur because of the way events are propagated.

But didn’t CAE reach general availability in May 2020 for Microsoft Teams and Exchange Online?

The version of CAE that Microsoft announced back in May was for tenants where no Conditional Access policies had been configured. It supports the following events for the latest versions of Outlook and Teams apps on Windows, iOS, macOS, and Android without any action from IT:

  • User account is deleted or disabled
  • Password for a user is changed or reset
  • Multifactor authentication (MFA) is enabled for the user
  • Admin explicitly revokes all Refresh Tokens for a user
  • Elevated user risk detected by Azure AD Identity Protection

The preview announced in October 2020 is for Azure AD tenants that have Conditional Access policies already in place.
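
The following is an added example, not Microsoft's implementation or code from the original article: a simplified model of a CAE-aware resource that rejects an unexpired token once a critical event from the list above has been signalled for its user, or when the client connects from a network the policy does not allow. The class names, event labels, timestamps and IP ranges are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TOKEN_LIFETIME = 3600  # seconds: the typical one-hour access token
# Labels chosen for this sketch, one per event in the list above.
CRITICAL_EVENTS = {"account_disabled", "password_changed", "mfa_enabled",
                   "refresh_tokens_revoked", "user_risk_elevated"}

@dataclass
class Token:
    user: str
    issued_at: int  # seconds since epoch

@dataclass
class Resource:
    """Hypothetical CAE-aware resource, standing in for e.g. Exchange Online."""
    allowed_networks: list
    last_event: dict = field(default_factory=dict)  # user -> (time, event)

    def notify(self, user, event, at):
        """Issuer-to-resource signal: a critical event occurred for this user."""
        if event not in CRITICAL_EVENTS:
            raise ValueError(f"unknown event: {event}")
        self.last_event[user] = (at, event)

    def evaluate(self, token, client_ip, now, cae=True):
        """Return (allowed, reason); cae=False models expiry-only validation."""
        if now >= token.issued_at + TOKEN_LIFETIME:
            return False, "expired"
        if not cae:
            return True, "ok"
        event = self.last_event.get(token.user)
        if event and token.issued_at <= event[0]:
            return False, event[1]  # token predates the event: reject it now
        ip = ip_address(client_ip)
        if not any(ip in ip_network(n) for n in self.allowed_networks):
            return False, "network_not_allowed"
        return True, "ok"

def demo():
    res = Resource(allowed_networks=["203.0.113.0/24"])  # constructed range
    tok = Token("alice", issued_at=1000)
    res.notify("alice", "account_disabled", at=1200)
    return [
        res.evaluate(tok, "203.0.113.10", now=1300, cae=False),  # still accepted
        res.evaluate(tok, "203.0.113.10", now=1300),             # rejected at once
        res.evaluate(Token("bob", 1250), "198.51.100.7", now=1300),  # wrong network
        res.evaluate(Token("bob", 1250), "203.0.113.10", now=1300),
    ]
```

The first two results show the gap CAE closes: with expiry-only validation the disabled account's token is still accepted 100 seconds after the event, while the CAE-aware check rejects the same token without waiting for it to expire.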

How to enable the CAE preview?

Because the new CAE preview relies on Azure AD Conditional Access policies, you will need an Azure AD Premium P1 or P2 subscription. If you would like to test out how CAE can terminate user access to Exchange Online, Microsoft Teams, and SharePoint Online when a Conditional Access policy is violated, you need to enable the CAE preview in your Azure AD tenant.

Respond to Changes in Security Policy and Conditions in Real Time with Continuous Access Evaluation Preview for Azure AD (Image Credit: Russell Smith)

To enable the preview, in the Azure management portal, navigate to Azure Active Directory > Security > Continuous access evaluation, check Enable preview and then click Save.

CAE preview limitations

There are some limitations in the public preview. CAE doesn’t support SharePoint Online and Exchange Online services on Android and iOS clients. Office Web Apps don’t support CAE in Exchange Online or SharePoint Online either. Microsoft is planning to bring CAE to Azure and Dynamics at some point in the future.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.