Azure Active Directory|Security

Understanding and Exploring Continuous Access Evaluation for Azure Active Directory

Microsoft announced last month the availability of Continuous Access Evaluation (CAE) for Azure Active Directory (Azure AD) users managed by Conditional Access policies. CAE aims to improve the response time in situations where a policy setting that applies to a user changes but the user is able to circumvent the new policy setting because their access token was issued before the policy change. It’s typical that security access tokens issued by Azure AD, like OAuth 2.0 access tokens, are valid for an hour.

Here’s an example. If you disable a user in Azure AD, they can continue to work if they were issued a security token before their account was disabled in the directory. In a worst-case scenario, the user could continue to have access to systems for up to an hour. Reducing the time that security tokens remain valid tends to negatively affect the end-user experience. So, CAE is designed to address the problem.

How does Continuous Access Evaluation work?

Instead of reducing the lifetime of security tokens, CAE facilitates a two-way conversation between Azure AD and applications, like Exchange Online. If an application like Exchange sees that a condition has changed for a user accessing the service, it can inform Azure AD. A user might connect to a network that isn’t permitted under Conditional Access policy, requiring access to Exchange Online to be revoked.

Image #1 Expand
Respond to Changes in Security Policy and Conditions in Real Time with Continuous Access Evaluation Preview for Azure AD (Image Credit: Microsoft)

Similarly, because Continuous Access supports a two-way conversion between the token issuer, Azure AD, and applications, if an account is compromised, disabled, or there is some other issue, Azure AD can inform the application that it should no longer accept the user’s security token. CAE can respond to changes in conditions or user accounts in real-time, but Microsoft says that in some cases a delay of up to 15 minutes could occur because of the way events are propagated.

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

But didn’t CAE reach general availability in May 2020 for Microsoft Teams and Exchange Online?

The version of CAE that Microsoft announced back in May was for tenants where no Conditional Access policies had been configured. It supports the following events for the latest versions of Outlook and Teams apps on Windows, iOS, MacOS, and Android without any action from IT:

  • User account is deleted or disabled
  • Password for a user is changed or reset
  • Multifactor authentication (MFA) is enabled for the user
  • Admin explicitly revokes all Refresh Tokens for a user
  • Elevated user risk detected by Azure AD Identity Protection

The preview announced in October 2020 is for Azure AD tenants that have Conditional Access policies already in place.

How to enable the CAE preview?

Because the new CAE preview relies on Azure AD Conditional Access policies, you will need an Azure AD Premium P1 or P2 subscription. If you would like to test out how CAE can terminate user access to Exchange Online, Microsoft Teams, and SharePoint Online when a Conditional Access policy is violated, you need to enable the CAE preview in your Azure AD tenant.

Image #2 Expand
Respond to Changes in Security Policy and Conditions in Real Time with Continuous Access Evaluation Preview for Azure AD (Image Credit: Russell Smith)

To enable the preview, in the Azure management portal, navigate to Azure Active Directory > Security > Continuous access evaluation, check Enable preview and then click Save.

CAE preview limitations

There are some limitations in the public preview. CAE doesn’t support SharePoint Online and Exchange Online services on Android and iOS clients. Office Web Apps don’t support CAE in Exchange Online or SharePoint Online either. Microsoft is planning to bring CAE to Azure and Dynamics at some point in the future.


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by:

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: