Understanding and Exploring Continuous Access Evaluation for Azure Active Directory
Microsoft announced last month the availability of Continuous Access Evaluation (CAE) for Azure Active Directory (Azure AD) users managed by Conditional Access policies. CAE aims to improve the response time in situations where a policy setting that applies to a user changes but the user is able to circumvent the new policy setting because their access token was issued before the policy change. It’s typical that security access tokens issued by Azure AD, like OAuth 2.0 access tokens, are valid for an hour.
Here’s an example. If you disable a user in Azure AD, they can continue to work if they were issued a security token before their account was disabled in the directory. In a worst-case scenario, the user could continue to have access to systems for up to an hour. Reducing the time that security tokens remain valid tends to negatively affect the end-user experience. So, CAE is designed to address the problem.
How does Continuous Access Evaluation work?
Instead of reducing the lifetime of security tokens, CAE facilitates a two-way conversation between Azure AD and applications, like Exchange Online. If an application like Exchange sees that a condition has changed for a user accessing the service, it can inform Azure AD. A user might connect to a network that isn’t permitted under Conditional Access policy, requiring access to Exchange Online to be revoked.
Similarly, because Continuous Access supports a two-way conversion between the token issuer, Azure AD, and applications, if an account is compromised, disabled, or there is some other issue, Azure AD can inform the application that it should no longer accept the user’s security token. CAE can respond to changes in conditions or user accounts in real-time, but Microsoft says that in some cases a delay of up to 15 minutes could occur because of the way events are propagated.
What is “Inside Microsoft Teams”?
“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.
But didn’t CAE reach general availability in May 2020 for Microsoft Teams and Exchange Online?
The version of CAE that Microsoft announced back in May was for tenants where no Conditional Access policies had been configured. It supports the following events for the latest versions of Outlook and Teams apps on Windows, iOS, MacOS, and Android without any action from IT:
- User account is deleted or disabled
- Password for a user is changed or reset
- Multifactor authentication (MFA) is enabled for the user
- Admin explicitly revokes all Refresh Tokens for a user
- Elevated user risk detected by Azure AD Identity Protection
The preview announced in October 2020 is for Azure AD tenants that have Conditional Access policies already in place.
How to enable the CAE preview?
Because the new CAE preview relies on Azure AD Conditional Access policies, you will need an Azure AD Premium P1 or P2 subscription. If you would like to test out how CAE can terminate user access to Exchange Online, Microsoft Teams, and SharePoint Online when a Conditional Access policy is violated, you need to enable the CAE preview in your Azure AD tenant.
To enable the preview, in the Azure management portal, navigate to Azure Active Directory > Security > Continuous access evaluation, check Enable preview and then click Save.
CAE preview limitations
There are some limitations in the public preview. CAE doesn’t support SharePoint Online and Exchange Online services on Android and iOS clients. Office Web Apps don’t support CAE in Exchange Online or SharePoint Online either. Microsoft is planning to bring CAE to Azure and Dynamics at some point in the future.