Understanding and Exploring Continuous Access Evaluation for Azure Active Directory

Microsoft announced last month the availability of Continuous Access Evaluation (CAE) for Azure Active Directory (Azure AD) users managed by Conditional Access policies. CAE aims to improve the response time in situations where a policy setting that applies to a user changes but the user is able to circumvent the new policy setting because their access token was issued before the policy change. It’s typical that security access tokens issued by Azure AD, like OAuth 2.0 access tokens, are valid for an hour.

Here’s an example. If you disable a user in Azure AD, they can continue to work if they were issued a security token before their account was disabled in the directory. In a worst-case scenario, the user could continue to have access to systems for up to an hour. Reducing the time that security tokens remain valid tends to negatively affect the end-user experience. So, CAE is designed to address the problem.

How does Continuous Access Evaluation work?

Instead of reducing the lifetime of security tokens, CAE facilitates a two-way conversation between Azure AD and applications, like Exchange Online. If an application like Exchange sees that a condition has changed for a user accessing the service, it can inform Azure AD. A user might connect to a network that isn’t permitted under Conditional Access policy, requiring access to Exchange Online to be revoked.

Image #1 Expand

Similarly, because Continuous Access supports a two-way conversion between the token issuer, Azure AD, and applications, if an account is compromised, disabled, or there is some other issue, Azure AD can inform the application that it should no longer accept the user’s security token. CAE can respond to changes in conditions or user accounts in real-time, but Microsoft says that in some cases a delay of up to 15 minutes could occur because of the way events are propagated.

But didn’t CAE reach general availability in May 2020 for Microsoft Teams and Exchange Online?

The version of CAE that Microsoft announced back in May was for tenants where no Conditional Access policies had been configured. It supports the following events for the latest versions of Outlook and Teams apps on Windows, iOS, MacOS, and Android without any action from IT:

• User account is deleted or disabled
• Password for a user is changed or reset
• Multifactor authentication (MFA) is enabled for the user
• Admin explicitly revokes all Refresh Tokens for a user
• Elevated user risk detected by Azure AD Identity Protection

The preview announced in October 2020 is for Azure AD tenants that have Conditional Access policies already in place.

How to enable the CAE preview?

Because the new CAE preview relies on Azure AD Conditional Access policies, you will need an Azure AD Premium P1 or P2 subscription. If you would like to test out how CAE can terminate user access to Exchange Online, Microsoft Teams, and SharePoint Online when a Conditional Access policy is violated, you need to enable the CAE preview in your Azure AD tenant.

Image #2 Expand

To enable the preview, in the Azure management portal, navigate to Azure Active Directory > Security > Continuous access evaluation, check Enable preview and then click Save.

CAE preview limitations

There are some limitations in the public preview. CAE doesn’t support SharePoint Online and Exchange Online services on Android and iOS clients. Office Web Apps don’t support CAE in Exchange Online or SharePoint Online either. Microsoft is planning to bring CAE to Azure and Dynamics at some point in the future.