Microsoft announced last month the availability of Continuous Access Evaluation (CAE) for Azure Active Directory (Azure AD) users managed by Conditional Access policies. CAE aims to improve the response time in situations where a policy setting that applies to a user changes but the user is able to circumvent the new policy setting because their access token was issued before the policy change. It’s typical that security access tokens issued by Azure AD, like OAuth 2.0 access tokens, are valid for an hour.
Here’s an example. If you disable a user in Azure AD, they can continue to work if they were issued a security token before their account was disabled in the directory. In a worst-case scenario, the user could continue to have access to systems for up to an hour. Reducing the time that security tokens remain valid tends to negatively affect the end-user experience. So, CAE is designed to address the problem.
Instead of reducing the lifetime of security tokens, CAE facilitates a two-way conversation between Azure AD and applications, like Exchange Online. If an application like Exchange sees that a condition has changed for a user accessing the service, it can inform Azure AD. A user might connect to a network that isn’t permitted under Conditional Access policy, requiring access to Exchange Online to be revoked.
Similarly, because Continuous Access Evaluation supports a two-way conversation between the token issuer, Azure AD, and applications, if an account is compromised, disabled, or there is some other issue, Azure AD can inform the application that it should no longer accept the user’s security token. CAE can respond to changes in conditions or user accounts in real time, but Microsoft says that in some cases a delay of up to 15 minutes could occur because of the way events are propagated.
The version of CAE that Microsoft announced back in May was for tenants where no Conditional Access policies had been configured. It supports the following events for the latest versions of the Outlook and Teams apps on Windows, iOS, macOS, and Android without any action from IT:
The preview announced in October 2020 is for Azure AD tenants that have Conditional Access policies already in place.
Because the new CAE preview relies on Azure AD Conditional Access policies, you will need an Azure AD Premium P1 or P2 subscription. If you would like to test out how CAE can terminate user access to Exchange Online, Microsoft Teams, and SharePoint Online when a Conditional Access policy is violated, you need to enable the CAE preview in your Azure AD tenant.
To enable the preview, in the Azure management portal, navigate to Azure Active Directory > Security > Continuous access evaluation, check Enable preview and then click Save.
There are some limitations in the public preview. CAE doesn’t support SharePoint Online and Exchange Online services on Android and iOS clients. Office Web Apps don’t support CAE in Exchange Online or SharePoint Online either. Microsoft is planning to bring CAE to Azure and Dynamics at some point in the future.
More from Russell Smith