Updated 20 May 2021:
Microsoft has officially made Continuous Access Evaluation publicly available.
Organizations struggle when critical access events take place within Azure AD. In this blog I will describe the benefits of Continuous Access Evaluation (CAE) and the technical steps to work with it.
Please keep in mind that at the time of writing this functionality is still in preview, and works with Exchange Online, SharePoint Online and Teams (only resources) for now.
What is CAE?
CAE provides the next level of identity security by terminating active user sessions to a subset of Microsoft services (Exchange, SharePoint and Teams) in near real time on user changes such as account disabling, password reset, initiated user revocation and Conditional Access policies.
How access tokens work
OAuth 2.0 access tokens are used when a user authenticates against Azure AD. An example is an Outlook client that connects to Exchange Online. By default these access tokens are valid for one hour (the access token lifetime). When the token expires, the client is redirected back to Azure AD to refresh the token. The value of one hour can also be changed via PowerShell.
How can CAE help your organization?
When a user account gets disabled, you want access to be revoked instantly instead of waiting for the access token to expire. You also want a user to re-authenticate as soon as they switch to a non-approved network while using the same access token. This is where CAE comes in.
The scenarios are described below:
- User account is deleted or disabled;
- Password for a user is changed or reset;
- MFA is enabled for the user;
- Admin explicitly revokes all Refresh Tokens for a user;
- Elevated user risk detected by Azure AD Identity Protection.
Benefits of using CAE:
- User session revocation will be enforced in near real time;
- Conditional Access location policies will be enforced in near real time;
- Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.
Start with CAE
When you want to start with CAE, keep in mind that a CAE-capable client is required. Microsoft introduced a new authentication mechanism called “Claim Challenge”. A claim challenge indicates that the token was rejected and that a new access token needs to be issued by Azure AD. CAE requires a client update to understand the claim challenge. This means that the latest version of the following applications is needed:
- Outlook for Windows, iOS, Android, Mac and Web App;
- Teams for Windows, iOS, Android and Mac (Only for Teams resource);
- Word/Excel/PowerPoint for Windows, iOS, Android and Mac.
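The claim challenge described above, as an added example (not code from this blog or from Microsoft): a CAE-aware resource answers a rejected token with HTTP 401 and a `WWW-Authenticate` header carrying `error="insufficient_claims"` plus a base64-encoded `claims` value, which the client decodes and sends along when it asks Azure AD for a new token. The function names and the sample header are constructed for illustration.

```python
import base64
import json
import re

# Matches key="value" pairs inside a WWW-Authenticate header value.
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(status, www_authenticate):
    """Return the decoded claims of a CAE claim challenge, or None for any other response."""
    if status != 401 or not www_authenticate:
        return None
    scheme, _, rest = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = dict(_PARAM.findall(rest))
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None  # ordinary 401 (e.g. expired token): a normal refresh is enough
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    try:
        return json.loads(base64.urlsafe_b64decode(raw))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None  # undecodable challenge: treat it as a plain 401


def build_sample_challenge():
    """Constructed sample header (not captured traffic); the nbf value is made up."""
    claims = {"access_token": {"nbf": {"essential": True, "value": "1621500000"}}}
    blob = base64.b64encode(json.dumps(claims).encode()).decode()
    return ('Bearer realm="", '
            'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
            f'error="insufficient_claims", claims="{blob}"')


if __name__ == "__main__":
    challenge = parse_claims_challenge(401, build_sample_challenge())
    # A CAE-capable client passes these claims into its next token request,
    # so Azure AD re-evaluates the user instead of silently reusing cached tokens.
    print(json.dumps(challenge))
```

A client that lacks this handling cannot react to the challenge, which is why the updated applications listed above are required.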
How can you enable CAE?
You can enable this preview feature by browsing to the Azure Portal > Azure Active Directory > Security, where you will find the feature “Continuous access evaluation (Preview)”. Now select the users or group(s) you want to enable this feature for.
Now that we have enabled CAE, we can proceed with testing if this feature works as expected.
CAE in action
In my scenario I have created a Conditional Access policy that forces all my users to make use of MFA as soon as they connect from an untrusted location. In the demonstration below you will see that I won’t be asked for an MFA challenge because I am connected to a trusted network. Therefore I use Windscribe as my VPN service to get connected to an untrusted network. As soon as the VPN connection is successful, I am prompted to make use of MFA and told that more information is required.
To work with CAE, it is required that you have at least one Azure AD Premium P1 license.
Limitations of CAE:
Not every scenario is available yet. Microsoft has provided the following table to show you the possibilities:
Continuous access evaluation in Azure AD | Microsoft Docs