Conditional Access is one of the most powerful tools you can use to protect your Office 365 / Azure AD tenant. From enforcing device compliance to requiring MFA from untrusted locations, it gives administrators an extremely flexible and effective identity and access management solution. While Conditional Access has been around for a long time now, improvements are constantly being made to the service, allowing for further customization and flexibility.
One of these new features is Continuous Access Evaluation (CAE). To understand what CAE is, let’s look at how Conditional Access Policies apply by default.
When a user initially authenticates to Azure AD, they are assessed by Conditional Access to ensure they comply with the policies that have been defined for them and that they are enabled for access; for example, they may receive an MFA prompt if they are outside the trusted corporate networks. When all applicable Conditional Access policies are processed successfully, the user receives an Azure AD Access Token and a Refresh Token. The Access Token grants the user access to resources for an hour by default. At the end of this hour, the Refresh Token is used to request a new Access Token. At this point, Conditional Access policies are reassessed to ensure the user is still in compliance and, if they are, a new Access Token is granted to the user. Note that this doesn’t mean the user is prompted for MFA a second time after an hour (check out my post on MFA frequency for more information on this).
This is great, but one issue with this process is that once a user is granted an Access Token, they are not reassessed against Conditional Access policies until it is time to refresh that token.
To help with this issue, Microsoft have released Continuous Access Evaluation (CAE). This feature allows the user's authentication context to be reassessed when particular events occur. With CAE enabled, a user connecting from a CAE-supported application will be reassessed when their context changes. These context changes are broken down into two scenarios: Critical Event Evaluation and Conditional Access Policy Evaluation.
The supported scenarios for Critical Event Evaluation are:
- User Account is deleted or disabled
- Password for a user is changed or reset
- Multi-factor authentication is enabled for the user
- Administrator explicitly revokes all refresh tokens for a user
- High user risk detected by Azure AD Identity Protection
Conditional Access Policy Evaluation currently only supports network location changes.
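To make the difference between the two models concrete, here is a small simulation of the token lifecycle described above (sign-in evaluation, a one-hour Access Token, re-evaluation at refresh) with and without CAE. This is an added illustration, not Microsoft code or the real Azure AD implementation; the `Tenant` class, its policy set (block disabled users, require MFA off the trusted network), the critical-event bookkeeping and the IP ranges are all simplified assumptions. It shows the exposure window a disabled account keeps under the default model, and how a CAE-aware resource rejects the same token as soon as the critical event fires or the network location changes.

```python
"""Toy model of access-token lifetime with and without Continuous Access
Evaluation (CAE).  Added illustration only: not Microsoft code, and the
policy rules, timings and class names are simplified assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ACCESS_TOKEN_LIFETIME = 3600  # seconds: the one-hour default the post describes


@dataclass
class AccessToken:
    user: str
    issued_at: int          # simulation clock, seconds
    expires_at: int
    mfa_satisfied: bool     # MFA was performed when this token was issued


@dataclass
class Tenant:
    cae_enabled: bool = False
    # Constructed sample: the corporate network is 10.0.0.0/8 in this toy
    trusted_networks: list = field(default_factory=lambda: [ip_network("10.0.0.0/8")])
    disabled_users: set = field(default_factory=set)
    # CAE critical events: user -> time the event fired; tokens issued at or
    # before that time are treated as revoked by CAE-aware resources.
    critical_events: dict = field(default_factory=dict)

    def is_trusted(self, ip: str) -> bool:
        return any(ip_address(ip) in net for net in self.trusted_networks)

    def evaluate_conditional_access(self, user: str, ip: str, mfa_satisfied: bool) -> bool:
        """Toy policy set: disabled users are blocked; MFA is required
        when the sign-in comes from outside the trusted networks."""
        if user in self.disabled_users:
            return False
        if not self.is_trusted(ip) and not mfa_satisfied:
            return False
        return True

    def issue_token(self, user: str, now: int, ip: str, mfa_satisfied: bool) -> Optional[AccessToken]:
        """Initial sign-in: Conditional Access is evaluated, then a token is issued."""
        if not self.evaluate_conditional_access(user, ip, mfa_satisfied):
            return None
        return AccessToken(user, now, now + ACCESS_TOKEN_LIFETIME, mfa_satisfied)

    def refresh(self, token: AccessToken, now: int, ip: str) -> Optional[AccessToken]:
        """Refresh re-runs Conditional Access; in the default model this is the
        only point at which a change in the user's state is noticed."""
        return self.issue_token(token.user, now, ip, token.mfa_satisfied)

    def disable_user(self, user: str, now: int) -> None:
        self.disabled_users.add(user)
        if self.cae_enabled:
            # Critical event: record it so resources can reject existing tokens
            self.critical_events[user] = now

    def resource_accepts(self, token: AccessToken, now: int, ip: str) -> bool:
        """What a resource provider checks when the token is presented."""
        if now >= token.expires_at:
            return False
        if not self.cae_enabled:
            return True  # default model: nothing else is checked until refresh
        event_time = self.critical_events.get(token.user)
        if event_time is not None and token.issued_at <= event_time:
            return False  # Critical Event Evaluation
        if not self.is_trusted(ip) and not token.mfa_satisfied:
            return False  # Conditional Access Policy Evaluation on network change
        return True


def exposure_window_demo(cae_enabled: bool) -> dict:
    """User signs in from the trusted network, is disabled ten minutes later,
    and the same token is presented at 30 minutes and refreshed at one hour."""
    t = Tenant(cae_enabled=cae_enabled)
    tok = t.issue_token("alice", now=0, ip="10.1.2.3", mfa_satisfied=False)
    t.disable_user("alice", now=600)
    return {
        "accepted_after_disable": t.resource_accepts(tok, now=1800, ip="10.1.2.3"),
        "refresh_succeeds": t.refresh(tok, now=3600, ip="10.1.2.3") is not None,
    }


def location_change_demo() -> dict:
    """Two tokens issued on the trusted network, then presented from an
    untrusted address (203.0.113.9 is a constructed TEST-NET address)."""
    t = Tenant(cae_enabled=True)
    no_mfa = t.issue_token("bob", 0, "10.1.2.3", mfa_satisfied=False)
    with_mfa = t.issue_token("carol", 0, "10.1.2.3", mfa_satisfied=True)
    return {
        "no_mfa_from_untrusted": t.resource_accepts(no_mfa, 300, "203.0.113.9"),
        "mfa_from_untrusted": t.resource_accepts(with_mfa, 300, "203.0.113.9"),
    }


if __name__ == "__main__":
    print("default model:", exposure_window_demo(False))
    print("with CAE:     ", exposure_window_demo(True))
    print("location change (CAE):", location_change_demo())
```

Without CAE the disabled account's token keeps working until the refresh at the one-hour mark; with CAE the critical event invalidates it at the next request. The location-change case shows why the second scenario matters: a token issued without MFA on the corporate network is not honoured once it turns up from an untrusted address, whereas one that already satisfied MFA still passes the policy.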
CAE was previously available to enable in Azure AD tenants by navigating to the Azure AD Portal, opening “Security” -> “Continuous Access Evaluation” and enabling the preview.
Starting from 15/06/21, this setting will be enabled by default. It’s highly recommended that you either enable this setting in your tenancy before the default is changed or, to ensure that it stays disabled, enable and then disable it so that your explicit choice overwrites the default values.
For more information on CAE and the supported scenarios, check out the Microsoft Documentation here.