Continuous Access Evaluation (CAE) in Azure AD (GA)

Microsoft has just announced (January 2022) the General Availability of Continuous Access Evaluation as part of the Azure AD Zero Trust management portfolio.

What is Continuous Access Evaluation?

In short: continuous access evaluation allows for a quicker response by forcing an access token refresh when certain events take place, which forces the user to be logged out on all supported applications. This happens on the following events:

  • User Account is deleted or disabled
  • Password for a user is changed or reset
  • Multi-factor authentication is enabled for the user
  • Administrator explicitly revokes all refresh tokens for a user
  • High user risk detected by Azure AD Identity Protection

This process makes it possible to block access to Exchange Online, SharePoint, OneDrive and Teams within minutes after one of the above events.

Client-side claim challenge

Before continuous access evaluation, clients would replay the access token from their cache as long as it hadn’t expired. With CAE, a resource provider can reject a token even when it hasn’t expired. To tell clients to bypass their cache even though the cached tokens haven’t expired, there is a new mechanism called claim challenge, which indicates that the token was rejected and that a new access token needs to be issued by Azure AD. CAE requires a client update to understand claim challenge. The latest versions of the following applications support claim challenge:

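| Application | Web | Win32 | iOS | Android | Mac |
|---|---|---|---|---|---|
| Outlook | Supported | Supported | Supported | Supported | Supported |
| Teams | Supported | Supported | Supported | Supported | Supported |
| Office | Not Supported | Supported | Supported | Supported | Supported |
| OneDrive | Supported | Supported | Supported | Supported | Supported |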

If you aren’t using CAE-capable clients, your default access token lifetime will remain 1 hour. The default only changes if you configured your access token lifetime with the Configurable Token Lifetime (CTL) preview feature.

User revocation event flow

  1. A CAE-capable client presents credentials or a refresh token to Azure AD asking for an access token for some resource.
  2. An access token is returned along with other artifacts to the client.
  3. An Administrator explicitly revokes all refresh tokens for the user. A revocation event will be sent to the resource provider from Azure AD.
  4. An access token is presented to the resource provider. The resource provider evaluates the validity of the token and checks whether there’s any revocation event for the user. The resource provider uses this information to decide to grant access to the resource or not.
  5. In this case, the resource provider denies access, and sends a 401+ claim challenge back to the client.
  6. The CAE-capable client understands the 401+ claim challenge. It bypasses the caches and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD will then reevaluate all the conditions and prompt the user to reauthenticate in this case.
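
Steps 4 to 6 from the client's side, as an added example that is not part of the original post or of any Microsoft client. It assumes the challenge format from Microsoft's claims challenge documentation (a 401 whose WWW-Authenticate header carries error="insufficient_claims" and a base64-encoded claims parameter); the header value, function names and the two callables are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample (not captured from a real tenant): the claims a resource
# provider might send, and the 401 WWW-Authenticate header that carries them.
SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_HEADER = (
    'Bearer authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="%s"'
    % base64.b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode()
)
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(status, www_authenticate):
    """Return the decoded claims JSON string for a claim challenge, else None."""
    if status != 401 or not www_authenticate:
        return None
    scheme, _, rest = www_authenticate.partition(" ")
    params = dict(_PARAM.findall(rest))
    if scheme.lower() != "bearer" or params.get("error") != "insufficient_claims":
        return None  # an ordinary 401 (e.g. expired token), not a CAE challenge
    raw = params.get("claims", "")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        json.loads(decoded)  # must be valid JSON before it is forwarded
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None
    return decoded


def call_with_cae(call_resource, acquire_token, cache):
    """Steps 4-6 of the flow; both callables are hypothetical stand-ins.

    call_resource(token) -> (status, www_authenticate) plays the resource provider,
    acquire_token(claims) -> token plays the token request to Azure AD.
    """
    token = cache.get("access_token") or acquire_token(None)
    status, header = call_resource(token)
    claims = parse_claims_challenge(status, header)
    if claims is None:
        return status
    cache.pop("access_token", None)  # cached token was rejected: do not replay it
    cache["access_token"] = acquire_token(claims)  # forward the challenge
    status, _ = call_resource(cache["access_token"])  # retry once, never loop
    return status
```

A client that ignores the challenge and keeps replaying the cached token will keep receiving 401 until the token expires, which is why the table above distinguishes CAE-capable clients.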

Enable / Disable Continuous Access Evaluation

By default, if you have an Azure AD Premium license, continuous access evaluation is enabled. You can disable it by creating a conditional access policy.

Resources:

Continuous Access Evaluation in Azure AD is now generally available! – Microsoft Tech Community

Session controls in Conditional Access policy – Azure Active Directory | Microsoft Docs
