Ok, so any organisation with Azure AD Premium or EMS licensing could have enabled Continuous Access Evaluation and have been able to do so since its release to public preview in October 2020. Microsoft are now enabling this by default, beginning on the 15 June 2021 in all tenants with Azure AD Premium, which of course includes those with Enterprise Mobility and Security Licensing. This roll-out will continue until 30 September 2021.
“Great! But what does this mean?” I hear you ask...
So let us explain.
Take Outlook as an example: each time you launch it and it connects to your mailbox, the connection is authenticated with Azure AD using OAuth 2.0 access tokens. Once you have successfully authenticated, you are issued a token. Usually this token has a one hour expiry, and once it expires Outlook is redirected back to Azure AD for authentication and the token is refreshed.
All this happens in the background and users are unaware of this continuous check for authentication. This is also used as an opportunity to recheck the user’s authorisation to access the services they are accessing.
Microsoft tried to address concerns around the lag between a change in conditions for the user (such as network location, credential theft or a policy change) and its enforcement by trialling a reduced token lifetime, but this degraded the end user experience, caused reliability issues and did not actually remove the risks.
Enter Continuous Access Evaluation, or CAE for short (everybody loves an acronym). It changes the authentication and authorisation process by requiring Azure AD (the token issuer) to communicate directly with the service (the relying party), which in our example above is Exchange Online. This two-way communication lets both parties react to changes more quickly: the token issuer can advise the relying party to no longer trust a user's token, and the relying party can then stop communicating with the client. Alternatively, the relying party can tell the token issuer of a change in circumstances, such as a new network location.
With this change in process and by enabling this communication, Microsoft have managed to reduce the response time to near real time. They do advise that latency in some instances may be up to 15 minutes due to propagation time.
Currently this is only rolling out across Exchange Online, Teams and SharePoint Online, and it also requires a connection from a Continuous Access Evaluation capable client. Microsoft have also opened the CAE API to allow developers to build their applications to support this process.
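To make the "CAE capable client" part concrete, here is an added example (not code from the original post, and not Microsoft's library code) of the client-side half of the process: the resource rejects a token the issuer has told it to stop trusting, and the client has to recognise that rejection and go back to Azure AD for a fresh token instead of treating it as a generic sign-in failure. It assumes the challenge shape Microsoft documents for claims challenges (a 401 with a Bearer `WWW-Authenticate` header carrying `error="insufficient_claims"` and a base64url-encoded `claims` value) and the `cp1` client capability value; the sample header is constructed inline, and the `nbf` timestamp in it is simply 15 June 2021 00:00 UTC. In a real application MSAL performs these steps for you once you declare the capability, so treat this as an illustration of what the library is doing, not as a replacement for it.

```python
import base64
import json
import re
from typing import Optional

# Constructed sample of the 401 challenge a CAE-enabled resource returns when the
# token issuer has told it a token is no longer trusted. The claims value is
# base64url-encoded JSON; it is built here from SAMPLE_CLAIMS for the example.
SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1623715200"}}}
_SAMPLE_CHALLENGE_JSON = json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.urlsafe_b64encode(_SAMPLE_CHALLENGE_JSON).decode().rstrip("=") + '"'
)


def parse_www_authenticate(header: str) -> dict:
    """Parse the key="value" pairs of a Bearer challenge into a dict (empty if not Bearer)."""
    if not header.startswith("Bearer"):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def decode_claims_challenge(claims_b64: str) -> dict:
    """Decode a base64url claims challenge, restoring any padding the issuer stripped."""
    padded = claims_b64 + "=" * (-len(claims_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def required_nbf(challenge: dict) -> Optional[int]:
    """Return the 'not before' time the resource now insists on, if the challenge carries one."""
    value = challenge.get("access_token", {}).get("nbf", {}).get("value")
    return int(value) if value is not None else None


def token_is_stale(token_issued_at: int, challenge: dict) -> bool:
    """True when the cached token was issued before the nbf the resource demands."""
    nbf = required_nbf(challenge)
    return nbf is not None and token_issued_at < nbf


def client_capabilities_claims(capabilities=("cp1",)) -> str:
    """Claims parameter a CAE-capable client sends on token requests to declare its capabilities.
    This is the xms_cc shape MSAL uses; here it is hand-built to show what is on the wire."""
    return json.dumps({"access_token": {"xms_cc": {"values": list(capabilities)}}},
                      separators=(",", ":"))


def handle_response(status: int, www_authenticate: str, token_issued_at: int) -> str:
    """Decide what a CAE-capable client should do with a response from the relying party.

    Returns one of:
      "ok"                          - request succeeded, keep using the token
      "reauthenticate"              - ordinary 401 with no claims challenge
      "retry"                       - challenge present but our token already satisfies it
      "acquire_token_with_claims:…" - go back to Azure AD, passing the challenge as the
                                      claims parameter so a compliant token is issued
    """
    if status != 401:
        return "ok"
    parts = parse_www_authenticate(www_authenticate)
    if parts.get("error") != "insufficient_claims" or "claims" not in parts:
        return "reauthenticate"
    challenge = decode_claims_challenge(parts["claims"])
    if token_is_stale(token_issued_at, challenge):
        return "acquire_token_with_claims:" + json.dumps(challenge, separators=(",", ":"))
    return "retry"


if __name__ == "__main__":
    # A token issued an hour before the revocation event must be replaced, not retried.
    print(handle_response(401, SAMPLE_WWW_AUTHENTICATE, token_issued_at=1623711600))
    print(client_capabilities_claims())
```

The important design point for a client is the distinction between "reauthenticate" and "acquire_token_with_claims": a CAE revocation is not a password prompt, it is an instruction to fetch a token that satisfies the issuer's new conditions, and a client that ignores the challenge will simply keep presenting the revoked token until its natural expiry, which is exactly the lag CAE exists to remove.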
Real World Scenarios
As well as the example regarding your end user's connection to Exchange Online using Outlook, a couple of other real-world scenarios are a user's account being disabled, or their password being changed or reset. In these cases the change to the user's access to corporate resources is enforced in near real time, which reduces the insider risk. The diagram below shows the authorisation process for your colleagues connecting to Microsoft 365 resources using Continuous Access Evaluation capable clients like Outlook.
Your Conditional Access policies may use a network location to enforce restrictions, or allow a particular location to bypass policies. A change in an end user's network location could therefore have a significant impact on the resources they should be able to access. With CAE in place, Conditional Access will re-evaluate the user's signals, including their new location, and enforce the required policies. The diagram below shows the process for CAE through Conditional Access.
What if I want to turn it on now?
Yes, this is still an option. You can easily enable, or disable, this feature from the Azure Portal. The screenshot below shows you where to find the configuration for this feature in your Azure portal.
Fancy a deep dive? You can read more from Microsoft on Continuous Access Evaluation here.