News

Continuous Access Evaluation Now Commercially Available for Azure Active Directory Users

• By Kurt Mackie
• 01/10/2022

Microsoft on Monday announced that a continuous access evaluation (CAE) capability in the Azure Active Directory identity and access management service has reached the commercial-release ("general availability") stage.

CAE started as an OpenID Foundation Shared Signals and Events project to better align security events between clients and identity service providers. The idea is to avoid time lags when changes occur on the client or service provider side of things. CAE supposedly permits "real-time enforcement" after things like "account revocation, account disablement/deletion, password change, user location change and user risk increase," per Microsoft's description.

CAE use does involve a time lag, though. It's around 15 minutes, as explained in this Microsoft document.

CAE App Support
Organizations can only use CAE if they are also using CAE-capable client applications. "If you aren't using CAE-capable clients, your default access token lifetime will remain 1 hour," the document explained.

CAE-client capable Microsoft apps include Win32 Outlook, Teams, Office and OneDrive. These apps are supported on other operating system platforms, too, such as Android, iOS and macOS. Office for Web apps aren't supported.

With client support for CAE, it's possible for identity providers to reject a token when it's not yet expired in the cache. Otherwise, there could be a one-hour enforcement lag.

Microsoft online services with CAE support include Exchange Online, SharePoint Online and Microsoft Teams. Office Web apps currently lack support, though. Moreover, OneDrive on Win32 and macOS operating systems aren't supported, per Microsoft's document.

Zero-Trust Session Management
The CAE approach is part of Microsoft's "Azure AD Zero Trust Session Management portfolio," according to Alex Simons, corporate vice president of program management at the Microsoft Identity Division. That statement seemed to be introducing some sort new Microsoft branding approach, identifying the zero trust security approach with Azure AD.

Simons also characterized Microsoft's Azure AD CAE as the first implementation to emerge from among the OpenID Foundation's Shared Signals and Events participants:

With CAE, we have introduced a new concept of Zero Trust authentication session management that is built on the foundation of Zero Trust principles -- Verify Explicitly and Assume Breach. With the Zero Trust approach, the authentication session lifespan now depends on session integrity rather than on a predefined duration. This work is consistent with an industry effort called Shared Signals and Events, and we’re proud to be the first company in the group with a generally available implementation of continuous access!

CAE has now been "auto-enabled" for all Azure AD tenancies, Simons added. Only Azure AD Premium 1 customers can configure it or disable it, though.

The CAE feature shows up for IT pros under the Azure portal's "Session" blade (menu item). Microsoft actually moved it there, and organizations that were using it before under "Security" have to migrate their settings to use its new location, the document explained.

Microsoft had released a preview of the CAE feature for Azure AD Conditional Access service more than a year ago. It was supposed to have reached general availability at the end of 2021, but it maybe slipped schedule a bit.