Last Updated on August 9, 2024 by Arnav Sharma
Microsoft released a preview of a continuous access evaluation (CAE) setting for the Entra ID Conditional Access service on Friday, which will enable organisations to enforce location policies for network access rigorously.
The CAE setting, “strictly enforce location policies,” terminates access in near real time when a request’s IP address does not match the allowed location, for example when a stolen token is replayed from elsewhere. CAE, which Microsoft released commercially for Azure Active Directory (now called “Entra ID”) users last year, seeks to close the time lag between a change on the client side or the service-provider side and its enforcement. CAE is designed to resolve potential security issues following events such as password changes and user location changes.
While CAE already takes location into account, the “strictly enforce location policies” setting appears to have no delay in barring access when a mismatch is detected. In the announcement, Alex Weinert, vice president of identity security at Microsoft, noted that it provides a “near real-time response.”
CAE-enabled applications such as Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events detected by the application, preventing stolen tokens from being replayed outside of the trusted network.
CAE’s “strictly enforce location policies” configuration may appear to be an ideal network security measure, but IT professionals must be highly cautious when configuring it. They must verify the setting to ensure end users are not accidentally blocked.
FAQ:
Q: How can I configure Continuous Access Evaluation (CAE) in Azure?
A: To configure Continuous Access Evaluation (CAE) in Azure, you can use Microsoft Entra ID and the new conditional access policy wizard. CAE is enabled by default and provides real-time access evaluation by re-evaluating conditional access policies when critical events occur. If needed, you can customize the continuous access evaluation session control or disable CAE entirely. These settings govern user access according to allowed locations and other administrator-defined policies. For detailed steps, refer to Microsoft documentation or Microsoft Learn.
Q: What is Continuous Access Evaluation (CAE) in Azure AD?
A: Azure AD Continuous Access Evaluation (CAE) is a feature that allows real-time access evaluation of user sessions. This means that a user’s access to a resource can be immediately revoked when a critical event occurs, such as a policy change event or a change in IP location. CAE works by continuously evaluating whether the access token is still valid. If not, the access is blocked, and a new access token needs to be issued. CAE thus shortens how long a token remains usable after such an event.
Q: What happens when CAE is disabled in Azure?
A: When CAE is disabled in Azure, access evaluation does not occur in real time. This means that a user loses access to the resource only after the access token expires, rather than immediately when a critical event evaluation indicates the need to block access. Disabling CAE might delay policy enforcement and could allow unauthorized access until the current access token expires and a new one has to be issued. Disable CAE only if necessary, and consider the security implications.
Q: How does CAE affect access to Microsoft 365?
A: Continuous access evaluation for Microsoft 365 ensures that access to a resource is based on up-to-date information and that user access is continuously evaluated. For example, if a user account is flagged due to suspicious activity, CAE may immediately block access to Microsoft 365 services, even if the user’s access token is still technically valid. This proactive approach helps prevent unauthorized access and keeps access evaluation for Microsoft 365 aligned with the latest security policies.
Q: How do policy enforcement and CAE work together in Azure?
A: In Azure, policy enforcement is enhanced by continuous access evaluation. When a new conditional access policy is created or an existing one is modified, CAE ensures that user access to resources is immediately evaluated against the latest policies. If a critical event such as an IP change occurs, the evaluation session control can instantly revoke access, forcing the user to authenticate again under the new policies.
Q: How can you manage location policies in Microsoft Entra to ensure strict location enforcement?
A: You can manage location policies in Microsoft Entra by using conditional access policies to restrict access based on an administrator-defined policy. This provides strict location enforcement, ensuring that users access resources only from specific IP addresses or geographic locations.
Q: What is Azure AD Continuous Access Evaluation (CAE), and how does it enhance security?
A: Azure AD Continuous Access Evaluation (CAE) enhances security by ensuring that users lose access to a resource immediately when a critical event occurs, such as a password change or account disablement. This evaluation is enabled by default in Microsoft Entra and continuously checks the validity of an access token to maintain security compliance.
Q: How do you disable Continuous Access Evaluation (CAE) in Azure for a specific user account?
A: To disable Continuous Access Evaluation (CAE) for a specific user account in Azure, you need to configure the new “customize continuous access evaluation” settings in the Azure portal. Set the evaluation session control to disabled; the user then loses access only according to the criteria you have defined, rather than through real-time CAE revocation.
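As an added example (not code from the article or from Microsoft), the following audit walks a list of Conditional Access policies and reports each one’s CAE session-control mode, flagging strict-location policies that are still report-only (as the article advises verifying before enforcement), policies that exclude no trusted location, and policies where CAE has been disabled. It assumes the Microsoft Graph conditionalAccessPolicy field names shown in the code (sessionControls.continuousAccessEvaluation.mode with the values strictEnforcement, strictLocation and disabled; conditions.locations; the policy state values); the sample policies and the named-location ID are constructed placeholders.

```python
"""Audit Conditional Access policies for their CAE session control and flag ones to
verify before enforcement. Added example, not from the article; assumes the Graph
conditionalAccessPolicy schema (sessionControls.continuousAccessEvaluation.mode with
values strictEnforcement/strictLocation/disabled, conditions.locations, state values)."""

DEFAULT_MODE = "default"  # no CAE session control set: CAE applies with its defaults
TRUSTED_LOC = "00000000-0000-0000-0000-000000000001"  # placeholder named-location id

def cae_mode(policy):
    """Return the CAE mode a policy sets, or DEFAULT_MODE when it sets none."""
    ctl = (policy.get("sessionControls") or {}).get("continuousAccessEvaluation")
    return ctl.get("mode", DEFAULT_MODE) if ctl else DEFAULT_MODE

def audit_policy(policy):
    """Classify one policy as (displayName, cae mode, finding)."""
    name, mode, state = policy["displayName"], cae_mode(policy), policy.get("state", "disabled")
    loc = (policy.get("conditions") or {}).get("locations") or {}
    if state == "disabled":
        return name, mode, "policy disabled: no effect"
    if mode == "disabled":  # per the FAQ, access then ends only when the token expires
        return name, mode, "CAE off: access is revoked only at token expiry"
    if mode == "strictLocation":
        if state == "enabledForReportingButNotEnforced":
            return name, mode, "report-only: review sign-in logs before enforcing"
        if "All" in loc.get("includeLocations", []) and not loc.get("excludeLocations"):
            return name, mode, "RISK: no trusted location excluded; users may be locked out"
        return name, mode, "strict location enforced"
    return name, mode, f"CAE active ({mode})"

def audit_cae_policies(policies):
    """Audit a list of policy objects (e.g. the 'value' array returned by Graph)."""
    return [audit_policy(p) for p in policies]

def make_policy(name, state, mode=None, exclude=()):
    """Build a constructed sample policy that covers all locations minus 'exclude'."""
    body = {"displayName": name, "state": state, "conditions": {
        "locations": {"includeLocations": ["All"], "excludeLocations": list(exclude)}}}
    if mode:
        body["sessionControls"] = {"continuousAccessEvaluation": {"mode": mode}}
    return body

SAMPLE_POLICIES = [  # constructed samples, not real tenant data
    make_policy("Block outside trusted network (pilot)", "enabledForReportingButNotEnforced",
                "strictLocation", exclude=[TRUSTED_LOC]),
    make_policy("Block outside trusted network", "enabled", "strictLocation", [TRUSTED_LOC]),
    make_policy("Strict location, nothing excluded", "enabled", "strictLocation"),
    make_policy("CAE disabled for legacy clients", "enabled", "disabled"),
    make_policy("Baseline, no CAE control", "enabled"),
]
```

Run it against the `value` array from the Graph policies endpoint to see which policies still need a report-only pilot before the strict setting is switched on.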