PA-07 | High | Maximum Security
Enable Continuous Access Evaluation
Privileged Access control for Microsoft 365 and Entra ID
Why This Control Matters
Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker can keep using an already-issued token for the rest of that window. CAE revokes access within seconds of critical events.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Continuous Access Evaluation (CAE) is enabled for all supported applications
2. Critical event evaluation (user disabled, password changed) triggers immediate revocation
3. Strict location enforcement is enabled for admin access
Enforcement
- Default Mode: Advisory. Alerts on deviations but does not make changes.
- Auto-Remediation: Manual Only. CAE is enabled by default for supported apps; requires verification.
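
One way to carry out that verification offline, as an added example rather than TrueConfig's own check: the script audits Conditional Access policies exported as JSON in the Microsoft Graph conditionalAccessPolicy shape, where sessionControls.continuousAccessEvaluation.mode carries the CAE setting. The export and policy names are constructed, and treating any enforced policy scoped with includeRoles as the admin policy is an assumption.

```python
import json

# Constructed sample: three policies shaped like Microsoft Graph
# conditionalAccessPolicy objects (not real tenant data).
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Admins - strict location CAE", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "strictLocation"}}},
  {"displayName": "Legacy app exception", "state": "enabled",
   "conditions": {"users": {"includeRoles": []}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
  {"displayName": "Pilot - CAE off", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeRoles": []}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}}
]
""")

def cae_mode(policy):
    """Return the policy's CAE mode, or None when the session control is unset."""
    session = policy.get("sessionControls") or {}
    cae = session.get("continuousAccessEvaluation") or {}
    return cae.get("mode")

def audit_cae(policies):
    """Check exported policies against the expected state for this control."""
    # Report-only and disabled policies do not change token behaviour, so skip them.
    enforced = [p for p in policies if p.get("state") == "enabled"]
    # Criterion 1: CAE is on by default, so a deviation is an enforced policy that disables it.
    disabled_by = [p["displayName"] for p in enforced if cae_mode(p) == "disabled"]
    # Criterion 3: an enforced policy scoped to directory roles uses strict location (assumption).
    strict_admin = [
        p["displayName"] for p in enforced
        if cae_mode(p) == "strictLocation"
        and ((p.get("conditions") or {}).get("users") or {}).get("includeRoles")
    ]
    return {
        "cae_disabled_by": disabled_by,
        "strict_location_admin_policies": strict_admin,
        "compliant": not disabled_by and bool(strict_admin),
    }

if __name__ == "__main__":
    print(json.dumps(audit_cae(SAMPLE_EXPORT), indent=2))
```

Criterion 2 (revocation on critical events) is service behaviour rather than a policy field, so the script does not assess it.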
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.