PA-07: Verifying Continuous Access Evaluation Is Enabled

Overview

This guide walks you through verifying and configuring Continuous Access Evaluation (CAE) in your Microsoft Entra ID tenant. CAE enables near real-time enforcement of access policies by allowing services to subscribe to critical events (like user termination, password changes, or location changes) and immediately revoke access rather than waiting for token expiration.

Why This Matters: Traditional token-based authentication relies on token lifetimes (typically 1 hour for access tokens). If a user is terminated or their password is reset, they can continue accessing resources until their token expires. CAE reduces this window from hours to near-instant, significantly limiting the damage a compromised or terminated account can cause.

Prerequisites

| Requirement | Details |
|-------------|---------|
| Role Required | Global Administrator, Security Administrator, or Conditional Access Administrator (for viewing and configuration) |
| License Required | Microsoft Entra ID P1 (included with M365 E3/E5, EMS E3/E5) |
| Access | Microsoft Entra admin center |

Time Estimate

15-30 minutes for verification and basic configuration

  • Verify CAE status: 5 minutes
  • Review and adjust settings: 10-15 minutes
  • Testing: 10 minutes

Understanding Continuous Access Evaluation

How CAE Works

Without CAE:

  1. User signs in and receives access token (valid for ~1 hour)
  2. User is terminated or password changed
  3. User continues accessing resources until token expires
  4. Access revoked only after token lifetime ends

With CAE:

  1. User signs in and receives CAE-aware token (up to 28 hours)
  2. User is terminated or password changed
  3. Microsoft Entra ID pushes critical event to subscribed services
  4. Service immediately validates token and revokes access
  5. Access denied within minutes, not hours

Critical Events That Trigger CAE

| Event | What Happens |
|-------|--------------|
| User account disabled | Immediate session revocation |
| User account deleted | Immediate session revocation |
| Password changed | Immediate session revocation |
| Password reset by admin | Immediate session revocation |
| MFA revoked (all sessions) | Immediate session revocation |
| High-risk user detected | Conditional Access policy evaluated |
| Network location change | Conditional Access policy evaluated (if location policies exist) |

CAE-Aware Applications

CAE works with Microsoft services that support it:

| Application | CAE Support |
|-------------|-------------|
| Exchange Online | Yes |
| SharePoint Online | Yes |
| OneDrive | Yes |
| Microsoft Teams | Yes |
| Microsoft Graph API | Yes |
| Azure Resource Manager | Limited |
| Third-party apps | No (standard token lifetime applies) |

Step-by-Step Instructions

Step 1: Verify CAE Is Enabled Tenant-Wide

CAE is enabled by default for all tenants with Entra ID P1 or higher. Verify this setting:

  1. Navigate to entra.microsoft.com
  2. Go to Protection > Conditional Access > Session
  3. Under Continuous access evaluation, check the status

The setting should show one of these options:

  • Enabled - CAE is fully enabled (recommended)
  • Disabled - CAE is turned off (not recommended)
  • Strictly enforce location policies - CAE with strict location enforcement

If CAE is Disabled:

  1. Click Customize continuous access evaluation
  2. Select Enabled
  3. Click Save

Step 2: Configure CAE Mode

CAE has two enforcement modes:

| Mode | Behavior | Recommended For |
|------|----------|-----------------|
| Default (Enabled) | Services evaluate location claims at their discretion | Most organizations |
| Strictly enforce location policies | All location changes require immediate re-evaluation | High-security environments |

To enable strict location enforcement:

  1. Go to Protection > Conditional Access > Session
  2. Click Customize continuous access evaluation
  3. Select Strictly enforce location policies
  4. Click Save

Important: Strict enforcement may cause more frequent sign-in prompts for mobile or traveling users. Test thoroughly before enabling in production.

Step 3: Verify CAE in Sign-In Logs

Check that CAE is working correctly:

  1. Go to Monitoring & health > Sign-in logs
  2. Click on a recent sign-in for Exchange Online, SharePoint, or Teams
  3. In the sign-in details, look for:
    • Token type: Should show "CAE" or "Primary Refresh Token (CAE)"
    • CAE Token: Yes/No indicator

If you don't see CAE tokens:

  • Verify the user has P1 license
  • Verify the application supports CAE
  • Check if CAE is enabled at tenant level

Step 4: Configure Conditional Access Policies for CAE

CAE evaluates Conditional Access policies in real-time. Ensure your policies support this:

Location-based policies:

  1. Go to Protection > Conditional Access > Named locations
  2. Verify you have IP-based named locations defined (required for location-aware CAE)
  3. Create a named location if none exists:
    • Click + IP ranges location
    • Name: Corporate Network
    • Mark as Trusted location
    • Add your corporate IP ranges
    • Click Create

Review existing policies:

  1. Go to Conditional Access > Policies
  2. For each policy using location conditions:
    • Open the policy
    • Verify Locations condition uses named locations
    • Policies using "All locations" won't trigger CAE location events
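The checks in Steps 1, 2 and 4 can be run against an export of your Conditional Access policies instead of clicking through each one. The script below is an added example, not part of this guide or any Microsoft tooling: it audits a JSON document shaped like a Microsoft Graph `GET /identity/conditionalAccess/policies` response, flags policies whose session control turns CAE off, and flags location conditions that reference only the "All" keyword rather than a named location. The sample policies are constructed, and the `sessionControls.continuousAccessEvaluation.mode` field names and the `disabled` / `strictLocation` values are assumed to match the Graph schema.

```python
import json

# Constructed sample shaped like a Graph conditionalAccessPolicies response.
# Names and GUIDs are placeholders, not real tenant data.
SAMPLE_POLICIES = json.loads("""
{"value": [
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"locations": null},
  "sessionControls": null},
 {"displayName": "Block legacy auth from any location", "state": "enabled",
  "conditions": {"locations": {"includeLocations": ["All"],
                               "excludeLocations": []}},
  "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
 {"displayName": "Strict CAE for admins", "state": "enabled",
  "conditions": {"locations": {"includeLocations":
                               ["00000000-0000-0000-0000-000000000001"],
                               "excludeLocations": []}},
  "sessionControls": {"continuousAccessEvaluation": {"mode": "strictLocation"}}}
]}
""")


def cae_mode(policy):
    """CAE mode set by the policy's session control, or 'default' when the
    control is not customized (the tenant-wide CAE default then applies)."""
    controls = policy.get("sessionControls") or {}
    cae = controls.get("continuousAccessEvaluation") or {}
    return cae.get("mode", "default")


def uses_named_locations(policy):
    """True if the location condition references at least one named location.
    The 'All' keyword alone does not produce CAE location events."""
    locations = (policy.get("conditions") or {}).get("locations") or {}
    refs = list(locations.get("includeLocations") or []) \
        + list(locations.get("excludeLocations") or [])
    return any(ref != "All" for ref in refs)


def audit_policies(export):
    """Return (policy name, finding) pairs for settings the guide warns about."""
    findings = []
    for policy in export.get("value", []):
        name = policy["displayName"]
        if cae_mode(policy) == "disabled":
            findings.append((name, "CAE disabled by session control"))
        has_location_condition = (policy.get("conditions") or {}).get("locations") is not None
        if has_location_condition and not uses_named_locations(policy):
            findings.append((name, "location condition uses only 'All'; no CAE location events"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_policies(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```

Replace `SAMPLE_POLICIES` with the parsed output of the Graph call (or the JSON download from the Conditional Access blade) to audit a real tenant.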

Step 5: Test CAE Functionality

Test 1: Password Change Revocation

  1. Sign in to Outlook Web (outlook.office.com) as a test user
  2. Keep the session open
  3. In a separate admin session, reset the test user's password:
    • Go to Users > [test user] > Reset password
  4. Within 2-5 minutes, the Outlook session should be invalidated
  5. User should be prompted to sign in again

Test 2: Account Disable Revocation

  1. Sign in to SharePoint as a test user
  2. Keep the session open
  3. In admin session, disable the test user account:
    • Go to Users > [test user] > Properties > Set Account enabled to No
  4. Within 2-5 minutes, SharePoint access should be revoked
  5. Re-enable the account after testing

Test 3: Location Change (if strict enforcement enabled)

  1. Sign in from corporate network
  2. Verify access to protected resources
  3. VPN to a different location (or disable VPN)
  4. Attempt to access resources
  5. Should prompt for re-authentication

Step 6: Review CAE Audit Events

Monitor CAE activity:

  1. Go to Monitoring & health > Audit logs
  2. Filter by Activity: Search for "token"
  3. Look for events related to:
    • Token revocation
    • Session invalidation
    • CAE challenge events

For more detailed analysis:

  1. Go to Sign-in logs
  2. Filter by Status: Failure
  3. Look for failures with Failure reason related to:
    • "CAE challenge required"
    • "Session revoked"
    • "Token no longer valid"

Step 7: Document CAE Configuration

Create documentation for your security records:

## Continuous Access Evaluation Configuration

**Tenant:** [Your tenant name]
**Verified Date:** [Date]
**Verified By:** [Your name]

### Settings
- CAE Status: Enabled
- Location Enforcement: Default / Strict (circle one)
- Named Locations Configured: Yes / No

### Named Locations (for CAE location awareness)
| Location Name | IP Ranges | Trusted? |
|---------------|-----------|----------|
| Corporate HQ | x.x.x.x/24 | Yes |
| Branch Office | y.y.y.y/24 | Yes |

### Testing Results
- Password change revocation: Passed / Failed
- Account disable revocation: Passed / Failed
- Location change (if strict): Passed / Failed / N/A

### Notes
[Any special configurations or exceptions]

Verification Checklist

  • CAE is enabled at the tenant level
  • CAE mode is appropriate for organization (Default or Strict)
  • Named locations are configured for location-aware policies
  • Conditional Access policies are compatible with CAE
  • Sign-in logs show CAE tokens for supported applications
  • Password change revocation tested and working
  • Account disable revocation tested and working
  • Location change behavior verified (if using strict mode)
  • Documentation updated with CAE configuration

Troubleshooting

"CAE tokens not appearing in sign-in logs"

  1. Verify user has Entra ID P1 license assigned
  2. Verify accessing a CAE-supported application (Exchange, SharePoint, Teams)
  3. Check that CAE is enabled at tenant level
  4. Wait for token refresh (existing non-CAE tokens persist until expiry)
  5. Have user sign out and sign in fresh

"Access not revoked after password change"

  1. Verify CAE is enabled
  2. Check that the application supports CAE (third-party apps don't)
  3. Allow up to 5-10 minutes (near real-time, not instant)
  4. Check sign-in logs for CAE challenge events
  5. Verify user doesn't have cached offline access

"Users getting too many sign-in prompts"

Common with strict location enforcement:

  1. Review if strict enforcement is truly needed
  2. Consider switching to default CAE mode
  3. Ensure named locations include all legitimate work locations
  4. Check for IP address changes (mobile carriers, VPN split tunneling)
  5. Review if location-based CA policies are too restrictive

"CAE not working for specific application"

  1. Verify application is in the supported list (Exchange, SharePoint, Teams, Graph)
  2. Third-party applications don't support CAE - this is expected
  3. For supported apps, check application-specific settings
  4. Review if app is using cached/offline tokens

"Revocation taking longer than expected"

Normal CAE revocation time:

  • Critical events (password change, disable): 2-10 minutes
  • Location change: Near-instant to a few minutes

If consistently slow:

  1. Check Microsoft service health for any ongoing issues
  2. Verify network connectivity to Microsoft services
  3. Consider strict enforcement mode for faster location evaluation

Cost Considerations

| Component | Cost Impact |
|-----------|-------------|
| Entra ID P1 License | Required. ~$6/user/month standalone, included in M365 E3/E5, EMS E3/E5 |
| CAE Feature | No additional cost beyond P1 licensing |
| Log Analytics (optional) | If using for extended monitoring, standard Azure Monitor pricing applies |

Note: CAE is included with P1 licensing at no additional cost. The main consideration is ensuring all users who need CAE protection have P1 licenses assigned.

CAE Limitations and Considerations

What CAE Does NOT Cover

| Scenario | Reason | Mitigation |
|----------|--------|------------|
| Third-party SaaS apps | Don't support CAE protocol | Use shorter token lifetimes via CA policies |
| Desktop apps with cached tokens | Offline access tokens | Configure offline access policies |
| Mobile apps with refresh tokens | May have cached access | Users may need to re-authenticate |
| Azure Resource Manager (ARM) | Limited CAE support | Use additional controls for Azure management |

Network Considerations

  • CAE requires connectivity to Microsoft services
  • Events are pushed via secure channels
  • Firewall rules should allow Microsoft service endpoints

User Experience Impact

  • Users may see more frequent authentication prompts with strict enforcement
  • Mobile users on cellular networks may experience more challenges
  • VPN users may trigger location re-evaluation
