PA-07: Verifying Continuous Access Evaluation Is Enabled
Overview
This guide walks you through verifying and configuring Continuous Access Evaluation (CAE) in your Microsoft Entra ID tenant. CAE enables near real-time enforcement of access policies by allowing services to subscribe to critical events (like user termination, password changes, or location changes) and immediately revoke access rather than waiting for token expiration.
Why This Matters: Traditional token-based authentication relies on token lifetimes (typically 1 hour for access tokens). If a user is terminated or their password is reset, they can continue accessing resources until their token expires. CAE reduces this window from hours to near-instant, significantly limiting the damage a compromised or terminated account can cause.
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | Global Administrator, Security Administrator, or Conditional Access Administrator (for viewing and configuration) |
| License Required | Microsoft Entra ID P1 (included with M365 E3/E5, EMS E3/E5) |
| Access | Microsoft Entra admin center |
Time Estimate
15-30 minutes for verification and basic configuration
- Verify CAE status: 5 minutes
- Review and adjust settings: 10-15 minutes
- Testing: 10 minutes
Understanding Continuous Access Evaluation
How CAE Works
Without CAE:
- User signs in and receives access token (valid for ~1 hour)
- User is terminated or password changed
- User continues accessing resources until token expires
- Access revoked only after token lifetime ends
With CAE:
- User signs in and receives CAE-aware token (up to 28 hours)
- User is terminated or password changed
- Microsoft Entra ID pushes critical event to subscribed services
- Service immediately validates token and revokes access
- Access denied within minutes, not hours
Critical Events That Trigger CAE
| Event | What Happens |
|---|---|
| User account disabled | Immediate session revocation |
| User account deleted | Immediate session revocation |
| Password changed | Immediate session revocation |
| Password reset by admin | Immediate session revocation |
| MFA revoked (all sessions) | Immediate session revocation |
| High-risk user detected | Conditional Access policy evaluated |
| Network location change | Conditional Access policy evaluated (if location policies exist) |
CAE-Aware Applications
CAE works with Microsoft services that support it:
| Application | CAE Support |
|---|---|
| Exchange Online | Yes |
| SharePoint Online | Yes |
| OneDrive | Yes |
| Microsoft Teams | Yes |
| Microsoft Graph API | Yes |
| Azure Resource Manager | Limited |
| Third-party apps | No (standard token lifetime applies) |
Step-by-Step Instructions
Step 1: Verify CAE Is Enabled Tenant-Wide
CAE is enabled by default for all tenants with Entra ID P1 or higher. Verify this setting:
- Navigate to entra.microsoft.com
- Go to Protection > Conditional Access > Session
- Under Continuous access evaluation, check the status
The setting should show one of these options:
- Enabled - CAE is fully enabled (recommended)
- Disabled - CAE is turned off (not recommended)
- Strictly enforce location policies - CAE with strict location enforcement
If CAE is Disabled:
- Click Customize continuous access evaluation
- Select Enabled
- Click Save
Step 2: Configure CAE Mode
CAE has two enforcement modes:
| Mode | Behavior | Recommended For |
|---|---|---|
| Default (Enabled) | Services evaluate location claims at their discretion | Most organizations |
| Strictly enforce location policies | All location changes require immediate re-evaluation | High-security environments |
To enable strict location enforcement:
- Go to Protection > Conditional Access > Session
- Click Customize continuous access evaluation
- Select Strictly enforce location policies
- Click Save
Important: Strict enforcement may cause more frequent sign-in prompts for mobile or traveling users. Test thoroughly before enabling in production.
Step 3: Verify CAE in Sign-In Logs
Check that CAE is working correctly:
- Go to Monitoring & health > Sign-in logs
- Click on a recent sign-in for Exchange Online, SharePoint, or Teams
- In the sign-in details, look for:
  - Token type: Should show "CAE" or "Primary Refresh Token (CAE)"
  - CAE Token: Yes/No indicator
If you don't see CAE tokens:
- Verify the user has P1 license
- Verify the application supports CAE
- Check if CAE is enabled at tenant level
Step 4: Configure Conditional Access Policies for CAE
CAE evaluates Conditional Access policies in real time. Ensure your policies support this:
Location-based policies:
- Go to Protection > Conditional Access > Named locations
- Verify you have IP-based named locations defined (required for location-aware CAE)
- Create a named location if none exists:
  - Click + IP ranges location
  - Name: Corporate Network
  - Mark as Trusted location
  - Add your corporate IP ranges
  - Click Create
Review existing policies:
- Go to Conditional Access > Policies
- For each policy using location conditions:
  - Open the policy
  - Verify the Locations condition uses named locations
  - Policies using "All locations" won't trigger CAE location events
Step 5: Test CAE Functionality
Test 1: Password Change Revocation
- Sign in to Outlook Web (outlook.office.com) as a test user
- Keep the session open
- In a separate admin session, reset the test user's password:
  - Go to Users > [test user] > Reset password
- Within 2-5 minutes, the Outlook session should be invalidated
- User should be prompted to sign in again
Test 2: Account Disable Revocation
- Sign in to SharePoint as a test user
- Keep the session open
- In the admin session, disable the test user account:
  - Go to Users > [test user] > Properties > Set Account enabled to No
- Within 2-5 minutes, SharePoint access should be revoked
- Re-enable the account after testing
Test 3: Location Change (if strict enforcement enabled)
- Sign in from corporate network
- Verify access to protected resources
- VPN to a different location (or disable VPN)
- Attempt to access resources
- Should prompt for re-authentication
Step 6: Review CAE Audit Events
Monitor CAE activity:
- Go to Monitoring & health > Audit logs
- Filter by Activity: Search for "token"
- Look for events related to:
  - Token revocation
  - Session invalidation
  - CAE challenge events
For more detailed analysis:
- Go to Sign-in logs
- Filter by Status: Failure
- Look for failures with a Failure reason related to:
  - "CAE challenge required"
  - "Session revoked"
  - "Token no longer valid"
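As an added example (not part of this guide), a Python script that applies the checks from Steps 3 and 6 to an exported sign-in log: it counts CAE-capable tokens per application, flags sign-ins to CAE-capable apps that were not issued a CAE token, and pulls out failures whose reason matches the CAE-related phrases above. The record field names, the "Is CAE Token" processing-detail key, the application display names and the sample records are assumptions made for this example; check them against your tenant's export.

```python
"""Summarise an Entra sign-in export for CAE coverage (Steps 3 and 6). Assumed
record shape (Graph auditLogs/signIns): appDisplayName, userPrincipalName,
status.failureReason, authenticationProcessingDetails=[{"key": "Is CAE Token", ...}]."""
from collections import Counter

# Display names assumed for the apps the guide lists as CAE-capable.
CAE_APPS = {"Office 365 Exchange Online", "Office 365 SharePoint Online",
            "Microsoft Teams", "Microsoft Graph"}
# Failure-reason substrings the guide associates with CAE enforcement.
CAE_FAILURE_HINTS = ("cae challenge", "session revoked", "token no longer valid")


def is_cae_token(record):
    """True when the sign-in's processing details mark the token as CAE-capable."""
    for item in record.get("authenticationProcessingDetails", []):
        if item.get("key", "").lower() == "is cae token":
            return item.get("value", "").lower() == "true"
    return False


def summarise(records):
    """Per-app CAE counts, gaps (CAE-capable app but non-CAE token), CAE failures."""
    per_app, gaps, failures = {}, [], []
    for rec in records:
        app, upn = rec.get("appDisplayName", "unknown"), rec.get("userPrincipalName")
        cae = is_cae_token(rec)
        per_app.setdefault(app, Counter())["cae" if cae else "non_cae"] += 1
        if app in CAE_APPS and not cae:  # missing P1, CAE disabled, or a stale token
            gaps.append((upn, app))
        reason = (rec.get("status") or {}).get("failureReason") or ""
        if any(hint in reason.lower() for hint in CAE_FAILURE_HINTS):
            failures.append((upn, app, reason))
    return per_app, gaps, failures


def make_record(upn, app, cae=None, reason=None):
    """Constructed sample record; cae=None means no CAE detail was logged."""
    details = [] if cae is None else [{"key": "Is CAE Token", "value": str(cae)}]
    return {"userPrincipalName": upn, "appDisplayName": app,
            "status": {"failureReason": reason}, "authenticationProcessingDetails": details}


# Constructed sample export, not data from a real tenant.
SAMPLE = [
    make_record("alice@contoso.example", "Office 365 Exchange Online", cae=True),
    make_record("bob@contoso.example", "Office 365 SharePoint Online", cae=False),
    make_record("alice@contoso.example", "Contoso HR Portal"),  # third-party, no CAE
    make_record("bob@contoso.example", "Microsoft Teams", cae=True,
                reason="Session revoked: CAE challenge required"),
]
```

Running `summarise(SAMPLE)` on the constructed records reports the SharePoint sign-in as a gap to investigate (CAE-capable app, non-CAE token) and the Teams failure as a CAE-related revocation, while the third-party app's non-CAE token is expected and not flagged.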
Step 7: Document CAE Configuration
Create documentation for your security records:
## Continuous Access Evaluation Configuration
**Tenant:** [Your tenant name]
**Verified Date:** [Date]
**Verified By:** [Your name]
### Settings
- CAE Status: Enabled
- Location Enforcement: Default / Strict (circle one)
- Named Locations Configured: Yes / No
### Named Locations (for CAE location awareness)
| Location Name | IP Ranges | Trusted? |
|---------------|-----------|----------|
| Corporate HQ | x.x.x.x/24 | Yes |
| Branch Office | y.y.y.y/24 | Yes |
### Testing Results
- Password change revocation: Passed / Failed
- Account disable revocation: Passed / Failed
- Location change (if strict): Passed / Failed / N/A
### Notes
[Any special configurations or exceptions]
Verification Checklist
- CAE is enabled at the tenant level
- CAE mode is appropriate for organization (Default or Strict)
- Named locations are configured for location-aware policies
- Conditional Access policies are compatible with CAE
- Sign-in logs show CAE tokens for supported applications
- Password change revocation tested and working
- Account disable revocation tested and working
- Location change behavior verified (if using strict mode)
- Documentation updated with CAE configuration
Troubleshooting
"CAE tokens not appearing in sign-in logs"
- Verify user has Entra ID P1 license assigned
- Verify accessing a CAE-supported application (Exchange, SharePoint, Teams)
- Check that CAE is enabled at tenant level
- Wait for token refresh (existing non-CAE tokens persist until expiry)
- Have user sign out and sign in fresh
"Access not revoked after password change"
- Verify CAE is enabled
- Check that the application supports CAE (third-party apps don't)
- Allow up to 5-10 minutes (near real-time, not instant)
- Check sign-in logs for CAE challenge events
- Verify user doesn't have cached offline access
"Users getting too many sign-in prompts"
Common with strict location enforcement:
- Review if strict enforcement is truly needed
- Consider switching to default CAE mode
- Ensure named locations include all legitimate work locations
- Check for IP address changes (mobile carriers, VPN split tunneling)
- Review if location-based CA policies are too restrictive
"CAE not working for specific application"
- Verify application is in the supported list (Exchange, SharePoint, Teams, Graph)
- Third-party applications don't support CAE - this is expected
- For supported apps, check application-specific settings
- Review if app is using cached/offline tokens
"Revocation taking longer than expected"
Normal CAE revocation time:
- Critical events (password change, disable): 2-10 minutes
- Location change: Near-instant to a few minutes
If consistently slow:
- Check Microsoft service health for any ongoing issues
- Verify network connectivity to Microsoft services
- Consider strict enforcement mode for faster location evaluation
Cost Considerations
| Component | Cost Impact |
|---|---|
| Entra ID P1 License | Required. ~$6/user/month standalone, included in M365 E3/E5, EMS E3/E5 |
| CAE Feature | No additional cost beyond P1 licensing |
| Log Analytics (optional) | If using for extended monitoring, standard Azure Monitor pricing applies |
Note: CAE is included with P1 licensing at no additional cost. The main consideration is ensuring all users who need CAE protection have P1 licenses assigned.
CAE Limitations and Considerations
What CAE Does NOT Cover
| Scenario | Reason | Mitigation |
|---|---|---|
| Third-party SaaS apps | Don't support CAE protocol | Use shorter token lifetimes via CA policies |
| Desktop apps with cached tokens | Offline access tokens | Configure offline access policies |
| Mobile apps with refresh tokens | May have cached access | Users may need to re-authenticate |
| Azure Resource Manager (ARM) | Limited CAE support | Use additional controls for Azure management |
Network Considerations
- CAE requires connectivity to Microsoft services
- Events are pushed via secure channels
- Firewall rules should allow Microsoft service endpoints
User Experience Impact
- Users may see more frequent authentication prompts with strict enforcement
- Mobile users on cellular networks may experience more challenges
- VPN users may trigger location re-evaluation
Related Controls
- PA-01: Standing Global Admin - CAE enhances PIM activation security
- PA-05: Phishing-Resistant MFA - CAE works with authentication strength
- PA-03: Emergency Access - Emergency accounts should work regardless of CAE