PA-07: Enable Continuous Access Evaluation

Frequently asked questions about implementing and managing the PA-07 security control in Microsoft 365 and Entra ID.

Q
What is PA-07 (Enable Continuous Access Evaluation)?
A

PA-07 is a security control that addresses the lifetime of standard OAuth tokens, which are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events. The control requires that Continuous Access Evaluation (CAE) is enabled for all supported applications, that critical event evaluation (user disabled, password changed) triggers immediate revocation, and that strict location enforcement is enabled for admin access.

Related controls: PA-07
Q
Why is Enable Continuous Access Evaluation important for Microsoft 365 security?
A

Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.

Related controls: PA-07
Q
How do I implement PA-07 in my tenant?
A

PA-07 requires manual implementation. CAE is enabled by default for supported apps, but that default state requires verification.

Related controls: PA-07
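
One way to carry out the verification this answer calls for, shown as an added example that is not part of the original page: a Python audit over Conditional Access policies exported as JSON. It assumes the export follows the Microsoft Graph `conditionalAccessPolicy` shape with the beta-schema field `sessionControls.continuousAccessEvaluation.mode`, treats any policy scoped through `includeRoles` as "admin access", and runs on constructed sample policies.

```python
import json

# Constructed sample: trimmed policies shaped like Microsoft Graph
# conditionalAccessPolicy objects (assumption: beta schema, where
# sessionControls.continuousAccessEvaluation.mode is exposed).
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Admins - strict location", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "strictLocation"}}},
  {"displayName": "Legacy app exception", "state": "enabled",
   "conditions": {"users": {"includeRoles": []}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
  {"displayName": "Pilot - report only", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
   "sessionControls": null}
]
""")

def cae_mode(policy):
    """Return the CAE mode a policy sets, or None if it sets none."""
    session = policy.get("sessionControls") or {}
    cae = session.get("continuousAccessEvaluation") or {}
    return cae.get("mode")

def audit_cae(policies):
    """List PA-07 findings: CAE opt-outs and missing admin strict location."""
    findings = []
    strict_admin = False
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only and disabled policies enforce nothing
        mode = cae_mode(p)
        users = (p.get("conditions") or {}).get("users") or {}
        roles = users.get("includeRoles") or []
        if mode == "disabled":
            findings.append(f"CAE disabled by policy: {p['displayName']}")
        if roles and mode == "strictLocation":
            strict_admin = True
    if not strict_admin:
        findings.append("No enabled policy enforces strict location for admin roles")
    return findings

if __name__ == "__main__":
    for line in audit_cae(SAMPLE_POLICIES):
        print(line)
```

A policy that sets no CAE session control leaves the default in place, so only an explicit `disabled` mode is reported as an opt-out.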
Q
What license do I need for PA-07?
A

This control requires Azure AD Premium P1 (included in Microsoft 365 E3) or higher.

Related controls: PA-07
Q
Which security baseline includes PA-07?
A

PA-07 is included in the Maximum Security baseline (Level 3). This level is designed for high-security environments and regulated industries.

Related controls: PA-07
Q
Why is PA-07 marked as critical severity?
A

PA-07 is rated critical because failure to implement this control significantly increases the risk of security incidents. Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.

Related controls: PA-07
