Enable Continuous Access Evaluation for Education & Research

Education & Research organizations face specific regulatory requirements including cis, nist-800-53, soc2. The PA-07 control helps address these requirements by:

• Continuous Access Evaluation (CAE) is enabled for all supported applications
• Critical event evaluation (user disabled, password changed) triggers immediate revocation
• Strict location enforcement is enabled for admin access

Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.

When implementing PA-07 in a education & research environment, consider:

• **Regulatory requirements**: cis, nist-800-53, soc2 may mandate specific configurations
• **Risk tolerance**: Education & Research organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

To implement PA-07 in your Microsoft 365 environment:

• Continuous Access Evaluation (CAE) is enabled for all supported applications
• Critical event evaluation (user disabled, password changed) triggers immediate revocation
• Strict location enforcement is enabled for admin access

This control requires manual implementation through the Entra admin center.