Enable Continuous Access Evaluation for Professional Services & Consulting

Professional Services & Consulting organizations face specific regulatory requirements including soc2, iso27001, cis. The PA-07 control helps address these requirements by:

• Continuous Access Evaluation (CAE) is enabled for all supported applications
• Critical event evaluation (user disabled, password changed) triggers immediate revocation
• Strict location enforcement is enabled for admin access

Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.

When implementing PA-07 in a professional services & consulting environment, consider:

• **Regulatory requirements**: soc2, iso27001, cis may mandate specific configurations
• **Risk tolerance**: Professional Services & Consulting organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

To implement PA-07 in your Microsoft 365 environment:

• Continuous Access Evaluation (CAE) is enabled for all supported applications
• Critical event evaluation (user disabled, password changed) triggers immediate revocation
• Strict location enforcement is enabled for admin access

This control requires manual implementation through the Entra admin center.