How to Fix: Enable Continuous Access Evaluation
Step-by-step guide to implement enable continuous access evaluation in your Microsoft 365 environment.
30-60 minutes
Estimated Time
4
Steps
critical
Severity
Maximum Security
Baseline Level
Why This Matters
Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
- 3Microsoft Entra ID P1 or higher license
- 4Privileged Role Administrator role
Expected Configuration
- Continuous Access Evaluation (CAE) is enabled for all supported applications
- Critical event evaluation (user disabled, password changed) triggers immediate revocation
- Strict location enforcement is enabled for admin access
Remediation Steps
Review Current State
Assess your current privileged access configuration in Entra ID.
- •Navigate to Microsoft Entra admin center
- •Go to Identity > Roles and administrators
- •Review current role assignments
Plan Changes
Determine what changes need to be made to meet the expected configuration.
- •Identify users with excessive privileges
- •Document required role assignments
- •Plan implementation timeline
Implement Configuration
Apply the necessary changes to your Entra ID environment.
- •Configure PIM if applicable
- •Update role assignments
- •Set appropriate access reviews
Verify and Test
Confirm the changes are working as expected.
- •Run a TrueConfig scan to verify compliance
- •Test user access with affected accounts
- •Document the changes made
Related Resources
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
Start Free Trial