How to Fix: Enable Continuous Access Evaluation
Step-by-step guide to implement enable continuous access evaluation in your Microsoft 365 environment.
Free baseline scan · No credit card · 5 minute setup
15-20 minutes
Estimated Time
4
Steps
medium
Severity
Enhanced Security
Baseline Level
Why This Matters
Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
- 3Microsoft Entra ID P1 or higher license
- 4Privileged Role Administrator role
Expected Configuration
- Continuous Access Evaluation (CAE) is enabled for all supported applications
- Critical event evaluation (user disabled, password changed) triggers immediate revocation
- Strict location enforcement is enabled for admin access
Remediation Steps
Review Current State
Assess your current privileged access configuration in Entra ID.
- •Navigate to Microsoft Entra admin center
- •Go to Identity > Roles and administrators
- •Review current role assignments
Plan Changes
Determine what changes need to be made to meet the expected configuration.
- •Identify users with excessive privileges
- •Document required role assignments
- •Plan implementation timeline
Implement Configuration
Apply the necessary changes to your Entra ID environment.
- •Configure PIM if applicable
- •Update role assignments
- •Set appropriate access reviews
Verify and Test
Confirm the changes are working as expected.
- •Run a TrueConfig scan to verify compliance
- •Test user access with affected accounts
- •Document the changes made
Related Resources
Automate Your Security Configuration
TrueConfig scans your Microsoft 365 environment on a schedule you control and, with safety gates, can fix configuration drift automatically. Start your free trial today.
Start Free Trial