Services
Summary
The Microsoft 365 admin center will implement continuous access evaluation (CAE) in September 2024, enabling near real-time session termination or reauthentication and enforcing policy changes without waiting for token expiration. This rollout requires no admin action and offers benefits like mitigating insider threats, preventing unauthorized access, and removing user access swiftly.
Details
We will enable continuous access evaluation (CAE) of tokens in the Microsoft 365 admin center in September 2024. This feature will proactively terminate active user or admin sessions, or require reauthentication, and enforce tenant policy changes in near real time instead of waiting for an access token to expire.
When this will happen:
General Availability (Worldwide): We will begin rolling out mid-September 2024 and expect to complete by late September 2024.
How this will affect your organization:
CAE is the feature that allows user or admin sessions to be revoked when certain critical events occur, or the location of the user or admin is not in the allowed IP address range. The access will be terminated almost instantly, instead of waiting for a token to expire.
OAuth 2.0 authentication (open authentication) traditionally relies on access token expiration to revoke a user's access to modern cloud services. Users or admins whose access rights have been terminated still have access to resources until the access token expires. For the Microsoft 365 admin center, this access can be as long as an hour, by default. With continuous access evaluation, a user's critical events and network location changes are continuously evaluated.
Enabling CAE offers several key benefits:
- Mitigate insider and data exfiltration threats: An employee can export a valid access token and replay it to gain access to admin center from outside of your organization. With continuous access evaluation, you can enforce IP location policies and monitor user-critical events in near real time to mitigate the risk of external access and exfiltration of data.
- Prevent unauthorized access: When a user account password is compromised, the Microsoft Entra administrator can reset it or disable the account in near real time to prevent unauthorized access to admin center.
- Remove user access in near real time: Organizations have an obligation to instantly remove an admin or user's access because of security threats, termination of employment, policy violations, or legal requirements. With continuous access evaluation, the Microsoft Entra administrator can instantly disable admin or user accounts and revoke access to organization resources in near real time.
What you need to do to prepare:
This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your admins about this change and update any relevant documentation.
Learn more: Continuous access evaluation in Microsoft Entra - Microsoft Entra ID | Microsoft Learn
CAE will be supported in Microsoft 365 admin center. To take advantage of CAE’s IP location conditional access (CA) policy enforcement, you should set up Continuous access evaluation strict location enforcement in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn