While browsing through the options in my Conditional Access policies I noticed a new session control related to Continuous Access Evaluation (CAE). Time for a blog post on my findings.

Continuous access evaluation allows for a quicker response by forcing an access token refresh when certain events take place. In October last year I already wrote about Azure AD Continuous access evaluation (CAE), taking a first look at its functionality, so if you want to know more about what Continuous Access Evaluation is exactly, I would recommend reading that article first.

The new option that has appeared in Conditional Access can be found under Session in the Access controls section.

Session Control options

As you can see from the screenshot, you have the ability to select “Customize continuous access evaluation” and, once selected, you have two options: 1) Disable and 2) Strict enforcement.

“Disable” works correctly when “All cloud apps” is selected and no condition has been chosen. So if you want to disable Continuous Access Evaluation you should explicitly create a Conditional Access policy targeting all cloud apps, without any condition. In effect, you can only turn it off for every session going through Azure AD Conditional Access.

“Strict enforcement” will disable non-CAE enabled clients. Also, the IP addresses seen by both Azure AD and the resource provider will be evaluated and enforced based on the IP location policy.

The CAE enabled clients are: Outlook, Teams, Office, OneDrive (on Web, Win32, iOS, Android and macOS), except for Office on the web, which is not supported. This means that other clients accessing the data will be blocked, and that once strict enforcement is enabled you can no longer work with documents in Office on the web.

Let’s test this. I modified one of my policies to include this new setting, set to “Strict enforcement”.

When creating a new Word document from the Office portal (https://portal.office.com)

When creating a new Excel document from the Office Portal

I was able to create a new Word on the web document and Excel on the web spreadsheet via the “New” option in OneDrive, which can be considered a “workaround”, but hopefully Office on the web will be included as a supported client soon.

So, Continuous Access Evaluation is now enabled by default. You can tweak this by disabling Continuous Access Evaluation or by setting it to strict enforcement. Be careful when using the strict option though, because it can break the user experience for people working in Office on the web.

Strict enforcement should only be used in environments where this is a hard requirement, and you can live with the restrictions (hopefully for now).
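
To find out where these two settings are already in use, the script below audits exported Conditional Access policies against the behaviour described above. It is an added example, not part of the original post; it assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape (`sessionControls.continuousAccessEvaluation.mode`), and the sample policies and finding names are constructed.

```python
import json

# Constructed sample in the Microsoft Graph conditionalAccessPolicy JSON shape
# (assumed export format; policy names are made up for this example).
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "CAE off - all apps",
   "conditions": {"applications": {"includeApplications": ["All"]},
                  "clientAppTypes": ["all"]},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
  {"displayName": "CAE off - Exchange from trusted sites",
   "conditions": {"applications": {"includeApplications": ["Office365"]},
                  "locations": {"includeLocations": ["AllTrusted"]}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
  {"displayName": "CAE strict",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "sessionControls": {"continuousAccessEvaluation": {"mode": "strictEnforcement"}}},
  {"displayName": "Require MFA",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "sessionControls": null}
]
""")

# Condition blocks that count as "a condition has been chosen".
CONDITION_KEYS = ("platforms", "locations", "devices", "signInRiskLevels", "userRiskLevels")

def has_conditions(cond):
    """True if the policy narrows scope beyond users and apps."""
    if any(cond.get(k) for k in CONDITION_KEYS):
        return True
    return cond.get("clientAppTypes") not in (None, [], ["all"])

def review_cae(policy):
    """Return a list of findings for one policy's CAE session control."""
    cae = (policy.get("sessionControls") or {}).get("continuousAccessEvaluation") or {}
    mode, cond = cae.get("mode"), policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    findings = []
    if mode == "disabled":
        # "Disable" only works as intended for all cloud apps with no condition.
        if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
            findings.append("disable-not-all-cloud-apps")
        if has_conditions(cond):
            findings.append("disable-with-conditions")
    elif mode == "strictEnforcement":
        findings.append("strict-blocks-non-cae-clients")  # e.g. Office on the web
    return findings

def review_all(policies):
    """Map policy name to findings, skipping policies with nothing to report."""
    return {p["displayName"]: f for p in policies if (f := review_cae(p))}
```

Calling `review_all(SAMPLE_EXPORT)` reports the scoped "disable" policy and the strict-enforcement policy, and leaves the all-apps "disable" policy and the policy without a CAE session control alone.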

Continuous access evaluation – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

