Azure AD – Continuous access evaluation is now in preview to improve Conditional Access evaluation

As you know you can implement Conditional Access on Azure Active Directory to determine conditions of access to applications published through Azure AD.

You may also already know that Conditional Access evaluation may be delayed because authentication token obtained previously by the client is not yet expired. This means when a connection condition change it may take some time to be evaluated again by Conditional Access.

Well, this time is going to be over with the new Continuous Access Evaluation feature currently in preview.

With the Continuous Access Evaluation any connection condition changes will evaluated again almost in real time – there still could be some delay up to 15 min because of back end event propagation.

At this stage, the Continuous Access Evaluation is focusing on Exchange Online, Teams and SharePoint Online with the below list of events being evaluated:

  • User Account is deleted or disabled
  • Password for a user is changed or reset
  • Multi-factor authentication is enabled for the user
  • Administrator explicitly revokes all refresh tokens for a user
  • Elevated user risk detected by Azure AD Identity Protection

Before continuous access evaluation, clients would always try to replay the access token from its cache as long as it was not expired. With Continuous Access Evaluation, a new case has been introduced allowing a resource provider to reject a token even when it is not expired. In order to inform clients to bypass their cache even though the cached tokens have not expired, a new mechanism called claim challenge has been introduced to indicate that the token was rejected and a new access token need to be issued by Azure AD. Continuous Access Evaluation requires a client update to understand claim challenge. The latest version of the following applications below support claim challenge:

  • Outlook Windows
  • Outlook iOS
  • Outlook Android
  • Outlook Mac
  • Outlook Web App
  • Teams for Windows (Only for Teams resource)
  • Teams iOS (Only for Teams resource)
  • Teams Android (Only for Teams resource)
  • Teams Mac (Only for Teams resource)
  • Word/Excel/PowerPoint for Windows
  • Word/Excel/PowerPoint for iOS
  • Word/Excel/PowerPoint for Android
  • Word/Excel/PowerPoint for Mac

If you want to enable this new capability, logon to your Azure AD portal (https://aad.portal.azure.com/) or Azure portal (https://portal.azure.com/) and access the Azure Active Directory blade

image_thumb[1]  image_thumb[2]

Once in your Azure AD blade, access the SecurityContinuous access evaluation blade and then turn on the feature and select to which users/groups this will apply – default is set to all users/groups

image_thumb[5]