Continuous access evaluation for workload identities
Continuous access evaluation (CAE) for workload identities provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities.
Continuous access evaluation doesn't currently support managed identities.
Scope of support
Continuous access evaluation for workload identities is supported only on access requests sent to Microsoft Graph as a resource provider. More resource providers will be added over time.
Service principals for line of business (LOB) applications are supported.
We support the following revocation events:
- Service principal disable
- Service principal delete
- High service principal risk as detected by Microsoft Entra ID Protection
Continuous access evaluation for workload identities supports Conditional Access policies that target location and risk.
Enable your application
Developers can opt in to Continuous access evaluation for workload identities when their API requests xms_cc as an optional claim. The xms_cc claim with a value of cp1 in the access token is the authoritative way to identify a client application is capable of handling a claims challenge. For more information about how to make this work in your application, see the article, Claims challenges, claims requests, and client capabilities.
Disable
In order to opt out, don't send the xms_cc claim with a value of cp1.
Organizations who have Microsoft Entra ID P1 or P2 can create a Conditional Access policy to disable continuous access evaluation applied to specific workload identities as an immediate stop-gap measure.
Troubleshooting
When a client’s access to a resource is blocked due to CAE being triggered, the client’s session is revoked, and the client needs to reauthenticate. This behavior can be verified in the sign-in logs.
The following steps detail how an admin can verify sign in activity in the sign-in logs:
- Sign in to the Microsoft Entra admin center as at least a Security Reader.
- Browse to Identity > Monitoring & health > Sign-in logs > Service Principal Sign-ins. You can use filters to ease the debugging process.
- To see activity details, select an entry. The Continuous access evaluation field indicates whether a CAE token was issued in a particular sign-in attempt.
Related content
- Register an application with Microsoft Entra ID and create a service principal
- How to use Continuous Access Evaluation enabled APIs in your applications
- Sample application using continuous access evaluation
- Securing workload identities with Microsoft Entra ID Protection
- What is continuous access evaluation?
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for