Build resilience by using Continuous Access Evaluation
Continuous Access Evaluation (CAE) allows Azure Active Directory (Azure AD) applications to subscribe to critical events that can then be evaluated and enforced. CAE includes evaluation of the following events:
- User account deleted or disabled
- Password for user changed
- MFA enabled for user
- Administrator explicitly revokes a token
- Elevated user risk detected
As a result, applications can reject unexpired tokens based on the events signaled by Azure AD as depicted in the following diagram.
How does CAE help?
The CAE mechanism allows Azure AD to issue longer-lived tokens while enabling applications to revoke access and force reauthentication only when needed. The net result of this pattern is fewer calls to acquire tokens, which means that the end-to-end flow is more resilient.
To use CAE, both the service and the client must be CAE-capable. Microsoft 365 services such as Exchange Online, Teams, and SharePoint Online support CAE. On the client side, browser-based experiences that use these Office 365 services (such as Outlook Web App) and specific versions of Office 365 native clients are CAE-capable. More Microsoft cloud services will become CAE-capable.
Microsoft is working with the industry to build standards that will allow third-party applications to use the CAE capability. You can also develop applications that are CAE-capable. For more information about CAE-capable application development, see How to build resilience in your application.
How do I implement CAE?
- Update your code to use CAE-enabled APIs.
- Enable CAE in the Azure AD Security Configuration.
- Ensure that your organization is using compatible versions of Microsoft Office native applications.
- Optimize your reauthentication prompts.
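The "update your code" step above is the client half of the mechanism described under "How does CAE help?": a CAE-capable service answers a request made with a token issued before a critical event with HTTP 401 and a claims challenge, and the client must re-acquire a token that satisfies the challenge and retry. The Python program below is an added example, not Microsoft's or MSAL's code. It simulates a CAE-capable service and a CAE-capable client, parses the claims challenge from the `WWW-Authenticate` header, and applies the retry-once rule. The header shape (`error="insufficient_claims", claims="<base64 JSON>"` with an `access_token.nbf` requirement) follows the documented CAE challenge; all timestamps, tokens and the event are constructed, and the MSAL parameter names mentioned in comments (`client_capabilities`, `claims_challenge`) are stated as assumptions and are not exercised.

```python
import base64
import json
import re

# Added example of the client-side CAE pattern (not Microsoft/MSAL code).
# Header shape follows the documented CAE claims challenge; all values are constructed.
_CLAIMS_RE = re.compile(r'claims="([^"]+)"')


def encode_claims_challenge(challenge):
    """Base64-encode a claims dict the way a resource places it in WWW-Authenticate."""
    return base64.b64encode(json.dumps(challenge, separators=(",", ":")).encode()).decode()


def parse_claims_challenge(www_authenticate):
    """Decoded claims challenge from a WWW-Authenticate header, or None if there is none."""
    if not www_authenticate or not www_authenticate.startswith("Bearer"):
        return None
    match = _CLAIMS_RE.search(www_authenticate)
    if not match:
        return None
    raw = match.group(1)
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    try:
        return json.loads(base64.b64decode(raw))
    except ValueError:  # binascii.Error and JSONDecodeError both derive from ValueError
        return None


def required_nbf(challenge):
    """Not-before time (epoch seconds) the challenge demands of the new token, or None."""
    try:
        return int(challenge["access_token"]["nbf"]["value"])
    except (KeyError, TypeError, ValueError):
        return None


# Constructed sample: the challenge a resource returns after an event at 1604106651.
SAMPLE_WWW_AUTHENTICATE = ('Bearer error="insufficient_claims", claims="' + encode_claims_challenge(
    {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}) + '"')


class SimulatedCaeResource:
    """Stand-in for a CAE-capable service: once Azure AD signals a critical event at
    event_time, unexpired tokens issued before it get a claims challenge, not a 200."""

    def __init__(self, clock):
        self.clock = clock        # callable returning current epoch seconds
        self.event_time = None    # e.g. password change or admin token revocation

    def signal_event(self, event_time):
        self.event_time = event_time

    def call(self, token):
        """Return (status, headers) as an HTTP API would."""
        if token["exp"] <= self.clock():
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
        if self.event_time is not None and token["nbf"] < self.event_time:
            challenge = {"access_token": {"nbf": {"essential": True, "value": str(self.event_time)}}}
            header = 'Bearer error="insufficient_claims", claims="%s"' % encode_claims_challenge(challenge)
            return 401, {"WWW-Authenticate": header}
        return 200, {}


class SimulatedTokenClient:
    """Stand-in for a CAE-capable MSAL client (assumed: client_capabilities=["cp1"]).
    Tokens are long-lived and cached; a claims challenge bypasses the cache, as the
    assumed claims_challenge argument of acquire_token_silent does in MSAL."""

    def __init__(self, clock, lifetime=24 * 3600):
        self.clock, self.lifetime = clock, lifetime
        self.cached = None
        self.token_requests = 0   # round trips to the identity provider

    def acquire_token(self, claims_challenge=None):
        now = self.clock()
        if claims_challenge is None and self.cached and self.cached["exp"] > now:
            return self.cached
        self.token_requests += 1  # in production Azure AD re-evaluates and may prompt the user
        self.cached = {"nbf": now, "exp": now + self.lifetime}
        return self.cached


def call_with_cae_retry(resource, acquire_token):
    """Call the resource; on a CAE claims challenge, re-acquire and retry exactly once."""
    status, headers = resource.call(acquire_token())
    if status != 401:
        return status
    challenge = parse_claims_challenge(headers.get("WWW-Authenticate", ""))
    if challenge is None:
        return status             # ordinary 401 (invalid/expired token): no CAE retry
    fresh = acquire_token(claims_challenge=challenge)
    needed = required_nbf(challenge)
    if needed is not None and fresh["nbf"] < needed:
        return status             # still cannot satisfy the challenge; never loop
    return resource.call(fresh)[0]


def run_scenario():
    """Constructed walk-through: one token serves until an event is signalled, then the
    service challenges and the client recovers with exactly one extra token request."""
    clock = {"now": 1000}
    client = SimulatedTokenClient(lambda: clock["now"])
    resource = SimulatedCaeResource(lambda: clock["now"])
    before = call_with_cae_retry(resource, client.acquire_token)   # fresh token, 200
    clock["now"] = 1500
    cached = call_with_cae_retry(resource, client.acquire_token)   # cached token, 200
    resource.signal_event(2000)                                     # e.g. password changed
    clock["now"] = 2500
    after = call_with_cae_retry(resource, client.acquire_token)    # challenge, new token, 200
    return {"before_event": before, "cached": cached, "after_event": after,
            "token_requests": client.token_requests}
```

Two design points matter for resilience. The retry is bounded to one attempt and only happens when the 401 actually carries a claims challenge, so a misbehaving service or an ordinary expired token cannot turn the client into a loop of token requests against Azure AD. And the client checks that the re-acquired token meets the challenge's `nbf` before retrying, which is what turns the event signal (password change, revocation, risk) into a forced reauthentication while every other call keeps using the long-lived cached token.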
Resilience resources for administrators and architects
- Build resilience with credential management
- Build resilience with device states
- Build resilience in external user authentication
- Build resilience in your hybrid authentication
- Build resilience in application access with Application Proxy