Core Infrastructure and Security Blog

Entra ID Continuous Access Evaluation unfold

Farooque (Microsoft)
Dec 23, 2024

I am Farooque Mohammad, and I have been working with Microsoft for the last 6.5 years. I primarily work on Identity & Security. This is my first blog, and I want to dive into Entra ID Continuous Access Evaluation (CAE), a security feature that helps protect resources on Entra ID.


Assume a client wants to access a resource or an application. It authenticates to Entra ID and receives two tokens: a refresh token and an access token. The access token is what the client presents to the resource on every request; it is signed by Entra ID and valid for 60 to 90 minutes by default. The refresh token is long-lived (days to months, depending on the client type and tenant policy) and is used to obtain a fresh access token from Entra ID roughly every hour without prompting the user again.


Now, what happens if the access token is compromised or stolen? A resource accepts an access token by checking its signature and expiry; it does not call back to Entra ID on every request, so revoking the user's session at Entra ID does nothing to a token that is already out. A stolen token therefore stays usable until it expires, up to an hour, which gives an attacker ample time to act. We need a mechanism that invalidates the token as soon as a critical event occurs. Entra ID raises a critical event when:

  • The user's password is changed or reset.
  • The user account is disabled or deleted.
  • The client's IP location changes in a way that violates a Conditional Access location policy (this one is checked by the resource; see below).
  • MFA is enabled for the user.
  • An administrator explicitly revokes the user's refresh tokens.
  • Entra ID Protection detects high user risk.

When one of these events occurs, Entra ID publishes a revocation event to the CAE-capable resources. The resource stops honoring the current access token and answers the client's next request with HTTP 401 and a claims challenge (a WWW-Authenticate header carrying error="insufficient_claims" and a claims value). A CAE-capable client recognizes the challenge, goes back to Entra ID with its refresh token and the challenge's claims, and is issued a new access token; if the refresh token was revoked as well, the user has to sign in again. Propagation is near real time, typically within 15 minutes of the critical event, after which the resource rejects the old token and only a client holding a valid refresh token can obtain a replacement.
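The client side of the exchange above, as an added example that is not part of the original post: a small Python script that parses the 401 claims challenge a CAE-capable resource returns, decodes the claims, merges in the cp1 client capability and builds the refresh-token request the client would send back to Entra ID. The WWW-Authenticate sample is constructed here, and the client ID and refresh token values are placeholders. In practice MSAL does all of this for you when the app is created with client_capabilities=["cp1"] and the decoded claims are passed as claims_challenge to acquire_token_silent; the script only makes the steps visible.

```python
import base64
import json
import re

# Constructed sample of the 401 response a CAE-capable resource returns after a
# revocation event; the claims value is built here, not captured from a tenant.
CLAIMS_CHALLENGE = {"access_token": {"nbf": {"essential": True, "value": "1704067200"}}}
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(json.dumps(CLAIMS_CHALLENGE).encode()).decode() + '"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a 'Bearer k="v", ...' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(params))


def decode_claims(claims_b64):
    """Decode the base64 claims blob; accept url-safe alphabet and missing padding."""
    padded = claims_b64 + "=" * (-len(claims_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def extract_claims_challenge(header):
    """Return the decoded claims if this 401 is a CAE claims challenge, else None.

    A plain error="invalid_token" 401 is an ordinary expiry and needs no special handling.
    """
    params = parse_bearer_challenge(header)
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    return decode_claims(params["claims"])


def merge_client_capability(claims, capability="cp1"):
    """Add the xms_cc client capability to the claims sent to Entra ID.

    Declaring cp1 is how a client tells Entra ID it understands CAE challenges;
    without it Entra ID issues ordinary short-lived, non-CAE tokens.
    """
    merged = json.loads(json.dumps(claims or {}))          # deep copy, leave input intact
    access = merged.setdefault("access_token", {})
    values = access.setdefault("xms_cc", {}).setdefault("values", [])
    if capability not in values:
        values.append(capability)
    return merged


def build_token_request(client_id, refresh_token, scopes, claims):
    """Form body for POST /oauth2/v2.0/token that redeems the refresh token while
    echoing the challenge's claims (what MSAL sends when given claims_challenge)."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
        "claims": json.dumps(merge_client_capability(claims), separators=(",", ":")),
    }


if __name__ == "__main__":
    challenge = extract_claims_challenge(SAMPLE_WWW_AUTHENTICATE)
    print("claims challenge:", challenge)
    body = build_token_request("00000000-0000-0000-0000-000000000000",   # placeholder app ID
                               "<refresh token>",                         # placeholder
                               ["https://graph.microsoft.com/.default"], challenge)
    print("token request claims:", body["claims"])
```

Note that the challenge is only meaningful to a client that declared cp1 when it first signed in; a client that did not declare it never received a CAE token in the first place and simply sees its token expire on the normal schedule.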


It is important to note that both the client and the resource must support CAE for this mechanism to work. If the client does not declare CAE support, Entra ID issues it an ordinary short-lived token and protection falls back to token expiry; if the resource is not CAE-capable, it keeps accepting the token until it expires. As of now, Exchange Online, SharePoint Online (which includes OneDrive), Teams and Microsoft Graph are CAE-capable resources, and more services will be added in the future. On the client side, the Microsoft 365 desktop apps such as Outlook and Teams, and any application built on MSAL that declares the cp1 client capability, are CAE-capable.


Another benefit of CAE is that IP-based location conditions in Conditional Access are enforced on every request, for both IPv4 and IPv6, rather than only at sign-in. When a client requests a token and a Conditional Access policy with a location condition applies, Entra ID embeds that policy's ID (the Conditional Access Policy ID, CAPID) in the access token. The resource uses the ID to fetch the policy's allowed IP ranges (its named locations) from Entra ID and compares the source IP of each incoming request against them. If the client's IP moves outside those ranges, the resource detects the mismatch and issues a 401 challenge, forcing the client to obtain a new token. A stolen token is therefore useless when replayed from an IP outside the allowed locations, even though it has not expired.


CAE is enabled by default for any user whose client and resource both support it; no policy is needed to turn it on. Because revocation is event-driven, CAE-aware sessions do not follow the configurable token lifetime policies and their access tokens are long-lived (up to 28 hours), so the real-time revocation is what keeps them safe. Conditional Access session controls offer two customizations: disabling CAE for the users in a policy's scope, and "Strictly enforce location policies". Enable strict enforcement only after verifying your egress paths, because it blocks access when traffic to Entra ID and traffic to the resource leave through different IPs (split-tunnel VPNs, proxies and SASE gateways are the usual causes).


For instance, suppose Client1 signs in through a network firewall whose egress IP is 193.20.1.10. Entra ID evaluates the location policy against that address, finds it allowed, and issues a token carrying the policy ID. When the client then uses that token against Exchange Online, its traffic might leave through a different egress, such as 193.30.1.20. Exchange Online compares that address with the policy's ranges, finds no match, and blocks the request with a 401 challenge even though the user and device are legitimate.


In such cases, if the "Strictly enforce location policies" option is disabled, the client answers the challenge by going back to Entra ID, which again sees the request arriving from the allowed 193.20.1.10 and treats it as legitimate. To avoid bouncing the client between the two endlessly, Entra ID issues a new token without the CAPID, and the resource no longer applies the location check to that session. This keeps users working, at the cost of the per-request location check on that resource; with strict enforcement on, the same mismatch stays blocked, which is why that option should only be enabled once every egress path to Entra ID and to the resources is covered by the named locations.
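A simulation of the location check and of the Client1 scenario above (the 193.20.1.10 and 193.30.1.20 egress mismatch), added here as an example and not code from the post or from Microsoft. The named-location ranges, the policy ID and the "capid" claim name are constructed assumptions standing in for what a CAE-capable resource fetches from Entra ID; the script models the resource's per-request IP check for IPv4 and IPv6 ranges and shows how the outcome differs with strict location enforcement on and off.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: one Conditional Access policy that grants access only from the
# "corp-egress" named location (one IPv4 and one IPv6 range). Stands in for what a
# CAE-capable resource fetches from Entra ID using the policy ID in the token.
POLICY_ID = "11111111-2222-3333-4444-555555555555"   # hypothetical policy ID
NAMED_LOCATIONS = {"corp-egress": ["193.20.1.0/24", "2001:db8:1::/48"]}
POLICIES = {POLICY_ID: {"allowed_locations": ["corp-egress"]}}


@dataclass
class Decision:
    allow: bool
    status: int      # HTTP status the resource would return
    reason: str


def client_ip_allowed(policy_id, client_ip):
    """True if client_ip falls inside any range of the policy's allowed named locations."""
    addr = ipaddress.ip_address(client_ip)
    policy = POLICIES.get(policy_id)
    if policy is None:
        return False
    for location in policy["allowed_locations"]:
        for cidr in NAMED_LOCATIONS.get(location, []):
            # 'in' is False for a v4 address against a v6 network and vice versa
            if addr in ipaddress.ip_network(cidr, strict=False):
                return True
    return False


def issue_token(ip_seen_by_entra, strict_location, after_ip_mismatch=False):
    """Simplified model of Entra ID issuing a CAE token under the location policy.

    'capid' is a hypothetical claim name used here for the embedded policy ID.
    When strict enforcement is off and the client is re-acquiring a token right
    after the resource reported an IP mismatch, the policy ID is left out, as the
    post describes, so the client is not bounced between the two forever.
    """
    if not client_ip_allowed(POLICY_ID, ip_seen_by_entra):
        return None                                   # policy denies: no token issued
    if after_ip_mismatch and not strict_location:
        return {"capid": None}
    return {"capid": POLICY_ID}


def evaluate_at_resource(token, ip_seen_by_resource):
    """The resource's per-request check: compare the source IP with the policy's ranges."""
    if token is None:
        return Decision(False, 401, "Entra ID refused to issue a token for this location")
    policy_id = token.get("capid")
    if policy_id is None:
        return Decision(True, 200, "token carries no location policy; served")
    if client_ip_allowed(policy_id, ip_seen_by_resource):
        return Decision(True, 200, "source IP inside the policy's named locations; served")
    return Decision(False, 401, "IP mismatch: claims challenge, client must re-acquire a token")


def run_scenario(ip_seen_by_entra, ip_seen_by_resource, strict_location):
    """Token minted while Entra ID sees one egress IP, then used against a resource
    that sees another; returns the resource's decision after at most one retry."""
    token = issue_token(ip_seen_by_entra, strict_location)
    decision = evaluate_at_resource(token, ip_seen_by_resource)
    if token is None or decision.status != 401:
        return decision
    # The 401 carried a claims challenge: the client goes back to Entra ID with its
    # refresh token, and Entra ID still observes the original egress IP.
    token = issue_token(ip_seen_by_entra, strict_location, after_ip_mismatch=True)
    return evaluate_at_resource(token, ip_seen_by_resource)


if __name__ == "__main__":
    for strict in (True, False):
        d = run_scenario("193.20.1.10", "193.30.1.20", strict)
        print(f"strict location enforcement={strict}: HTTP {d.status}, {d.reason}")
```

With strict enforcement on, the second token still carries the policy ID and Exchange Online blocks again; with it off, the re-issued token has no policy ID and the request is served, which is exactly the trade-off the text describes.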


Thank you for taking the time to go through my blog. Do share your feedback.


Comment from DaithiG (Steel Contributor):

    Thanks! The last time I tried using CAE it was causing issues with staff who used a VPN; sometimes they'd disconnect and get locked out because of the CAE location check. This seems like it would help here?