Continuous Access Evaluation in Azure AD is now in public preview!

Published 10-09-2020 09:00 AM 24.3K Views

Howdy folks,


A few months back, we introduced Continuous Access Evaluation (CAE) for tenants who had not configured any Conditional Access policies. CAE provides the next level of identity security by terminating active user sessions to a subset of Microsoft services (Exchange and Teams) in real-time on changes such as account disable, password reset, and admin initiated user revocation.


Today marks an important milestone in bringing this capability to everyone – now CAE is available in public preview for Azure AD tenants who have configured Conditional Access policies. Microsoft services, like Exchange and SharePoint, can terminate active user sessions as soon as a Conditional Access policy violation is detected. More Microsoft services, such as Dynamics and Azure, will be enabled in the future. You can turn on CAE to improve the security posture in your tenant with just a few clicks!

Getting started


For tenants with Azure AD Premium subscription, you can configure CAE in our portal by going to Azure Active Directory -> Security -> Continuous Access Evaluation. There you can Enable Preview and you can also choose to configure this initially for a select set of users and groups.




If there are no conditional access policies configured in your tenant. CAE is already enabled for all users in your tenant and there are no additional actions you need to take. This is enabled even if your tenant has no Azure AD premium subscription.


To learn more about these changes, check out here: continuous access evaluation.

As always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below or on the Azure AD feedback forum


Best regards,

Alex Simons (twitter: @alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division



Learn more about Microsoft identity: 

Occasional Contributor

Glad to see this has moved to Pubic Preview. Does limiting the scope of CAE to users in a group also apply to users in nested groups? 

Regular Visitor

Can this be made to support on-prem AD account lockouts and not just when accounts have been completely disabled?

New Contributor

Hello Alex, 


I'm trying to implement a complex access policy using Azure ADP1 and CA. The CAE would be a great benefit to support location changes.

As it is highlighted the documentation it is currently focusing on IP based location.

I followed the guidelines, created CA policies for both geographical and IP based locations but each in a separate, dedicated policy. (Geographical locations based policies simply blocking specific countries while policies based purely on IP locations just enforcing MFA).

However I'm not receiving the expected outcome. When a user is accessing EXO using Outlook client from an IP address that we consider safe MFA is not required (this is normal behavior) but when the user moves to a new IP address (from home for example) the MFA is not enforced.


Is there any way to track/find any log for the reason why the CAE is not addressing this IP address changes?

What would you recommend on how to go further with the debugging of this problem?


Thank you in advance!



Version history
Last update:
‎Oct 08 2020 04:06 PM
Updated by: