Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Microsoft Entra ID Continuous access evaluation and how it works!

MVP

 

Dear Microsoft Entra ID Friends,

 

In this article, we take a closer look at Microsoft Entra ID continuous access evaluation.

 

What is Microsoft Entra ID Continuous access evaluation (CAE)?
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evalua...

 

How should CAE support us?
Microsoft Entra ID continuous access evaluation is a feature that helps to improve the security and resilience of cloud applications. It allows Microsoft Entra ID to issue access tokens that are valid for a longer time, but can be revoked immediately if there is a change in the user account or the tenant policy. This way, applications can enforce the latest security policies without relying on the expiration of the access tokens. For example, if an administrator disables a user account or changes the IP address range for accessing the application, the existing access tokens for that user will be invalidated and the user will have to reauthenticate with Microsoft Entra ID. This reduces the risk of unauthorized access and also reduces the number of token requests, which makes the application more resilient to network issues.

 

Build resilience by using Continuous Access Evaluation
https://learn.microsoft.com/en-us/entra/architecture/resilience-with-continuous-access-evaluation

 

Revoke access in (near) real time with Continuous Access Evaluation
Continuous Access Evaluation (CAE) allows Microsoft Entra applications to subscribe to critical events that can then be evaluated and enforced. CAE includes evaluation of the following events:

  • User account deleted or disabled
  • Password for user changed
  • MFA enabled for user
  • Administrator explicitly revokes a token
  • Elevated user risk detected

Let's examine CAE on the example of a connection with Microsoft Graph.

Lets start with the following scenario:

In the PowerShell ISE we create a connection with Microsoft Graph and in the background we record it all with the Fiddler tool.

cae_1.png

 

In the Fiddler tool we copy the access token:

cae_2.png

 

Now we can decode the access token on the web page https://jwt.ms/:

cae_3.png

 

We can see that the access token is valid for approximately 24 hour:

cae_4.png

 

With the fiddler tool we can see that the microsoft graph is continous access evaluation aware:

cae_5.png

 

Now lets generate an event that will revoke the access token:

cae_6.png

 

Back in the PowerShell ISE we can see that the access token is no longer valid (Request for re-authentication):

cae_7.png

 

In the Fiddler tool we can see that the access token is no longer valid:

cae_8.png

 

The exact info from Fiddler:

cae_9.png

 

I realize that this was not necessarily spectacular. It was simply important for me to share my experience with you. Nevertheless, I hope that this article was helpful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

 

 

0 Replies