Well, this week has been a good week: it has seen a Conditional Access feature that adds further control to the Zero Trust story. One of the biggest issues with Conditional Access, and also with Multi-Factor Authentication, is that they only protect at the time the session is authenticated. Conditions around the user session can change afterwards, but because authentication succeeded at the start, the session stays valid.

This changes with the addition of Continuous Access Evaluation (CAE), which introduces real-time enforcement of account lifecycle events and policies. These could be events such as:

  • Account revocation

  • Account Disabled or Deleted

  • Password Change

  • User Location Change

  • Increase in User Risk

What this means is that when one of these events is received, app sessions are immediately interrupted and the user is redirected back to Azure AD to reauthenticate and have their policy re-evaluated. CAE therefore lets the Zero Trust principles of Assume Breach and Verify Explicitly be implemented and actioned: the user session's lifespan is no longer a pre-defined duration but depends on the session's integrity.
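How a CAE-aware client recognises that interruption in practice, as an added example that is not from the original post or from Microsoft's own libraries: the resource answers 401 with a claims challenge (error="insufficient_claims") in WWW-Authenticate, and the client must go back to Azure AD with the supplied claims rather than silently reusing its cached token. The sample header and claims value below are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample of the 401 challenge a CAE-enabled resource returns
# after Azure AD has revoked the session (account disabled, password
# change, ...). Layout follows Microsoft's documented claims challenge;
# the claims value here is built locally, not captured from a tenant.
SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_HEADER = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode() + '"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(www_authenticate: str):
    """Return the decoded claims JSON if the header is a CAE claims challenge,
    otherwise None. A 401 without error="insufficient_claims" is an ordinary
    expired/invalid token and should follow the normal token refresh path."""
    scheme, _, rest = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = dict(_PARAM_RE.findall(rest))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    # The challenge may arrive without base64 padding; restore it first.
    raw += "=" * (-len(raw) % 4)
    try:
        return json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None


def requires_reauth(www_authenticate: str) -> bool:
    """A claims challenge asking for a token not-before (nbf) value means the
    cached token predates the revocation event: the client must return to
    Azure AD with these claims instead of reusing what it has."""
    claims = parse_claims_challenge(www_authenticate)
    if not claims:
        return False
    return "nbf" in claims.get("access_token", {})
```

A client that ignores the challenge and keeps retrying with its cached token is exactly the stale-session case CAE is meant to close.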

CAE will be auto-enabled for all tenants; however, Azure AD P1 customers will be able to make changes or disable CAE in the Session blade within Conditional Access. Supported apps for CAE can be found here.