While browsing through the options in my Conditional Access policies I noticed a new session control related to Continuous Access Evaluation (CAE). Time for a blog post on my findings.
Continuous Access Evaluation allows for a quicker response to certain critical events (for example a disabled account or a revoked refresh token) by forcing the client to obtain a new access token when such an event takes place, instead of waiting for the current token to expire. In October last year I already wrote about Azure AD Continuous Access Evaluation (CAE), taking a first look at its functionality, so if you want to know more about what Continuous Access Evaluation is exactly I would recommend reading that article first.
The new option that has appeared in Conditional Access can be found under Session in the Access controls section.
As you can see from the screenshot, you can select “Customize continuous access evaluation”, and once selected you have two options: 1) Disable and 2) Strict enforcement.
“Disable” only works when “All cloud apps” is selected and no conditions have been configured. So if you want to turn Continuous Access Evaluation off, you have to create a Conditional Access policy that explicitly targets all cloud apps without any conditions, which means you can only turn it off for every session going through Azure AD Conditional Access, not for a subset of apps or a particular scenario.
“Strict enforcement” blocks clients that are not CAE-capable. In addition, both the IP address seen by Azure AD and the IP address seen by the resource provider are evaluated and enforced against your IP location-based policies.
The CAE-capable clients are Outlook, Teams, Office and OneDrive (on Web, Win32, iOS, Android and macOS), with the exception of Office on the web, which is not supported. This means that under strict enforcement any other client accessing the data will be blocked, and that once enabled you can no longer work with documents in Office on the web.
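Both variants can also be created through Microsoft Graph instead of the portal. The script below is an added example (not code from the original post) using the Microsoft Graph PowerShell SDK; it builds the two policies, checks that the “Disable” policy has the shape Azure AD requires (all cloud apps, no conditions) before creating it, creates both in report-only state, and reads the CAE mode back. The display names and the pilot group object ID are assumed placeholder values, and the property names follow the Graph `conditionalAccessSessionControls` resource (`continuousAccessEvaluation.mode`).

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# "Disable" is only honored when the policy targets All cloud apps and carries no conditions.
# Fail fast instead of creating a policy that silently does nothing.
function Test-CaeDisablePolicyShape {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $c = $Policy.conditions
    $allApps = ($c.applications.includeApplications -contains 'All')
    $hasClientAppFilter = ($c.clientAppTypes -and ($c.clientAppTypes -ne 'all'))
    $hasOtherConditions = [bool]($c.locations -or $c.platforms -or $c.devices -or
                                 $c.signInRiskLevels -or $c.userRiskLevels)
    return ($allApps -and -not $hasClientAppFilter -and -not $hasOtherConditions)
}

# Tenant-wide opt-out of CAE (assumed display name).
$disableCae = @{
    displayName = 'CAE - Disable for all cloud apps'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All') }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        continuousAccessEvaluation = @{ mode = 'disabled' }
    }
}

# Strict enforcement scoped to a pilot group, because it blocks non-CAE-capable clients
# such as Office on the web. The group ID is an assumed placeholder.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'
$strictCae = @{
    displayName = 'CAE - Strict enforcement (pilot group)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeGroups = @($pilotGroupId) }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        continuousAccessEvaluation = @{ mode = 'strictEnforcement' }
    }
}

if (-not (Test-CaeDisablePolicyShape -Policy $disableCae)) {
    throw 'The CAE "Disable" policy must target All cloud apps and have no conditions.'
}

$created = @(
    New-MgIdentityConditionalAccessPolicy -BodyParameter $disableCae
    New-MgIdentityConditionalAccessPolicy -BodyParameter $strictCae
)

# Read the policies back and confirm the CAE mode Azure AD stored for each.
foreach ($p in $created) {
    Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id |
        Select-Object DisplayName, State,
            @{ n = 'CaeMode'; e = { $_.SessionControls.ContinuousAccessEvaluation.Mode } }
}
```

Starting in report-only state lets you check the sign-in logs for clients that would be blocked by strict enforcement (and for how widely the disable policy would apply) before switching the state to enabled.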
Let’s test this. I modified one of my policies to include this new setting, set to “Strict enforcement”.
When creating a new Word document from the Office portal (https://portal.office.com)
When creating a new Excel document from the Office Portal
I was able to create a new Word on the web document and an Excel on the web spreadsheet via the “New” option in OneDrive, which can be considered a “workaround”, but hopefully Office on the web will be included as a supported client soon.
Conclusion
So, Continuous Access Evaluation is now enabled by default; you can tweak this by disabling Continuous Access Evaluation or by setting it to strict enforcement. Be careful with the strict option though, because it breaks the user experience for users working in Office on the web.
Strict enforcement should only be used in environments where this is a hard requirement and you can live with the restrictions (hopefully only for now).
Reference:
Continuous access evaluation (concept) – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation