Menu
Modern Workplace Blog
  • Home
  • About: Kenneth van Surksum
  • Cookie Policy
Modern Workplace Blog
October 30, 2021October 30, 2021

Continuous Access Evaluation configuration is now part of Conditional Access

While browsing through the options in my Conditional Access policies I noticed a new session related to Continuous Access Evaluation (CAE). Time for a blogpost on my findings.

Continuous access evaluation allows for a quicker response by forcing an access token refresh in case of a certain events taking place. In October last year I already wrote about Azure AD Continuous access evaluation (CAE) taking a first look at its functionality, so if you want to know more about what Continuous Access Evaluation is exactly I would recommend reading that article first.

Azure AD Continuous access evaluation (CAE), a first look

The new option that has appeared in Conditional Access, can be found under the session in the Access Controls section.

Session Control options

As you can see from the screenshot, you have the ability to select “Customize continuous access evaluation” and once selected, you have two options. 1) Disable and 2) Strict enforcement.

“Disable” works correctly when “All cloud apps” is selected, and no condition has been chosen. So if you want to disable Continuous Access Evaluation you should explicitly create a conditional access policy targeting all cloud apps, without any condition, so you can only turn it off for every session going through Azure AD Conditional Access.

“Strict enforcement” will disable non-CAE enabled clients. Also, both IP addresses seen by Azure AD and Resource Provider will be evaluated and enforced based on IP location policy.

The CAE enabled clients are: Outlook, Teams, Office, OneDrive (on Web, Win32, iOS, Android and macOS), except for Office on the Web which is not supported. This means that other clients accessing the data will be blocked and that once enabled you cannot work with documents in Office on the web anymore.

Let’s test this, I modified one of my policies to include this new setting set to “Strict enforcement”

When creating a new Word document from the Office portal (https://portal.office.com)

When creating a new Excel document from the Office Portal

I was able to create a new Word on the web document and Excel on the web spreadsheet via the “New” option in OneDrive which can be considered a “workaround” but hopefully Office on the web will be included as a supported client soon.

Conclusion

So, Continuous Access Evaluation is now enabled by default, you can tweak this by disabling Continuous Access Evaluation or by setting Continuous Access evaluation to strict enforcement. Be careful when using the strict option though because it can break the user experience when they are working in Office on the web.

Strict enforcement should only be used in environments where this is a hard requirement, and you can live with the restrictions (hopefully for now).

Reference:

Continuous access evaluation – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

Continuous access evaluation (concept) https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

Tweet
Follow me
Tweet #WPNinjasNL

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Founding member of:

Recent Posts

  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Conditional Access public preview functionality reviewed (22H2) – Part 3: Granular control for external user types
  • Conditional Access public preview functionality reviewed (22H2) – Part 2: Conditional Access filters for Apps and Workload Identities
  • Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength

Books

System Center 2012 Service Manager Unleashed
Amazon
System Center 2012 R2 Configuration Manager Unleashed: Supplement to System Center 2012 Configuration Manager
Amazon
System Center Configuration Manager Current Branch Unleashed
Amazon
Mastering Windows 7 Deployment
Amazon
System Center 2012 Configuration Manager (SCCM) Unleashed
Amazon

Archives

  • February 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • November 2016
  • November 2015
  • June 2015
  • May 2015
  • November 2014
  • July 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • November 2013
  • August 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • November 2012
  • August 2012
  • July 2012
  • June 2012

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Categories

  • ABM (3)
  • Advanced Threat Protection (4)
  • Announcement (42)
  • Azure (3)
  • AzureAD (65)
  • Certification (2)
  • Cloud App Security (3)
  • Conditional Access (50)
  • Configuration Manager (24)
  • Events (11)
  • Exchange Online (7)
  • Identity Protection (3)
  • Intune (17)
  • Licensing (2)
  • Microsoft Endpoint Manager (35)
  • Mobile Application Management (1)
  • Modern Workplace (65)
  • Office 365 (10)
  • Overview (10)
  • Power Platform (1)
  • PowerShell (2)
  • Presentations (7)
  • Privileged Identity Management (5)
  • Role Based Access Control (2)
  • Security (50)
  • Service Manager (4)
  • Speaking (22)
  • Troubleshooting (4)
  • Uncategorized (11)
  • Windows 10 (14)
  • Windows 11 (4)
  • Windows Update for Business (3)
  • WMUG.nl (16)
  • WPNinjasNL (30)

Tags

#AzureAD #community #conditionalaccess #ConfigMgr #IAM #Intune #m365 #MEM #MEMCM #microsoft365 #modernworkplace #office365 #security #webinar #wmug_nl ATP AzureAD Branding Community Conditional Access ConfigMgr ConfigMgr 2012 Configuration Manager Email EXO Identity Intune Licensing M365 MCAS Modern Workplace Office 365 OSD PIM Policy Sets Presentation RBAC roles Security Service Manager SSP System Center troubleshooting webinar Windows 10

Recent Comments

  • Mike on A guide to implementing Applocker on your Modern Workplace
  • Kenneth on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • John Barnes on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Intune Newsletter - 24th February 2023 - Andrew Taylor on Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management | Modern Workplace Blog on A first look at Azure AD Conditional Access authentication context

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2023 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT