At the beginning of this month I wrote about CAE, and now it has become globally available.
It was there but now it’s gone and the only option you have is to disable or enforce it.
So what is Continuous Access Evaluation?
Continuous Access Evaluation (CAE) allows access tokens to be revoked based on critical events and policy evaluation in real time rather than relying on token expiration based on lifetime.
- “Disable” works correctly when “All cloud apps” is selected, and no condition has been chosen.
- “Strict enforcement” will disable non-CAE enabled clients. Also, both IP addresses seen by Azure AD and Resource Provider will be evaluated and enforced based on IP location policy.
- This setting does not work with report-only mode, but there are pre-published workbooks with data insights.
Disable can be used with “All Cloud Apps” and, as the name says, you can bypass CAE functionality with this policy.
With Strict enforcement, on the other hand, you can prevent non-compliant clients from using the cloud apps you have.
When you enable CAE in strict mode, you won’t be able to use All Cloud Apps with a non-CAE enabled client. You can find the list of the supported scenarios in my last post.
There is also one other Preview feature that I want to write about in this post.
Disable resilience defaults
During an outage, Azure AD will extend access to existing sessions while enforcing Conditional Access policies. If a policy cannot be evaluated, access is determined by resilience settings. If resilience defaults are disabled, access is denied once existing sessions expire.
So with resilience defaults disabled, you will be blocked if your policy state cannot be checked. More power to security, excellent feature. E.T. cannot call home and the way home is blocked.
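To check exported policies against the rules above (Disable needs “All cloud apps” and no conditions, CAE settings do not work in report-only mode, strict enforcement and disabled resilience defaults both block), here is a small linter, added as an example and not part of the original post. The field names assume the Microsoft Graph conditionalAccessPolicy JSON shape, with the CAE mode as exposed in the beta schema; the sample policies and finding labels are constructed.

```python
# Lint exported Conditional Access policies (dicts parsed from JSON).
# Assumption: field names follow the Microsoft Graph conditionalAccessPolicy
# shape; finding labels are made up for this example.
OPTIONAL_CONDITIONS = ("platforms", "locations", "devices",
                       "signInRiskLevels", "userRiskLevels")

def lint_policy(policy):
    """Return a list of findings for one policy."""
    findings = []
    cond = policy.get("conditions") or {}
    session = policy.get("sessionControls") or {}
    cae = (session.get("continuousAccessEvaluation") or {}).get("mode")
    apps = (cond.get("applications") or {}).get("includeApplications") or []

    # CAE session controls are not honoured in report-only mode.
    if cae and policy.get("state") == "enabledForReportingButNotEnforced":
        findings.append("cae-in-report-only")
    if cae == "disabled":
        # Disable only works with "All cloud apps" and no conditions.
        if apps != ["All"]:
            findings.append("cae-disable-needs-all-cloud-apps")
        chosen = [k for k in OPTIONAL_CONDITIONS if cond.get(k)]
        if chosen:
            findings.append("cae-disable-with-conditions:" + ",".join(chosen))
    if cae == "strictEnforcement":
        # Impact reminder: non-CAE clients lose access to the targeted apps.
        findings.append("strict-blocks-non-cae-clients")
    if session.get("disableResilienceDefaults"):
        # Impact reminder: access is denied during an outage once sessions expire.
        findings.append("resilience-defaults-disabled")
    return findings

# Constructed sample policies, not real tenant data.
SAMPLE_POLICIES = [
    {"displayName": "Disable CAE - all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
    {"displayName": "Disable CAE - scoped", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["placeholder-app-id"]},
                    "locations": {"includeLocations": ["AllTrusted"]}},
     "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}}},
    {"displayName": "Strict CAE - report-only",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "sessionControls": {"continuousAccessEvaluation": {"mode": "strictEnforcement"},
                         "disableResilienceDefaults": True}},
]

def lint_all(policies):
    return {p["displayName"]: lint_policy(p) for p in policies}

if __name__ == "__main__":
    for name, found in lint_all(SAMPLE_POLICIES).items():
        print(name, found or "ok")
```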
Last but not least
Conditional Access has been evolving all the time. There are more and more preview features coming, like Custom controls and Authentication context; more on these in later posts.
Policies combined with other security features let you admins sleep more calmly, and you should be evaluating them for your organization.
Easy as that, nothing too hard.