On Day 29 of Cybersecurity awareness month, learn the importance of Continuous Access Evaluation in Azure AD today. Stay tuned for more blogs in the Cybersecurity blog series.
IT administrators rightly treat the security of email and the other tools their business runs on as a priority. A routine task is disabling a user so that they lose access to those resources, for example when someone leaves or a credential is compromised. When an account is disabled, waiting for the user to eventually lose access is not acceptable; the cut-off has to happen straight away. The traditional session controls in an Azure AD Conditional Access policy cannot deliver that, because an access token that has already been issued stays valid until it expires. With CAE, Azure AD and the resource provider can reject a token the moment a critical event occurs, instead of waiting for the token lifetime to run out.
“Time is what determines security. With enough time, nothing is unhackable”– Aniekee Tochukwu Ezekiel
The quote applies directly here: an access token that stays valid for an hour after the account behind it was disabled gives an attacker, or a departing employee, an hour of uninterrupted access. That one-hour refresh window is the whole problem. Here is why!
What is Continuous Access Evaluation?
Azure Active Directory offers a range of security features for organizations; Continuous Access Evaluation (CAE) is one of them.
Continuous access evaluation is a two-way conversation between the token issuer (Azure AD) and the resource provider that relies on the token. It is enabled by default for every tenant, and a Conditional Access policy can be used to disable it. Currently CAE covers Exchange Online, SharePoint Online and Teams as resource providers, and it needs a CAE-capable client (the current Microsoft 365 apps) on the other end of the conversation.
The need for CAE starts with the OAuth (Open Authorization) 2.0 access tokens used to authorize API requests: once issued, a bearer token is accepted until it expires, whatever has happened to the account in the meantime. With CAE, when a user's access is removed or the client's IP address moves outside the allowed locations, the resource provider rejects the token and blocks access to resources and applications in near real time (propagation can take up to 15 minutes).
What are Access Tokens?
Whenever a user or app requests access to an Azure AD-protected application, Azure AD issues an access token, by default with a lifetime of about one hour. The access token carries the user's identity and the permissions granted. A refresh token lets the client obtain a new access token when the old one expires, so the user gets uninterrupted access without signing in again. The weakness is that nothing is re-evaluated in between: a disabled account keeps working until the current access token expires. This is where CAE comes into action. For CAE-capable clients Azure AD actually issues longer-lived tokens (up to 28 hours) and relies on revocation events rather than short expiry to cut access off. Let's take a look at the pieces in more detail.
Client-side Claim Challenge
A claims challenge is the signal a resource provider sends back to a client to make it discard the cached access token even though the token has not expired. Before CAE, a client would simply replay the token from its cache for as long as it was valid. With CAE, the resource provider answers with HTTP 401 and a WWW-Authenticate header carrying error="insufficient_claims" and a claims parameter; that tells the client the token was rejected and that it must go back to Azure AD for a new one, passing the challenge claims along with the request.
The latest versions of the CAE-enabled clients (Outlook, Teams, Office and OneDrive on Web, Win32, iOS, Android and macOS) support the claims challenge; the exception is Office on the Web, which does not.
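To make the token lifetime and the claims challenge concrete, here is a small added example in Python of what a CAE-capable client has to do: declare the CP1 capability in its token requests, recognise a CAE token by its xms_cc claim, and handle the 401 claims challenge a resource provider returns after a critical event. This is written for this page, not code from Microsoft or from the original post. The tokens and the WWW-Authenticate header are constructed locally and unsigned; the nbf value, the user name and the authorization URL are placeholders, and the header layout follows the documented insufficient_claims format.

```python
import base64
import json
import re
from typing import Optional

# Added example, not Microsoft's code. Standing capability declaration a
# CAE-capable client sends in the "claims" parameter of every token request
# (xms_cc / CP1 is the documented Azure AD value; MSAL sends it for you when
# the application is created with client_capabilities=["CP1"]).
CAE_CAPABILITY = {"access_token": {"xms_cc": {"values": ["cp1"]}}}


def _b64decode(data: str) -> bytes:
    """Decode base64 or base64url, tolerating stripped padding."""
    data = data.replace("-", "+").replace("_", "/")
    return base64.b64decode(data + "=" * (-len(data) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Payload of a compact JWT WITHOUT signature verification.
    Inspection only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64decode(parts[1]))


def token_is_cae(payload: dict) -> bool:
    """A CAE-negotiated token carries xms_cc containing CP1."""
    return any(str(c).upper() == "CP1" for c in payload.get("xms_cc", []))


def token_lifetime_hours(payload: dict) -> float:
    return (payload["exp"] - payload["iat"]) / 3600


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(www_authenticate: str) -> Optional[dict]:
    """Parse the WWW-Authenticate header of a 401. Returns the decoded claims
    dict for a CAE claims challenge, or None for an ordinary 401 (expired
    token etc.) that a plain refresh would handle."""
    if not www_authenticate.startswith("Bearer"):
        return None
    params = dict(_PARAM.findall(www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    return json.loads(_b64decode(params["claims"]))


def next_request_claims(challenge: Optional[dict]) -> str:
    """'claims' parameter for the token request that answers a challenge: the
    challenge merged with the standing capability declaration, so the new
    token is both fresh (issued after the revocation event) and CAE-capable."""
    merged = json.loads(json.dumps(CAE_CAPABILITY))  # deep copy
    for top, inner in (challenge or {}).items():
        merged.setdefault(top, {}).update(inner)
    return json.dumps(merged, separators=(",", ":"))


# ---- constructed sample data (not real tokens or headers) ----
def _unsigned_jwt(payload: dict) -> str:
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


ISSUED = 1_700_000_000
CLASSIC_TOKEN = _unsigned_jwt({"iat": ISSUED, "exp": ISSUED + 3600,
                               "upn": "user@contoso.example"})
CAE_TOKEN = _unsigned_jwt({"iat": ISSUED, "exp": ISSUED + 28 * 3600,
                           "upn": "user@contoso.example", "xms_cc": ["CP1"]})
# What a resource provider sends back once the account was disabled ten
# minutes after issuance: a 401 demanding a token not issued before that event.
CHALLENGE_HEADER = (
    'Bearer authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(json.dumps(
        {"access_token": {"nbf": {"essential": True, "value": str(ISSUED + 600)}}}
    ).encode()).decode() + '"'
)

if __name__ == "__main__":
    for name, tok in (("classic", CLASSIC_TOKEN), ("cae", CAE_TOKEN)):
        p = decode_jwt_payload(tok)
        print(name, "CAE:", token_is_cae(p), "lifetime h:", token_lifetime_hours(p))
    print(next_request_claims(parse_claims_challenge(CHALLENGE_HEADER)))
```

The point to notice is the split of responsibilities: the client never decides on its own that a token is bad; it only reacts to the challenge, and the merged claims parameter is what stops Azure AD from handing back the same cached, pre-revocation token.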
License Requirement for Continuous Access Evaluation
As noted above, continuous access evaluation is enabled automatically for all Azure AD tenants. Because CAE is adjusted through Conditional Access, an Azure AD Premium (P1 or P2) license is required for any customization.
Why Is CAE Important?
CAE not only raises security but also shortens the time a user keeps access after a critical event. As mentioned above, a one-hour access token lifetime is a real problem in the following scenario.
- Without CAE, a user blocked by an administrator through a Conditional Access policy keeps working until their current access token expires, which can be a full hour. In that hour the user can still download confidential data.
CAE closes this gap through the two-way conversation between Azure AD and the resource provider. Azure AD pushes critical events (such as an account being disabled) to the resource provider, which stops honouring the affected tokens and challenges the client; in the other direction, the resource provider evaluates location-based Conditional Access policies against the client's current IP address and reports back when it no longer matches. The result is immediate action on the user whenever their account or context changes.
Continuous access evaluation involves two types of scenarios: critical event evaluation and conditional access policy evaluation.
What are Some of the Critical Events in Azure AD?
When any of the following critical events occurs, Azure AD notifies the CAE-enabled resource providers, which reject the user's existing access tokens and force the client back to Azure AD; in practice the user is signed out of the affected service.
- User account is deleted or disabled
- Password for a user is changed or reset
- Multi-factor authentication is enabled for the user
- Administrator explicitly revokes all refresh tokens for a user
- High user risk is detected by Azure AD Identity Protection
A change of the user's location (client IP address) is not a critical event in this sense. It is handled by the second scenario, Conditional Access policy evaluation, where the resource provider checks the client's IP address against the location conditions of the applicable policies.
Scenario-Based Explanation for CA Policy Evaluation
The following step-by-step explanation provides a clear view of how CAE works.
Step 1: Create a new conditional access policy by navigating through Azure Active Directory > Security > Conditional Access.
Step 2: Under 'Users', select the specific users the policy should apply to, and exclude at least one break-glass account so the policy cannot lock administrators out.
Step 3: Select ‘All cloud apps’ option from the ‘Cloud apps or actions’ blade.
Step 4: Under 'Conditions' > 'Locations', include 'Any location' and exclude only the named location you trust. Use an IP-based named location, since that is the only location type CAE can enforce; users connecting from anywhere else will be blocked.
Step 5: Under 'Grant', choose 'Block access', then turn the policy on.
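The five steps above expressed as the Microsoft Graph request bodies an administrator would send instead of clicking through the portal, plus the pre-flight check worth running before a block policy goes live. This is an added example written for this page, not code from the original post or from Microsoft. The property names follow the Graph conditionalAccessPolicy and ipNamedLocation schemas, the object IDs and the CIDR range are constructed placeholders, and the bodies are only built and checked here, not sent.

```python
import json
from typing import Iterable

# Added example, not Microsoft's code. Target endpoints (POST, with an access
# token holding Policy.ReadWrite.ConditionalAccess):
#   https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations
#   https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# The named location must exist first, because the policy references its id.


def ip_named_location(display_name: str, cidrs: Iterable[str]) -> dict:
    """Trusted IP-based named location: the only location type CAE can enforce."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def block_outside_location_policy(user_ids: Iterable[str], office_location_id: str,
                                  break_glass_ids: Iterable[str] = (),
                                  enforce: bool = False) -> dict:
    """Steps 1-5: chosen users, all cloud apps, any location except the office,
    grant = block. Starts in report-only mode; pass enforce=True once the
    sign-in log shows only the sessions you expect to be blocked."""
    return {
        "displayName": "Block access from outside the office (CAE demo)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": list(user_ids),
                      "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [office_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_warnings(policy: dict) -> list:
    """Pre-flight check: ways this block policy could lock the tenant out."""
    warnings = []
    cond = policy["conditions"]
    users, locs = cond["users"], cond.get("locations", {})
    if policy.get("grantControls", {}).get("builtInControls") == ["block"]:
        if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
            warnings.append("blocks every user with no break-glass exclusion")
        if locs.get("includeLocations") == ["All"] and not locs.get("excludeLocations"):
            warnings.append("blocks every location; nobody can sign in")
    if policy.get("state") == "enabled":
        warnings.append("enforced immediately; consider report-only first")
    return warnings


# Constructed sample input: the GUIDs are placeholders, not real objects.
OFFICE = ip_named_location("HQ egress", ["203.0.113.0/24"])
OFFICE_ID = "00000000-0000-0000-0000-0000000000aa"  # Graph returns this on creation
POLICY = block_outside_location_policy(
    user_ids=["11111111-1111-1111-1111-111111111111"],
    office_location_id=OFFICE_ID,
    break_glass_ids=["22222222-2222-2222-2222-222222222222"],
)

if __name__ == "__main__":
    print(json.dumps(OFFICE, indent=2))
    print(json.dumps(POLICY, indent=2))
    print("warnings:", lockout_warnings(POLICY))
```

Because the named location is IP-based and marked trusted, the resource providers can evaluate it themselves on the client's current IP address, which is what lets the block take effect within minutes rather than at the next token refresh.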
User Experience with Continuous Access Evaluation
Now, when the user tries to access the resource from an IP address outside the excluded location, access is blocked almost immediately rather than at the next token refresh, and they receive a blocked-access error from the service.
That shows CAE is active for the tenant.
What Happens When Continuous Access Evaluation is Disabled?
If your tenant has an Azure AD Premium license, you can disable CAE from the 'Session' blade of a Conditional Access policy.
Note that the option to disable continuous access evaluation is only available when 'All cloud apps' is selected and no conditions are configured in the policy. With CAE disabled, blocking access after an unusual event falls back to waiting for the access token to expire, up to a full hour. That is more than enough time for a malicious user to exfiltrate confidential data.
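The same setting expressed via Microsoft Graph, with the constraint from the previous paragraph turned into a check you can run before submitting a policy. This is an added example, not code from the original post or from Microsoft; it assumes the Graph sessionControls.continuousAccessEvaluation property with mode "disabled" (the schema as the editor understands it), and the policy bodies and IDs are constructed placeholders.

```python
from typing import Optional

# Added example, not Microsoft's code. Assumed Graph schema:
# conditionalAccessPolicy.sessionControls.continuousAccessEvaluation.mode,
# where "disabled" is the weak setting this section warns about.


def with_cae_disabled(policy: dict) -> dict:
    """Copy of the policy with the 'Disable' CAE session control added."""
    p = dict(policy)
    p["sessionControls"] = {**policy.get("sessionControls", {}),
                            "continuousAccessEvaluation": {"mode": "disabled"}}
    return p


def cae_disable_error(policy: dict) -> Optional[str]:
    """None when the policy is acceptable, otherwise why it will be rejected:
    CAE can only be disabled with 'All cloud apps' and no other conditions."""
    cae = policy.get("sessionControls", {}).get("continuousAccessEvaluation")
    if not cae or cae.get("mode") != "disabled":
        return None  # CAE stays on; nothing to check
    cond = policy.get("conditions", {})
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return "CAE can only be disabled when 'All cloud apps' is selected"
    extra = sorted(k for k, v in cond.items()
                   if k not in ("users", "applications") and v)
    if extra:
        return "CAE cannot be disabled while other conditions are set: " + ", ".join(extra)
    return None


# Constructed inputs: a policy that meets the constraint, and one that does not.
BASE = {
    "displayName": "Disable CAE for a legacy service account",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["11111111-1111-1111-1111-111111111111"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
WITH_LOCATION = dict(BASE, conditions={**BASE["conditions"],
                                       "locations": {"includeLocations": ["All"]}})

if __name__ == "__main__":
    print(cae_disable_error(with_cae_disabled(BASE)))           # accepted
    print(cae_disable_error(with_cae_disabled(WITH_LOCATION)))  # rejected
```

Keep in mind that a policy which passes this check still leaves the users it targets on hour-long tokens; scope it to the smallest set of accounts that genuinely need it.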
Some Limitations of CAE to Make a Note of:
- CAE is not supported for all client apps and resource provider combinations.
- For location conditions, CAE enforces only IP-based named locations. It does not support MFA trusted IPs or country/region-based locations.
- Changes to group memberships and Conditional Access policies can take up to a day to take effect, because they have to replicate from the identity provider to the resource providers.
- If your organization routes traffic through proxies, the identity provider and the resource providers may see different client IP addresses, which can cause location policies to be evaluated inconsistently.
- CAE may not immediately revoke access to documents for policy change events if multiple users collaborate on them simultaneously.
- When a user is re-enabled right after being disabled, it takes up to 15 minutes for SharePoint Online and 35 to 40 minutes for Exchange Online to recognize the account again.
Though CAE has these limitations, Microsoft documents workarounds for several of them. Check the published limitations and workarounds and follow those steps where they apply to your environment.
I hope this blog helps you understand the concepts behind Continuous Access Evaluation. Feel free to reach out in the comments if you need any assistance.