To improve security and minimize the time that at-risk sessions stay active, we’ll begin to enable continuous access evaluation (CAE) in premium Azure Active Directory tenants on September 30, 2021. This was previously announced in MC255540 in May of 2021, with a beginning implementation date of mid-June, however this date has been moved to September to provide you additional time to take the required action appropriate for your tenant. Existing CAE configuration will be honored. You are receiving this message because Continuous Access Evaluation (CAE) will be enabled by default in your tenant if it is not explicitly disabled by September 30, 2021.
Affected Workloads
- Identity Service
Key points
- Timing: This will be enabled between November (previously mid-September) and the end of December (previously late November).
- Roll-out: tenant level
- Control type: admin control
- Action: review, assess and ensure CAE settings are correct for the environment by October 30, 2021 (previously September 30, 2021)
How this will affect your organization
CAE enables critical security events and policies to be evaluated in near real time in your organization to help minimize the time that an at-risk session stays active.
Security events and policies include:
- Account disable
- Password reset
- Location change
Note: Continuous access evaluation will only be active in sessions between clients and services that support it.
When it’s enabled in your tenants
- Critical events, such as disabling users and resetting passwords, and critical policies, like location policy, will take effect within minutes.
- Access token lifetime will be up to 28 hours for sessions that use continuous access evaluation.
- Changes that you make to group membership and Conditional Access policies may require up to 28 hours to take effect for clients and services that use continuous access evaluation
What you need to do to prepare
If you don’t want continuous access evaluation enabled in your tenants, disable it before September 30, 2021. We’ll honor any configuration that you set before that date.
Learn more
- To learn how to disable CAE from the Azure AD Security Configuration blade, see Continuous Access Evaluation.
- To view the list of CAE-capable M365 services and clients, see CAE scenarios.
Message ID: MC273937
Published: 29 July 2021
Updated: 05 October 2021
