MC273937: Continuous Access Evaluation (CAE) on by default in premium Azure Active Directory tenants

To improve security and minimize the time that at-risk sessions stay active, we’ll begin to enable continuous access evaluation (CAE) in premium Azure Active Directory tenants on September 30, 2021. This was previously announced in MC255540 in May of 2021, with a beginning implementation date of mid-June, however this date has been moved to September to provide you additional time to take the required action appropriate for your tenant. Existing CAE configuration will be honored. You are receiving this message because Continuous Access Evaluation (CAE) will be enabled by default in your tenant if it is not explicitly disabled by September 30, 2021.

MC273937: Continuous Access Evaluation (CAE) on by default in premium Azure Active Directory tenants

Affected Workloads

  • Identity Service

Key points

  •  Timing: This will be enabled between November (previously mid-September) and the end of December (previously late November).
  • Roll-out: tenant level
  • Control type: admin control
  •  Action: review, assess and ensure CAE settings are correct for the environment by October 30, 2021 (previously September 30, 2021)

How this will affect your organization

CAE enables critical security events and policies to be evaluated in near real time in your organization to help minimize the time that an at-risk session stays active.

Security events and policies include:

  • Account disable
  • Password reset
  • Location change

Note: Continuous access evaluation will only be active in sessions between clients and services that support it.

When it’s enabled in your tenants

  • Critical events, such as disabling users and resetting passwords, and critical policies, like location policy, will take effect within minutes.
  • Access token lifetime will be up to 28 hours for sessions that use continuous access evaluation.
  • Changes that you make to group membership and Conditional Access policies may require up to 28 hours to take effect for clients and services that use continuous access evaluation

What you need to do to prepare

If you don’t want continuous access evaluation enabled in your tenants, disable it before September 30, 2021. We’ll honor any configuration that you set before that date.

Learn more

Message ID: MC273937
Published: 29 July 2021
Updated: 05 October 2021