Continuous Access Evaluation: Rise of the Claim challenge

Hi, refresh tokens. Hi, lag when terminating users or setting a new password.

Welcome, continuous access evaluation (CAE); bye, lag (the 1-hour refresh token).

A claims challenge is the mechanism by which a resource signals that it rejected the token and a new one needs to be issued. So what are the benefits:

  • User termination or password change/reset: User session revocation will be enforced in near real time.
  • Network location change: Conditional Access location policies will be enforced in near real time.
  • Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.

*Source: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation
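To make the claims-challenge mechanism concrete, here is an added example (not code from the original post or from Microsoft) of the client side: a CAE-capable client advertises the `cp1` capability when it requests a token, and when the resource later rejects that token it answers 401 with a `WWW-Authenticate` header carrying `error="insufficient_claims"` and a base64-encoded `claims` parameter. The client decodes that parameter, recognises that its cached token can no longer satisfy the `nbf` requirement, and acquires a fresh token once, passing the claims along. The sample header and the `iat` values below are constructed for the example; the claims blob follows the documented `{"access_token":{"nbf":{...}}}` shape.

```python
import base64
import json
import re
from typing import Optional

# A CAE-capable client tells the token service it can handle claims
# challenges by sending this "client capabilities" claims request
# (capability "cp1"); the issued token then carries an xms_cc claim.
CLIENT_CAPABILITIES = {"access_token": {"xms_cc": {"values": ["cp1"]}}}

# Constructed sample: the WWW-Authenticate value a CAE-enabled resource
# returns with a 401 after it has rejected a token. The claims value is
# base64 JSON asking for a token issued on or after nbf=1604106651.
SAMPLE_CHALLENGE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwNDEwNjY1MSJ9fX0="'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Split a 'Bearer k="v", k2="v2"' header value into a dict of parameters."""
    if not www_authenticate.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(www_authenticate))


def extract_claims_challenge(www_authenticate: str) -> Optional[dict]:
    """Return the decoded claims-request object if this 401 is a claims challenge, else None."""
    params = parse_bearer_challenge(www_authenticate)
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    return json.loads(base64.b64decode(raw).decode("utf-8"))


def cached_token_is_stale(challenge: dict, cached_token: dict) -> bool:
    """True when the challenge demands a token newer than the cached one.

    The requested nbf means "issued at or after this instant"; a token whose
    iat is earlier can never satisfy it, so the token cache must be bypassed
    (force a refresh) rather than replayed.
    """
    nbf = challenge.get("access_token", {}).get("nbf", {})
    required = int(nbf.get("value", 0))
    return int(cached_token.get("iat", 0)) < required


def next_action(status: int, headers: dict, retried: bool) -> str:
    """Decide what a CAE-aware HTTP client does with a resource response.

    Returns "done" (use the response), "reacquire" (get a new token, passing
    the decoded challenge to the token request) or "fail" (surface the 401).
    """
    if status != 401:
        return "done"
    challenge = extract_claims_challenge(headers.get("WWW-Authenticate", ""))
    if challenge is None:
        return "fail"  # ordinary 401 (expired/invalid token): not a CAE challenge
    if retried:
        return "fail"  # one retry only; never loop on repeated challenges
    return "reacquire"


if __name__ == "__main__":
    # Simulated flow: the resource rejects a token cached at iat=1604100000
    # (constructed value), so the client must fetch a fresh one once.
    cached = {"iat": 1604100000}
    headers = {"WWW-Authenticate": SAMPLE_CHALLENGE}
    challenge = extract_claims_challenge(headers["WWW-Authenticate"])
    print("challenge:", json.dumps(challenge))
    print("cached token stale:", cached_token_is_stale(challenge, cached))
    print("first 401 ->", next_action(401, headers, retried=False))
    print("second 401 ->", next_action(401, headers, retried=True))
```

In a real client the decoded challenge is handed to the token library; with MSAL, for instance, the application is constructed with `client_capabilities=["cp1"]` and the challenge is passed as the `claims_challenge` argument of the acquire-token call, which forces a fresh token instead of a cached one. The single-retry guard matters: a client that loops on every challenge turns a revocation into a retry storm against the token endpoint.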

Let’s activate this new feature:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/ContinuousAccessEvaluation

After “terminating” my test user... all sessions were revoked instantly. Sometimes it can take about 15 minutes before everything is blocked. And beware: when re-enabling the terminated user, it can also take some time before the user can access Office 365 again.

Of course, there are some caveats, like coauthoring with multiple users on the same document: in that case the user keeps access until the document is closed, the Office apps are closed, or 10 hours have passed. This can be changed by configuring a network location policy.

And you need CAE-capable clients like Word, Excel, Outlook and Teams for Windows, iOS and Android. But I guess when you have your modern workplace enrolled, you are already working with CAE-capable clients.

Conclusion:

CAE is really great. I can’t say anything more about it… I guess it’s hasta la vista, lag.