When I first had a play with CAE for the 1st time, I wrote about on the importance of this setting and how to enable it in your environment. Please check the previous article below.
Microsoft recently announced the same CAE control will be available via Conditional Access Policies and can be setup per policy rather than enabling it to the whole environment at once. This was earlier available under Security as a preview and now it has taken out from there. Also Microsoft has provided a migration path to the customers that had CAE enabled via Security and new tenants has the CAE in the CA Policies. And you have the ability to enable or disable the option under Session section.
Compatible Apps list
Currently the CAE is compatible with Exchange Online, SharePoint Online, Teams, MS Graph can synchronize with the Conditional Access Policy it self. Please refer the compatibility matrix below.
Migration from the tenants that had the Tenant-wide option enables under Security
In the Azure AD, go to Security > Continues Access Evalution (preview) in the left-hand pane > Click on Migrate.
This is basically a one click migrate and once the migration is done, go to Conditional Access Policies and you will find a new CA Policy named CA policy created from CAE settings and admins can customise this policy or create a new one if required.
the option will be visible under the Session section in Conditional Access Policies. The experience will be different on how it was used earlier or not.
Note: Now with the new tenants and the old tenants that has enabled CAE to all users, this will be set ON by default and the CAP can be used to manage it.
CA Policy with CAE Behaviour
Go to Conditional Access Policies and create a new policy as usual.
Note: If you need to disable CAE from the CA Policy, make sure you select “All Apps” as it will not work for a fragment of apps in the environment.
Immediately apply a CA Policy or a Group membership change
Run revoke-azureaduserallrefreshtoken command against the user by importing the the Azure AD module.
Go to the specific user from Azure AD and click on “Revoke Session” and the changes will be applied immediately.
Location Policies and CAE
CAE has insights to named locations in the Location Policies, but not on the MFA Trusted IP addresses o r country location. During this time Azure AD will issue a one hour access token
More limitations can be found in the official doc here
CAE being a vital part of the Identity posture, I think this is a sensible setup that CA Policy is now controlling the behaviour and in most cases the CAE is ON automatically. This avoids admins not enabling it or ignoring a powerful setting.
One thought on “Manage Continues Access Evaluation behaviour via Conditional Access Polices”