Continuous access evaluation with Azure Active Directory

[Figure: CAE user revocation event flow]

For some time Microsoft has had a feature called Continuous access evaluation (CAE) in preview as part of Azure Active Directory. It allows Conditional Access policies and user changes to be evaluated in near real time, instead of only when a token expires. To illustrate:

When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, those access tokens are valid for one hour; when they expire, the client is redirected back to Azure AD to refresh them. (This is known as the access token lifetime, and it can be adjusted using PowerShell: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.) Across Azure AD and Office 365 there are a number of different access tokens that need to be re-evaluated from time to time.
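To see the token lifetime described above on a real token, the following added example (not code from the original post) decodes the payload of a JWT access token and reports when it was issued, when it expires and whether the client that requested it declared itself CAE-capable (the xms_cc claim carrying cp1). The function names, the sample audience and UPN, and the constructed sample tokens are assumptions made for this example; the sample tokens are unsigned and not issued by Azure AD.

```powershell
# Added example (not from the original post): inspect an access token offline and
# report its lifetime. The signature is NOT verified; use this for inspection only,
# never to make an authorization decision.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AccessTokenLifetime {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Audience         = $claims.aud
        IssuedAtUtc      = $issued.UtcDateTime
        ExpiresAtUtc     = $expires.UtcDateTime
        LifetimeMinutes  = [int]($expires - $issued).TotalMinutes
        # xms_cc lists the client's declared capabilities; 'cp1' means the client
        # told Azure AD it can handle CAE claims challenges.
        CaeCapableClient = [bool]($claims.xms_cc -contains 'cp1')
    }
}

# Constructed, unsigned sample tokens with fake claims (not real Azure AD tokens),
# so the function can be exercised without a tenant.
function New-SampleToken {
    param([int]$LifetimeSeconds = 3600, [switch]$CaeCapable)
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $payload = @{
        aud = 'https://outlook.office365.com'
        upn = 'user@contoso.onmicrosoft.com'
        iat = $now
        exp = $now + $LifetimeSeconds
    }
    if ($CaeCapable) { $payload['xms_cc'] = @('cp1') }
    $b64url = {
        param($Object)
        $json  = $Object | ConvertTo-Json -Compress
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.{2}' -f (& $b64url @{ alg = 'none'; typ = 'JWT' }), (& $b64url $payload), 'fakesig'
}

# A default one-hour token from a client that did not declare CAE support,
# and a long-lived token from a client that did.
Get-AccessTokenLifetime -Token (New-SampleToken)
Get-AccessTokenLifetime -Token (New-SampleToken -LifetimeSeconds 86400 -CaeCapable)
```

Paste a real access token (for example from a browser developer tools session or a Get-Token call in your own tooling) into Get-AccessTokenLifetime to see what lifetime your tenant actually issues; a token that expires in one hour and has no xms_cc claim is exactly the case where the one-hour revocation window applies.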

Of course, if you need to disable a user because their credentials are compromised, waiting up to one hour before the access is revoked might be too long. The same goes for a user who authenticates and then switches to a non-approved network while keeping the same access token. This is where Continuous access evaluation comes in.

CAE works with the following scenarios:

  • User Account is deleted or disabled
  • Password for a user is changed or reset
  • Multi-factor authentication is enabled for the user
  • Administrator explicitly revokes all refresh tokens for a user
  • Elevated user risk detected by Azure AD Identity Protection

At the moment it is only available for SharePoint Online and Exchange Online. To use the feature you just enable the preview feature and define the users/groups that should be affected by it.

This illustrates what happens when we, for instance, disable an account using PowerShell, which causes its access tokens to be revoked.

NOTE: If you re-enable a user right after disabling it, there will be some latency before the account is usable again. SPO and Teams have a 15-minute delay; for EXO the delay is 35-40 minutes.

Set-AzureADUser -ObjectId OBJECTIDOFTHEUSER -AccountEnabled $false


In this example I just disabled the user account through PowerShell and the change happened quite instantly.

[Screenshot: 2020-10-16_14-51-44]
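The single Set-AzureADUser command above covers the "account disabled" event. The following added example (not code from the original post) wraps that step together with the "administrator revokes all refresh tokens" event from the list, so that clients of services without CAE support also lose access at their next token refresh rather than only after the current access token expires. It assumes the AzureAD PowerShell module is installed and Connect-AzureAD has already been run with an account allowed to manage users; the function name Disable-CompromisedUser and the sample UPN are assumptions made for this example.

```powershell
# Added example (not from the original post). Requires the AzureAD module and an
# existing Connect-AzureAD session with user-management rights.
function Disable-CompromisedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Escape single quotes so the OData filter cannot be broken by the input.
    $safeUpn = $UserPrincipalName.Replace("'", "''")
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'"
    if (-not $user) { throw "User '$UserPrincipalName' not found" }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable account and revoke refresh tokens')) {
        # 1. Block sign-in. For CAE-enabled services (EXO/SPO) this event is pushed to
        #    the resource provider, so existing access tokens stop working on the next
        #    request instead of at the end of their lifetime.
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

        # 2. Revoke refresh tokens. Clients that do not support CAE keep a valid access
        #    token until it expires, but can no longer silently obtain a new one.
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    }

    # Return the resulting state for the incident ticket / audit trail.
    Get-AzureADUser -ObjectId $user.ObjectId |
        Select-Object UserPrincipalName, ObjectId, AccountEnabled, RefreshTokensValidFromDateTime
}

# Dry run first (nothing is changed), then the real thing.
Disable-CompromisedUser -UserPrincipalName 'user@contoso.onmicrosoft.com' -WhatIf
Disable-CompromisedUser -UserPrincipalName 'user@contoso.onmicrosoft.com'
```

Re-enabling the account afterwards is simply Set-AzureADUser -ObjectId <id> -AccountEnabled $true, subject to the SPO/Teams and EXO delays noted above; the revoked refresh tokens stay revoked, so the user has to sign in again on every client.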

Hopefully this will be improved upon and made available for more services in the next iteration.


About the Author: Marius Sandbu
