How Do Authentication and Authorization Work in the Microsoft Cloud?
Tokens are a vital part of modern authentication, enabling secure access to services without requiring repeated password entry. When a user logs into a Microsoft 365 tenant with their username, password, and a second factor, their identity is verified, and they receive a type of “access pass.” This typically includes several types of tokens:
ID Token (OpenID Connect): Contains identity information such as the username and object ID. It is usually valid for 1 hour.
Access Token (OAuth2): The actual “access pass” presented during each resource request. It is typically valid for about 1 hour.
Refresh Token: Remains valid for 14 days (Primary Refresh Token) to 90 days (Refresh Token) and allows the automatic renewal of the Access Token without requiring the user to log in again.
Whenever a resource is accessed, the Access Token is checked, avoiding the need for re-entering passwords. If the Access Token expires, a new one can typically be requested automatically using the Refresh Token.

The problem with tokens
When a user account is disabled or a password is changed during the token’s validity period, the token remains active until it expires. This creates a window of time where the user still has access to apps and services, even though they are no longer authorized, posing a significant security risk.
How were tokens revoked previously?
PowerShell Command
Administrators can use the PowerShell command:
Revoke-MgUserSignInSession -UserId <User-Id>
This revokes all refresh tokens for a user, requiring them to reauthenticate.
Microsoft Entra Portal (formerly Azure AD)
The “Revoke Session” option in the user profile page of the Microsoft Entra Portal allows administrators to end all active sessions for a user.
Password Reset and Account Deactivation
Actions like resetting a password or disabling an account invalidate tokens during the next authentication check. However, existing access tokens often remain valid until their expiration.
Conditional Access Policies
Conditional Access allows administrators to enforce non-persistent browser sessions and set session time limits.
The Challenge with Current Approaches
These methods are often reactive and cannot guarantee real-time revocation of access, especially if a valid token is still in use. This delay increases the risk of unauthorized access during the token’s remaining validity period.
Continuous Access Evaluation - Tokens revoked in real time
Continuous Access Evaluation (CAE) addresses the gap between token issuance and events such as account deactivation or password changes by enabling near real-time token revocation. CAE ensures that access tokens lose their validity immediately after specific security events are detected.
Key Benefits of CAE:
Real-time revocation of access tokens in specific scenarios:
User account deactivation or deletion.
Password reset or change.
Network location change.
MFA activation.
Admin revocation of all refresh tokens for a user.
Detection of high user risk by Entra ID Protection (except in SharePoint Online).
How Continuous Access Evaluation works (example):
A user logs into a Microsoft 365 tenant and receives an access token.
If the administrator resets the user’s password or makes another security-critical change, the access token is invalidated in real-time.
The user is prompted to re-authenticate, and access to Microsoft 365 services is blocked until the process is completed.
Which applications support Continuous Access Evaluation?
The following services support Continuous Access Evaluation:
Exchange Online
SharePoint Online (including OneDrive)
Microsoft Teams
Note: Some limitations exist depending on the client application (e.g., Outlook Web, Outlook Win32, or Outlook iOS).
How to enable Continuous Access Evaluation?
CAE at the tenant level:
CAE operates as a tenant feature by default, reacting to Entra ID events without relying on Conditional Access Policies. Security triggers include account deactivation, password changes, network changes, MFA activation, and high user risk detection.
Conditional Access Integration:
CAE is integrated as a session control within Conditional Access policies. Supported apps dynamically evaluate security events and block access or request re-authentication based on defined Conditional Access policies.
Continuous Access Evaluation - “Strict Location Enforcement”
Continuous Access Evaluation Strict Enforcement is a new mode in Conditional Access Policies. This mode ensures that access is immediately stopped if the IP address detected by the resource doesn't meet the requirements of the Conditional Access policy.
This is the highest security level for CAE, focusing on location controls and requiring administrators to understand the routing of authentication and access requests in their network. Extensive testing with a limited group of users is recommended before enabling “Strict Location Enforcement.”

Important notes
Token lifespan
With CAE enabled in Conditional Access Policies, token lifespan is no longer relevant. In CAE sessions, tokens can remain valid for up to 28 hours, with critical events and policies managing revocations instead of fixed time periods. Non-CAE clients retain the default access token validity of one hour.
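As an added illustration of the exposure window described under “The problem with tokens” and of the longer CAE token lifetimes noted above (example code written for this page, not Microsoft's or the author's): it decodes a constructed, unsigned JWT without verifying the signature, checks for the xms_cc claim that marks a CAE-capable client, and computes how long a resource that does not evaluate CAE would keep honouring the token after a password reset or account disable. All claim values and timestamps are constructed.

```python
import base64
import json

# Constructed, unsigned sample tokens (NOT real Microsoft tokens). Only the payload
# segment is decoded; the signature is never verified, so use this for inspection only.

def _unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none JWT so the example runs offline."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

ISSUED = 1_700_000_000  # constructed issue time (Unix seconds)
SUBJECT = {"aud": "https://graph.microsoft.com", "oid": "00000000-0000-0000-0000-000000000001"}
CLASSIC_TOKEN = _unsigned_jwt({**SUBJECT, "iat": ISSUED, "exp": ISSUED + 3600})
CAE_TOKEN = _unsigned_jwt({**SUBJECT, "iat": ISSUED, "exp": ISSUED + 24 * 3600,
                           "xms_cc": ["CP1"]})  # cp1 = client declared CAE capability

def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def is_cae_token(claims: dict) -> bool:
    """True when the client declared CAE capability (xms_cc contains cp1)."""
    return any(str(c).lower() == "cp1" for c in claims.get("xms_cc", []))

def token_lifetime_hours(claims: dict) -> float:
    """Issued lifetime: about 1 h for classic tokens, a day or more for CAE tokens."""
    return (claims["exp"] - claims["iat"]) / 3600

def exposure_window_seconds(claims: dict, event_time: int, resource_supports_cae: bool) -> int:
    """Seconds the token keeps working after a revocation event (password reset,
    account disable) at event_time. Revocation is immediate only when BOTH the
    client is CAE-capable and the resource (e.g. Exchange Online) evaluates CAE."""
    if is_cae_token(claims) and resource_supports_cae:
        return 0
    return max(0, claims["exp"] - event_time)

if __name__ == "__main__":
    for name, tok in (("classic", CLASSIC_TOKEN), ("cae", CAE_TOKEN)):
        c = decode_jwt_claims(tok)
        print(f"{name}: lifetime={token_lifetime_hours(c):.0f}h cae={is_cae_token(c)} "
              f"window after reset at +10min={exposure_window_seconds(c, ISSUED + 600, True)}s")
```

Running it shows the classic one-hour token still usable for 50 minutes after a reset ten minutes in, while the CAE token is rejected at once by a CAE-aware resource but not by one that only checks expiry.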
Migration of CAE
The CAE setting has been moved into the Conditional Access area. New CAE customers can enable CAE directly when creating Conditional Access Policies. Existing customers may need to migrate first.
CA Policies: Timeframe for changes to take effect
Changes to Conditional Access policies or group memberships can take up to a day to apply.
For immediate application:
Use the PowerShell command Revoke-MgUserSignInSession to revoke all refresh tokens for a user.
Alternatively, select “Revoke Session” on the user’s profile page.
Guest user limitations
Guest accounts are not supported by CAE.
Conclusion
CAE represents a significant improvement in dynamic, real-time access control. By integrating CAE with Conditional Access and Entra ID, businesses achieve a higher level of security that aligns with modern work environments. This proactive approach provides organizations with a critical edge in protecting against today’s evolving threats, where tokens are increasingly targeted by attackers.