When a user authenticates to an application or API via Microsoft Entra ID, they receive an access token with a set expiration time. When this token expires, the user must refresh it by contacting Entra ID again, and only at that point does Entra ID have the opportunity to deny renewal and cut off access. This denial may result from changes in the user's security posture (such as switching to an unauthorized network or a dangerous IP address, high-risk activity detection, etc.) or changes in their status, such as a disabled account. The issue is that these critical events cannot invalidate an access token until it is refreshed, even though near real-time responsiveness is needed.
To address this issue, Microsoft implemented the Continuous Access Evaluation (CAE) security feature to bridge this gap.
CAE is enabled by default, but a Conditional Access policy can disable it. Tenable considers it risky to disable this security feature, so it flags as a finding any Conditional Access policy that disables CAE.
Tenable and Microsoft have not documented any valid reasons for disabling CAE. Therefore, it's essential to investigate whether disabling CAE in this Conditional Access policy was intentional or an inadvertent side effect of addressing another issue.
If disabling CAE turns out to be legitimate, Tenable recommends using the Assignments section of the Conditional Access policy to reduce its scope. This involves including or excluding only the specific problematic users or groups rather than applying the policy to "All users".
Otherwise, Tenable recommends disabling or deleting the Conditional Access policy, especially if it does not apply to anyone.
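The following script is an added example, not Tenable's detection logic or Microsoft's code. It shows how the check and the recommendations above can be applied to Conditional Access policy objects in the shape returned by Microsoft Graph (`GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`), where a policy that disables CAE carries `sessionControls.continuousAccessEvaluation.mode == "disabled"`. Each flagged policy is classified by its Assignments scope (All users, a limited set, or no one) so that the output maps directly onto the advice to narrow the scope, or to disable or delete the policy. The sample policies, ids and names are constructed for this example.

```python
from typing import Any, Dict, List

# Constructed sample: the "value" array of a Graph response for
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
# Ids, names and group ids are made up for this example.
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {   # Does not touch CAE at all: no finding expected
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "includeRoles": []}},
        "sessionControls": None,
    },
    {   # Disables CAE for every user: the risky case
        "id": "22222222-2222-2222-2222-222222222222",
        "displayName": "Troubleshooting: CAE off",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "includeRoles": []}},
        "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}},
    },
    {   # Disables CAE for one group only (already scoped via Assignments)
        "id": "33333333-3333-3333-3333-333333333333",
        "displayName": "CAE exception for legacy app team",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"], "includeRoles": []}},
        "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}},
    },
    {   # Disables CAE but is assigned to no one: candidate for deletion
        "id": "44444444-4444-4444-4444-444444444444",
        "displayName": "Old CAE exception",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["None"], "includeGroups": [], "includeRoles": []}},
        "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}},
    },
]


def cae_disabled(policy: Dict[str, Any]) -> bool:
    """True when the policy's session controls explicitly set CAE mode to 'disabled'."""
    session = policy.get("sessionControls") or {}
    cae = session.get("continuousAccessEvaluation") or {}
    return cae.get("mode") == "disabled"


def scope_summary(policy: Dict[str, Any]) -> str:
    """Summarise the Assignments (users/groups/roles) the policy is included for."""
    users = (policy.get("conditions") or {}).get("users") or {}
    # Graph uses the literal "All" for all users and "None" for nobody.
    include_users = [u for u in (users.get("includeUsers") or []) if u != "None"]
    include_groups = users.get("includeGroups") or []
    include_roles = users.get("includeRoles") or []
    if "All" in include_users:
        return "All users"
    if not (include_users or include_groups or include_roles):
        return "no one"
    return f"{len(include_users)} user(s), {len(include_groups)} group(s), {len(include_roles)} role(s)"


def evaluate(policies: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per policy that disables CAE, with a recommendation
    derived from its state and Assignments scope."""
    findings = []
    for policy in policies:
        if not cae_disabled(policy):
            continue
        scope = scope_summary(policy)
        state = policy.get("state")
        if state == "disabled" or scope == "no one":
            advice = "delete: policy disables CAE but applies to no one (or is already disabled)"
        elif scope == "All users":
            advice = ("narrow: policy disables CAE for All users; confirm the exception is intentional, "
                      "then limit Assignments to the affected users or groups")
        else:
            advice = "review: policy disables CAE for a limited scope; confirm the exception is still needed"
        findings.append({
            "id": policy.get("id"),
            "displayName": policy.get("displayName"),
            "state": state,
            "scope": scope,
            "recommendation": advice,
        })
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_POLICIES):
        print(f"[{finding['state']}] {finding['displayName']} ({finding['id']}) "
              f"scope={finding['scope']} -> {finding['recommendation']}")
```

To run this against a real tenant, replace `SAMPLE_POLICIES` with the `value` array from the Graph endpoint above (the caller needs a token with `Policy.Read.All`); the evaluation itself needs no network access. Report-only policies (`state == "enabledForReportingButNotEnforced"`) are still reported, since they will start disabling CAE the moment someone switches them on.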
Name: Conditional Access Policy Disables Continuous Access Evaluation
Codename: CONDITIONAL-ACCESS-POLICY-DISABLES-CONTINUOUS-ACCESS-EVALUATION
Severity: Medium