Enforcing Azure Active Directory security via Continuous Access Evaluation


Microsoft’s Azure AD Identity Protection and Azure AD Conditional Access provide the ability to monitor user sign-in attempts and analyse them for risk. Reducing the chance that a compromised account or a risky sign-in attempt completes authentication and authorisation is important, but what if circumstances change after a user has successfully logged in?

An end user is issued an OAuth 2.0 access token at the time of a successful authentication, and that token has a lifespan that keeps the end user’s session valid until the token expires. The Configurable Token Lifetime policy sets that lifespan to one hour by default unless configured otherwise. Imagine, however, that you’re an admin who needs to block a specific user’s access immediately, or that the service detects a user is now accessing data behind authentication from free Wi-Fi at a coffee shop instead of from their corporate office. The end user’s non-expired access token would need to be revoked immediately, forcing them to re-attempt authentication and authorisation – which will fail if their account has been disabled, or may present them with a multi-factor authentication challenge because of their new location.

This is addressed via Continuous Access Evaluation, which provides a standard way for an identity provider or a service (also known as the relying party or resource provider) to stop honouring a valid token and to require a fresh authentication and authorisation attempt. Sonia Cuff has recently shared a brilliant write-up detailing how, with Continuous Access Evaluation in place, the lifespan of a token is no longer important, as we can re-challenge a user whenever circumstances change, without having to wait for their token to expire.
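To make the difference concrete, here is an added toy simulation of the behaviour described above. It is illustrative code written for this post, not Microsoft’s Continuous Access Evaluation implementation or any Azure AD API: the `IdentityProvider`, `ResourceProvider`, `CriticalEvent` names and the use of a client IP address as a stand-in for the network-location signal are all assumptions. A legacy resource provider honours a token until its `exp`; a CAE-enabled one also consults critical events (account disabled, location changed) raised after the token was issued and rejects the token early so the client must re-authenticate.

```python
"""Toy model of Continuous Access Evaluation (CAE).

Hypothetical simulation for illustration only; it is not Microsoft's
implementation. The one-hour lifetime matches the default quoted in
the article. Client IP stands in for the network-location signal.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TOKEN_LIFETIME_SECONDS = 3600  # Configurable Token Lifetime default: one hour


@dataclass(frozen=True)
class AccessToken:
    subject: str
    issued_at: int        # seconds since epoch (constructed values below)
    expires_at: int
    issued_from_ip: str   # assumption: IP used as the location signal


@dataclass(frozen=True)
class CriticalEvent:
    """An event the identity provider publishes to resource providers."""
    subject: str
    kind: str             # "account_disabled" or "location_changed"
    at: int


@dataclass
class IdentityProvider:
    events: List[CriticalEvent] = field(default_factory=list)
    disabled: Set[str] = field(default_factory=set)

    def issue(self, subject: str, now: int, client_ip: str) -> AccessToken:
        # Re-authentication for a disabled account must fail.
        if subject in self.disabled:
            raise PermissionError(f"account {subject} is disabled")
        return AccessToken(subject, now, now + TOKEN_LIFETIME_SECONDS, client_ip)

    def disable_account(self, subject: str, now: int) -> None:
        self.disabled.add(subject)
        self.events.append(CriticalEvent(subject, "account_disabled", now))


@dataclass
class ResourceProvider:
    idp: IdentityProvider
    cae_enabled: bool = True

    def evaluate(self, token: AccessToken, now: int, client_ip: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for one request carrying `token`."""
        if now >= token.expires_at:
            return False, "token_expired"
        if not self.cae_enabled:
            # Legacy behaviour: any unexpired token is honoured.
            return True, "ok"
        # CAE: critical events raised after issuance invalidate the token.
        for ev in self.idp.events:
            if ev.subject == token.subject and ev.at >= token.issued_at:
                return False, f"revoked:{ev.kind}"
        # CAE: the service itself notices a location change and re-challenges.
        if client_ip != token.issued_from_ip:
            self.idp.events.append(CriticalEvent(token.subject, "location_changed", now))
            return False, "reauth_required:location_changed"
        return True, "ok"


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: admin disables a user, another user changes network."""
    idp = IdentityProvider()
    rp_cae = ResourceProvider(idp, cae_enabled=True)
    rp_legacy = ResourceProvider(idp, cae_enabled=False)
    t0 = 1_000_000
    office_ip, cafe_ip = "203.0.113.10", "198.51.100.7"  # constructed documentation IPs

    results: Dict[str, object] = {}
    alice = idp.issue("alice", t0, office_ip)
    results["initial"] = rp_cae.evaluate(alice, t0 + 60, office_ip)

    idp.disable_account("alice", t0 + 120)  # admin blocks access immediately
    results["legacy_after_disable"] = rp_legacy.evaluate(alice, t0 + 180, office_ip)
    results["cae_after_disable"] = rp_cae.evaluate(alice, t0 + 180, office_ip)
    try:
        idp.issue("alice", t0 + 200, office_ip)
        results["alice_reauth"] = "issued"
    except PermissionError:
        results["alice_reauth"] = "denied"

    bob = idp.issue("bob", t0, office_ip)
    results["cae_location_change"] = rp_cae.evaluate(bob, t0 + 300, cafe_ip)
    results["expired"] = rp_legacy.evaluate(bob, t0 + TOKEN_LIFETIME_SECONDS, office_ip)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The legacy provider keeps accepting Alice’s token for the rest of the hour after her account is disabled; the CAE-enabled one rejects it on the next request, and her re-authentication attempt is refused. Bob’s token is likewise rejected when the request arrives from a different network, which is the point at which a real deployment would apply the Conditional Access policy (for example an MFA challenge) on the re-authentication.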

As you are aware, our team thrives on IT professionals’ feedback, which inspires the content we create. This includes technical articles, demo videos and interviews. We are also actively monitoring and engaging with the #AzOps hashtag on Twitter. Feel free to reach out with any of your questions, as our team is always happy to help.

Learn more