Base Office 365 Workloads React to Critical Azure AD Events
Microsoft made a critical announcement on January 10 when they revealed that the base Office 365 workloads support continual access evaluation (CAE) for specific Azure AD events. What’s more, Microsoft has enabled this capability for all Microsoft 365 tenants.
Exchange Online, SharePoint Online, and Teams can now accept signals from Azure AD when an administrator:
- Deletes or disables an Azure AD user account.
- Changes or resets the password for a user account.
- Explicitly revokes all refresh tokens for a user account.
- Enables multi-factor authentication for a user account.
The top three actions correspond to highlighted options available at the top of the user account management card in the Microsoft 365 admin center (Figure 1). Multifactor enablement is at the bottom of the card.
In addition, Exchange Online can respond when Azure AD Identity Protection detects that higher risk of compromise exists for a user account.
CAE means that the “enlightened” applications learn about changes in user accounts in almost real-time. For instance, if an administrator deletes a user account, the applications remove access immediately instead of waiting for the access token granted as the result of the last successful authentication by the account to expire. Microsoft says that the use of CAE means that “authentication session lifespan now depends on session integrity rather than on a predefined duration.” For example, if an event like a password change occurs to affect the integrity of a browser session where a user is connected to SharePoint Online, instead of waiting for the access token to expire, SharePoint Online will immediately demand that the user re-establishes session integrity by proving their credentials are still valid.
The effect is that users affected by these critical events must either reauthenticate (for instance, using a new password), or lose access to email, documents, calendar, and Teams. This makes it much easier to manage the possibility of data loss in cases like account compromise or the departure of disgruntled employees.
A benefit of CAE is that in the case of outages, extended session lifetimes enabled by removing the dependency on the access token as the sole control over accounts mean that people can continue working without needing to revert to Azure AD (see this note about the Azure AD backup service).
Conditional Access Policy Support
While response to critical Azure AD events is available for all Microsoft 365 tenants, those with Azure AD Premium licenses can include CAE in their decision to grant or deny user access to applications based on conditions like network location.
Zero Trust in Action
Microsoft talks about the Zero Trust model a lot. Actions like adding CAE to all Microsoft 365 are practical and useful examples of the Zero Trust initiative. Even if you don’t use conditional access policies (something I think all tenants should consider), the fact that the base Office 365 workloads now respond to critical Azure AD events almost in real time is a very welcome advance.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.