Continuous Access Evaluation explained

How CAE revokes access tokens in near real time when risk signals change — and what to do to make sure it works.

Continuous Access Evaluation (CAE) is the Microsoft Entra ID feature that lets resource services revoke access tokens in near real time when something material changes: a user is disabled, a password is reset, user risk rises, or the client's IP address moves outside a location that Conditional Access allows. Without CAE, an OAuth access token is honoured for its whole lifetime (typically 60 to 90 minutes), so a revoked account can keep reaching resources until the token expires.

The problem CAE solves

In the standard OAuth model:

  1. User signs in, gets an access token valid for ~60 minutes.
  2. The token is sent with every API call; the API validates the token's signature locally without contacting Entra ID.
  3. If during those 60 minutes the user is disabled, their password is reset, or their risk score spikes, the access token still works until it expires.

For a stolen-token scenario, that 60-minute window is exactly what attackers exploit. CAE narrows it to the gap between the revocation event and the token's next use, with two caveats a practitioner should keep in mind: the client must be CAE-capable, and some critical event (disable, password reset, refresh-token revocation, high user risk) or a failed location policy re-evaluation must actually occur. A quietly stolen token that triggers no event stays valid, which is why revocation and risk-based policies matter alongside CAE.

How CAE works

With CAE enabled:

  1. Resource services (Exchange Online, SharePoint Online, Microsoft Graph, Teams) subscribe to critical events published by Entra ID, so they learn about revocations without being contacted by the client for each request.
  2. When something material changes, such as the user being disabled, a password reset, user risk rising, or an admin revoking refresh tokens, Entra ID publishes a critical event to the subscribed services.
  3. On the next API call carrying a token issued before that event (or from an IP that the location policy no longer allows), the resource service answers HTTP 401 with a claims challenge in the WWW-Authenticate header (error="insufficient_claims" plus a base64url-encoded claims value) rather than honouring the token until it expires.
  4. A CAE-capable client decodes the challenge, includes it in a new token request to Entra ID and retries. Depending on the event, Entra ID issues a fresh token silently, forces interactive re-authentication, or refuses because the account is disabled. Because revocation no longer depends on expiry, Entra ID issues CAE-capable clients access tokens that live considerably longer than the standard 60 to 90 minutes, which is one more reason to make sure the challenge path actually works end to end.

The user experience varies: in benign cases (token refresh works), it's invisible. In hostile cases, the user is forced to re-authenticate or blocked.
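The exchange above, as an added example that is not part of the original page and not Microsoft's implementation: a model resource that subscribes to critical events and answers a revoked-but-unexpired token with a claims challenge, next to the pre-CAE expiry-only check from the earlier section, plus the client-side parsing of that challenge. The xms_cc/cp1 capability claim and the nbf-style challenge follow Entra ID's documented formats; the event store, user name, timestamps and the resource-side decision logic are constructed for illustration.

```python
"""Illustrative model of a Continuous Access Evaluation exchange.

Added example, not Microsoft's code: the event store, user, timestamps and the
resource-side decision logic are constructed. The xms_cc/cp1 capability claim
and the nbf claims challenge follow the documented Entra ID formats.
"""
import base64
import json
import re

# A CAE-capable client advertises capability "cp1" in the claims parameter of
# its token request; Entra ID echoes it back as the token's xms_cc claim.
CLIENT_CAPABILITIES = {"access_token": {"xms_cc": {"values": ["cp1"]}}}
AUTHORIZATION_URI = "https://login.microsoftonline.com/common/oauth2/authorize"


def b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str):
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))


def issue_token(sub: str, iat: int, cae_capable: bool, lifetime: int = 3600) -> dict:
    """Token payload only; a real access token is a signed JWT."""
    payload = {"sub": sub, "iat": iat, "exp": iat + lifetime}
    if cae_capable:
        payload["xms_cc"] = ["cp1"]
    return payload


def standard_check(token: dict, now: int) -> bool:
    """Pre-CAE resource: signature (omitted here) plus expiry, no round trip
    to the identity provider, so a disabled user keeps access until exp."""
    return token["exp"] > now


def cae_check(token: dict, now: int, critical_events: dict) -> tuple:
    """CAE-aware resource. critical_events maps user -> time of the last
    critical event (disable, password reset, token revocation, high risk).
    A CAE token issued at or before that time gets a 401 claims challenge."""
    if not standard_check(token, now):
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    revoked_at = critical_events.get(token["sub"])
    cae_token = "cp1" in token.get("xms_cc", [])
    if cae_token and revoked_at is not None and token["iat"] <= revoked_at:
        # Challenge shape Entra ID uses for CAE: demand a token issued
        # not before (nbf) the time of the critical event.
        challenge = {"access_token": {"nbf": {"essential": True, "value": str(revoked_at)}}}
        header = ('Bearer authorization_uri="%s", error="insufficient_claims", claims="%s"'
                  % (AUTHORIZATION_URI, b64url_encode(challenge)))
        return 401, {"WWW-Authenticate": header}
    # Non-CAE tokens cannot be challenged: they are honoured until exp.
    return 200, {}


def parse_claims_challenge(www_authenticate: str):
    """Client side: extract the claims challenge from the 401 so it can be
    handed to the next token request (MSAL accepts it as claims_challenge).
    Returns None when the 401 is not a claims challenge."""
    if 'error="insufficient_claims"' not in www_authenticate:
        return None
    m = re.search(r'claims="([^"]+)"', www_authenticate)
    return b64url_decode(m.group(1)) if m else None


def token_request_claims(challenge: dict) -> dict:
    """Claims parameter for the retry: capability advertisement merged with
    the challenge, so Entra ID re-evaluates and can force interactive sign-in."""
    merged = json.loads(json.dumps(CLIENT_CAPABILITIES))
    merged["access_token"].update(challenge["access_token"])
    return merged


def demo() -> dict:
    """Same disabled user, same 60-minute token: the pre-CAE check keeps
    honouring it, the CAE-aware resource challenges it."""
    issued, disabled_at, now = 1_700_000_000, 1_700_000_600, 1_700_001_200
    events = {"alice@contoso.example": disabled_at}  # constructed event store
    cae_tok = issue_token("alice@contoso.example", issued, cae_capable=True)
    legacy_tok = issue_token("alice@contoso.example", issued, cae_capable=False)
    status, headers = cae_check(cae_tok, now, events)
    challenge = parse_claims_challenge(headers.get("WWW-Authenticate", ""))
    return {
        "standard_still_accepts": standard_check(cae_tok, now),
        "cae_status": status,
        "challenge_nbf": challenge["access_token"]["nbf"]["value"] if challenge else None,
        "retry_claims": token_request_claims(challenge) if challenge else None,
        "legacy_client_status": cae_check(legacy_tok, now, events)[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The legacy token in demo() is the exposure window from the previous section made concrete: nothing in the token tells the resource the client can handle a challenge, so the resource has no option but to honour it until exp. In a real client you do not build the header parsing yourself; MSAL handles the 401, but only if the application was created with client capability cp1, which is the part custom apps most often forget.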

What's covered

CAE applies to a growing list of workloads:

  • Exchange Online (Outlook, EWS, Graph mail).
  • SharePoint Online (SharePoint, OneDrive, Teams files).
  • Microsoft Graph (most endpoints).
  • Microsoft Teams for chat and presence.

Coverage for Power BI, Power Apps, Defender and other services is being added over time; check Microsoft's current list of CAE-enabled workloads before assuming a given service participates.

What clients support CAE

Modern Microsoft 365 clients support CAE natively: new Outlook, classic Outlook (recent builds), Teams, OneDrive sync, Edge, and the modern web apps. A client takes part only if it declares the capability when requesting tokens (the xms_cc claim with value cp1, which MSAL sets when the application opts in) and can handle the resulting claims challenge. Older clients that do neither simply receive standard-lifetime tokens and are honoured until expiry; the same applies to custom applications built on MSAL that never opted in.

Events that trigger CAE revocation

  • User disabled or deleted.
  • Password change or reset.
  • MFA enabled for the user.
  • User risk raised to high by Entra ID Protection (including an admin confirming the account compromised).
  • Conditional Access location policy no longer satisfied, typically the client's IP address moving outside an allowed named location.
  • Refresh tokens revoked by admin action (Revoke-MgUserSignInSession, which calls POST /users/{id}/revokeSignInSessions in Microsoft Graph).

What admins should do

CAE is enabled by default and there is no tenant-wide switch to turn it on. What can change its behaviour is the "Customize continuous access evaluation" session control inside a Conditional Access policy, which can disable CAE for the users and apps that policy covers or switch it to strict location enforcement. Review your policies (Entra admin center → Protection → Conditional Access → Policies) and make sure no enabled policy disables CAE unintentionally.

For deeper coverage, keep clients current enough to handle the claims challenge. Legacy authentication protocols (basic-auth IMAP, POP and SMTP AUTH, and old Outlook builds that still use them) can't participate at all; block legacy authentication with Conditional Access (which you should be doing anyway).
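A check for the two admin points above (no enabled policy quietly disabling CAE, and a legacy-authentication block in place), as an added example that is not part of the original page or of Microsoft's tooling. It reads policies in the JSON shape returned by GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (the value array), which you can also export with Get-MgIdentityConditionalAccessPolicy -All | ConvertTo-Json -Depth 10. The three policies embedded below are constructed samples; the display names and the finance group ID are placeholders.

```python
"""Audit Conditional Access policies for CAE posture.

Added example, not Microsoft tooling. Input: the `value` array from
GET /identity/conditionalAccess/policies (Microsoft Graph v1.0). The sample
policies below are constructed; names and the group ID are placeholders.
"""
import json
import sys

SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        "sessionControls": None,
    },
    {
        "displayName": "Finance apps - CAE off for legacy tooling",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["finance-group-id"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"continuousAccessEvaluation": {"mode": "disabled"}},
    },
    {
        "displayName": "Require compliant device (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
        "sessionControls": {"continuousAccessEvaluation": {"mode": "strictEnforcement"}},
    },
]

# Graph clientAppTypes values that represent legacy authentication.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def cae_mode(policy: dict):
    """None means the tenant default (CAE on); otherwise the session-control
    mode: "disabled" or "strictEnforcement"."""
    session = policy.get("sessionControls") or {}
    return (session.get("continuousAccessEvaluation") or {}).get("mode")


def covers_all_users(policy: dict) -> bool:
    users = policy.get("conditions", {}).get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def blocks_legacy_auth(policy: dict) -> bool:
    """Enabled policy that blocks both legacy client types. A block on
    clientAppTypes "all" is a lockout rule, not a legacy-auth block, so it
    is deliberately not counted."""
    if policy.get("state") != "enabled":
        return False
    types = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    if not LEGACY_CLIENT_TYPES <= types:
        return False
    grant = policy.get("grantControls") or {}
    return "block" in (grant.get("builtInControls") or [])


def audit(policies: list) -> dict:
    """Findings an admin should act on. Report-only policies are ignored for
    the CAE check because their session controls are not enforced."""
    return {
        "cae_disabled_policies": [
            p["displayName"] for p in policies
            if p.get("state") == "enabled" and cae_mode(p) == "disabled"
        ],
        "legacy_auth_block_policies": [
            p["displayName"] for p in policies if blocks_legacy_auth(p)
        ],
        "legacy_auth_blocked_for_all": any(
            blocks_legacy_auth(p) and covers_all_users(p) for p in policies
        ),
    }


if __name__ == "__main__":
    # Usage: python cae_audit.py [policies.json]; without a file, audit the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
            policies = data.get("value", data) if isinstance(data, dict) else data
    else:
        policies = SAMPLE_POLICIES
    print(json.dumps(audit(policies), indent=2))
```

On the sample data the audit reports the finance policy as disabling CAE for its group while confirming a tenant-wide legacy-authentication block exists. A policy that disables CAE is sometimes legitimate (an app that cannot handle the challenge), but each such exception is a population of users whose tokens are back to being honoured until expiry, so it deserves an owner and a review date.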

CAE doesn't replace Conditional Access — it complements it. CA decides what to allow at sign-in; CAE re-evaluates that decision continuously.