Why MFA and Conditional Access Are No Longer Enough

It’s Time to Enable Continuous Access Evaluation (CAE) in Microsoft Entra ID

In many service reviews with our Managed SIEM clients, a troubling pattern keeps emerging: organisations believe that enabling Multi-Factor Authentication (MFA) and Conditional Access (CA) policies is enough to stop identity-based attacks. While those measures are foundational, they are no longer sufficient on their own. Again and again, we’re seeing incidents that could have been prevented if one additional control had been in place: Continuous Access Evaluation (CAE).

This blog explores a key shortfall in Microsoft’s Conditional Access framework and focuses on how Continuous Access Evaluation (CAE) within Microsoft Entra ID (formerly Azure Active Directory) helps address evolving identity threats. Let’s break down the issue.

The Problem: Credential-Based Attacks Are Evolving

For years, phishing attacks focused on stealing usernames and passwords. MFA has significantly raised the bar by requiring a second factor, and Conditional Access has added context-aware restrictions like device compliance and location checks. These defences have helped tremendously.

But attackers have adapted.

Instead of trying to break MFA or guess passwords, attackers now aim for something easier and more effective: session hijacking.

Here’s how it works:

  1. The attacker tricks a user into logging into a fake site.
  2. The user completes the MFA challenge.
  3. The attacker steals the session token that grants access after login.
  4. The attacker now has full access to apps and data – no password or MFA needed again.

This attack completely bypasses Conditional Access and MFA, because those checks happen at login – and the attacker is using a valid, already-approved session.

Why Conditional Access Does Not Trigger

When attackers use a man-in-the-middle (MitM) phishing toolkit like Evilginx, they proxy the legitimate login process. The user believes they are signing into Microsoft, completes MFA, and Conditional Access evaluates the request as legitimate. However, Conditional Access only checks the conditions at the time of login.

Importantly, Conditional Access evaluates the IP address of the proxy (the attacker’s server), not the end user’s real location. If the proxy is based in an allowed region or isn’t blocked, Conditional Access sees no reason to deny the session. Once the session token is issued, there is no further Conditional Access enforcement on that session unless explicitly revoked.

The Solution: Continuous Access Evaluation (CAE)

CAE closes this gap. It allows Microsoft Entra ID to re-evaluate user sessions in near real-time, not just at the moment of login.

With CAE enabled, Microsoft Entra ID can immediately revoke access when risk conditions change, such as:

  • Sign-in from a new, suspicious IP address
  • Impossible travel (for example, user signs in from London and then New York 3 minutes later)
  • The user’s risk level increases due to leaked credentials or suspicious activity
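The proxy-IP blind spot above and the London-to-New-York impossible-travel trigger are the kind of signal a SIEM can surface from sign-in logs. The following is an added example, not code from the original post or from Microsoft: it runs an impossible-travel check over constructed Entra ID sign-in events (JSON lines with the field names Entra uses; the IPs and coordinates are made up) and also reports whether the same session ID was reused from the new location.

```python
import json
import math
from datetime import datetime

# Constructed sample Entra ID sign-in events (illustrative, not real log data).
# The third event reuses alice's session ID from New York 3 minutes after her
# London sign-in, which is the impossible-travel scenario described above.
SAMPLE_SIGNINS = [
    '{"userPrincipalName":"alice@example.com","createdDateTime":"2024-05-01T09:00:00Z",'
    '"ipAddress":"203.0.113.10","sessionId":"s-1",'
    '"location":{"city":"London","latitude":51.5074,"longitude":-0.1278}}',
    '{"userPrincipalName":"bob@example.com","createdDateTime":"2024-05-01T09:01:00Z",'
    '"ipAddress":"198.51.100.7","sessionId":"s-2",'
    '"location":{"city":"Manchester","latitude":53.4808,"longitude":-2.2426}}',
    '{"userPrincipalName":"alice@example.com","createdDateTime":"2024-05-01T09:03:00Z",'
    '"ipAddress":"192.0.2.44","sessionId":"s-1",'
    '"location":{"city":"New York","latitude":40.7128,"longitude":-74.0060}}',
]

MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Alert on consecutive sign-ins by the same user whose implied speed exceeds max_kmh."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["createdDateTime"])
    last_by_user, alerts = {}, []
    for ev in events:
        upn = ev["userPrincipalName"]
        prev = last_by_user.get(upn)
        if prev is not None:
            km = haversine_km(prev["location"]["latitude"], prev["location"]["longitude"],
                              ev["location"]["latitude"], ev["location"]["longitude"])
            t0 = datetime.fromisoformat(prev["createdDateTime"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
            hours = max((t1 - t0).total_seconds() / 3600.0, 1 / 3600.0)  # floor at 1 s
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append({"user": upn, "session_reused": prev["sessionId"] == ev["sessionId"],
                               "from_ip": prev["ipAddress"], "to_ip": ev["ipAddress"],
                               "km": round(km), "kmh": round(kmh)})
        last_by_user[upn] = ev
    return alerts
```

A hit where `session_reused` is true is the stolen-token case: the same session is being used from a second location, which is exactly what CAE revocation (or a manual revoke from the SIEM) should cut off.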

Why CAE Matters

Without CAE, a stolen session token can remain valid for hours or even days. With CAE, that session can be cut off immediately.

CAE reduces the window of exposure during which an attacker can act undetected. It is especially valuable in high-risk environments and for protecting sensitive applications and data.

CAE is a Tactical Fix – Phishing-Resistant MFA is the Strategic Solution

While CAE improves the resilience of Conditional Access, it is a short-term mitigation, not a long-term defence.

The strategic answer is to prevent attackers from stealing reusable tokens in the first place. That means adopting phishing-resistant MFA methods.

What is phishing-resistant MFA?

Phishing-resistant MFA ensures that authentication tokens cannot be intercepted and reused on a different device or session. It uses cryptographic techniques to bind the authentication to the specific device or browser.

Common phishing-resistant MFA methods:
  • FIDO2 Security Keys (such as YubiKey): A physical device that authenticates the user using public/private key pairs. They only work on the legitimate domain and cannot be phished.
  • Windows Hello for Business: Biometric authentication bound to the device. Uses certificate-based access tied to the endpoint.
  • Microsoft Authenticator App with number matching and device-bound certificates: Adds proof-of-possession so tokens cannot be phished or replayed.
  • Passkeys: A modern, device-bound alternative to passwords that uses public/private key cryptography. Passkeys are phishing-resistant by design and work across platforms and browsers that support the standard.

These methods invalidate the entire session hijacking model. Even if the user is tricked into entering credentials, the attacker cannot reuse the resulting authentication because the token is cryptographically tied to the user’s device or key.

Our Recommendations for Implementing CAE

Enabling CAE is not complex, but it does require planning and validation.

  1. Enable CAE in Microsoft Entra ID
    Microsoft has made CAE generally available. Most modern Microsoft services (Exchange, SharePoint, Teams) already support CAE tokens.
  2. Update Your Conditional Access Policies
    Add session revocation triggers such as IP-based anomalies and user/sign-in risk detection. Also ensure that high-risk users are prompted to re-authenticate for sensitive or privileged operations where appropriate.
  3. Ensure Apps Are CAE-Compatible
    CAE works best when apps use modern authentication libraries. Audit your app estate and prioritise updates or replacements where needed.
  4. Monitor and Tune
    Review logs and adjust thresholds to reduce false positives. Combine CAE with your SIEM for real-time incident response.
  5. Require Compliant Devices and Block Unmanaged Devices
    Where possible, restrict access to devices that meet compliance policies (for example, managed by Intune or running antivirus software). Block access from personal or non-enrolled devices unless specific criteria are met.
  6. Begin Transitioning to Phishing-Resistant MFA
    Prioritise key users and high-risk roles. Start rolling out FIDO2 security keys, Windows Hello for Business, or passkeys. Remove legacy authentication methods where possible.
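Step 3 is where most CAE rollouts stall: an app only benefits from CAE if it declares itself CAE-capable and honours the claims challenge a resource returns when a token has been revoked mid-session. The following added example (ours, not code from the original post, Microsoft or MSAL) parses a constructed `WWW-Authenticate` challenge of the form Microsoft resources send for CAE and builds the claims payload a client passes to its authentication library on retry; the timestamp in the challenge is made up.

```python
import base64
import json
import re

# Constructed example of the 401 challenge a CAE-enabled Microsoft resource returns
# after a critical event (e.g. token revocation or IP change) invalidates a token.
# The claims value is built here rather than captured from a real tenant.
_CHALLENGE_JSON = json.dumps(
    {"access_token": {"nbf": {"essential": True, "value": "1714554800"}}},
    separators=(",", ":"),
)
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(_CHALLENGE_JSON.encode()).decode().rstrip("=") + '"'
)

# Client-capabilities claim a CAE-aware app sends on every token request so that
# Entra ID issues CAE tokens and expects the app to honour challenges.
CAE_CAPABILITY_CLAIMS = {"access_token": {"xms_cc": {"values": ["CP1"]}}}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header):
    """Split a 'Bearer k="v", ...' header into a dict of its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return dict(_PARAM_RE.findall(params))


def extract_claims_challenge(header):
    """Return the decoded claims challenge, or None if the 401 is not a CAE challenge."""
    params = parse_www_authenticate(header)
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # the challenge may arrive without base64 padding
    return json.loads(base64.b64decode(raw))


def merge_claims(challenge, capabilities=CAE_CAPABILITY_CLAIMS):
    """Combine a claims challenge with the xms_cc capability claim for the retry request."""
    merged = json.loads(json.dumps(capabilities))  # deep copy so the constant is untouched
    for token_type, claims in (challenge or {}).items():
        merged.setdefault(token_type, {}).update(claims)
    return merged
```

With MSAL for Python the merged dict is passed as `claims_challenge=json.dumps(...)` to `acquire_token_silent`, which forces a fresh token from Entra ID instead of replaying the revoked one; an app that simply retries with the cached token is the "not CAE-compatible" case the audit in step 3 should catch.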

Need Assistance?

At MTI, we know identity threats are evolving faster than ever. With 35+ years at the forefront of cybersecurity, a flexible SOC model tailored to your needs, and as a founding member of CREST UK, we’re trusted by leading organisations to stay ahead of attackers.

If you haven’t enabled Continuous Access Evaluation (CAE) yet, your users – and your business – remain vulnerable to advanced session hijacking attacks. Our experts are here to help you:

  • Enable CAE quickly and correctly
  • Update Conditional Access policies for real-time risk response
  • Transition to phishing-resistant MFA
  • Integrate continuous monitoring into your broader security operations

Don’t leave session security to chance. Contact MTI’s Cyber Team today to start securing your identities beyond the login point.