Session Management and Continuous Access Evaluation
Session Management and Continuous Access Evaluation (CAE) are critical components within Microsoft Identity and Access Management that ensure secure and adaptive control over user sessions and resource access. **Session Management** refers to the policies and configurations that govern how long a user's authentication session remains valid and under what conditions re-authentication is required. In Microsoft Entra ID (formerly Azure AD), administrators can configure session controls through Conditional Access policies. Key aspects include: configurable token lifetimes, sign-in frequency controls that determine how often users must re-authenticate, persistent browser session settings, and session timeout policies. Administrators can enforce stricter session controls based on risk levels, device compliance, application sensitivity, or user roles. For example, accessing highly sensitive applications may require re-authentication every hour, while lower-risk apps may allow longer sessions. Session management helps balance security with user experience by ensuring that sessions are appropriately controlled without causing unnecessary disruption. **Continuous Access Evaluation (CAE)** is an advanced feature that enables near real-time enforcement of access policies by creating a continuous dialogue between the identity provider (Microsoft Entra ID) and resource providers (such as Exchange Online and SharePoint Online). Traditionally, access tokens were valid until expiration regardless of changes in user status.
CAE addresses this gap by allowing critical events—such as account disablement, password changes, user location changes, or elevated risk detection—to be communicated immediately to resource providers, triggering token revocation or re-evaluation in near real-time rather than waiting for token expiry. CAE supports two primary scenarios: critical event evaluation (responding to security events instantly) and conditional access policy evaluation (enforcing IP-based location policies continuously). This significantly reduces the window of vulnerability that exists between when a security event occurs and when access is actually revoked. Together, Session Management and CAE provide a robust, layered approach to maintaining secure access, ensuring that authentication decisions are continuously enforced throughout the lifecycle of a user's session.
Session Management and Continuous Access Evaluation (CAE) – SC-300 Exam Guide
Why Session Management and Continuous Access Evaluation Matter
In modern identity and access management, simply authenticating a user at sign-in is not enough. Threats can emerge during an active session — a user's account may become compromised, their device may fall out of compliance, or an administrator may revoke access. Without proper session management and continuous access evaluation, stale tokens could allow unauthorized access long after conditions have changed. This is why Microsoft developed mechanisms to shorten the window of risk between a policy change and its enforcement.
What Is Session Management?
Session management refers to the controls that govern how long a user's authenticated session lasts and under what conditions it must be refreshed or terminated. In Microsoft Entra ID (Azure AD), session management involves several key components:
• Token Lifetimes: Access tokens and refresh tokens have configurable lifetimes. Access tokens typically have a default lifetime of approximately 60–90 minutes. Refresh tokens are longer-lived and are used to obtain new access tokens without re-authentication.
• Conditional Access Session Controls: Within Conditional Access policies, administrators can configure session controls such as:
- Sign-in frequency: Determines how often users must re-authenticate. For example, you can require re-authentication every 1 hour for sensitive applications.
- Persistent browser session: Controls whether users remain signed in after closing and reopening their browser. Administrators can choose to allow or disallow persistent sessions.
- Customize continuous access evaluation: Allows administrators to disable CAE or rely on its default behavior within a Conditional Access policy.
• Configurable Token Lifetimes (Legacy): Microsoft previously offered token lifetime policies via PowerShell. Many of these have been deprecated in favor of Conditional Access session controls. For the SC-300 exam, know that Conditional Access is the recommended approach for managing session behavior.
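To make the session controls above concrete, here is an added example (not code from the guide or from Microsoft) that builds a Conditional Access policy body in the shape the Microsoft Graph `conditionalAccessPolicy` resource expects, with the sign-in frequency and persistent browser settings the guide describes, and audits a policy for weak session settings. The application and group IDs are constructed placeholders; the `continuousAccessEvaluation` session control is a beta-only Graph property and its exact wire format is an assumption to check against the current reference before use.

```python
import json

# Constructed placeholder IDs (not real tenant values).
SENSITIVE_APP_ID = "00000000-0000-0000-0000-000000000001"
PILOT_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"


def build_session_policy(display_name, app_ids, group_ids,
                         sign_in_frequency_hours=None,
                         persistent_browser="never",
                         cae_mode=None):
    """Return a Graph conditionalAccessPolicy request body with session controls.

    signInFrequency / persistentBrowser follow the v1.0 resource shape.
    cae_mode ("disabled" or "strictLocation") maps to the beta-only
    continuousAccessEvaluation control; assumed shape, verify before use.
    """
    session_controls = {}
    if sign_in_frequency_hours is not None:
        session_controls["signInFrequency"] = {
            "isEnabled": True,
            "type": "hours",
            "value": sign_in_frequency_hours,
            "frequencyInterval": "timeBased",  # re-auth on a schedule, not every time
        }
    if persistent_browser is not None:
        session_controls["persistentBrowser"] = {
            "isEnabled": True,
            "mode": persistent_browser,  # "always" keeps users signed in after closing the browser
        }
    if cae_mode is not None:
        session_controls["continuousAccessEvaluation"] = {"mode": cae_mode}
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # start in report-only mode
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": list(app_ids)},
            "clientAppTypes": ["all"],
        },
        "sessionControls": session_controls,
    }


def audit_session_controls(policy):
    """Return a list of findings describing weak session settings in a policy body."""
    findings = []
    sc = policy.get("sessionControls", {})

    sif = sc.get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        findings.append("no sign-in frequency: session lasts until the refresh token expires")
    else:
        hours = sif.get("value", 0) * (24 if sif.get("type") == "days" else 1)
        if hours > 24:
            findings.append("sign-in frequency longer than 24 hours")

    pb = sc.get("persistentBrowser")
    if not pb or not pb.get("isEnabled") or pb.get("mode") != "never":
        findings.append("persistent browser session allowed: unsuitable for shared or kiosk devices")

    cae = sc.get("continuousAccessEvaluation")
    if cae and cae.get("mode") == "disabled":
        findings.append("CAE disabled: critical events will not revoke access before token expiry")
    return findings


# Weak setting beside the corrected one for the same sensitive application.
WEAK_POLICY = build_session_policy(
    "Finance app - weak", [SENSITIVE_APP_ID], [PILOT_GROUP_ID],
    sign_in_frequency_hours=None, persistent_browser="always", cae_mode="disabled")
HARDENED_POLICY = build_session_policy(
    "Finance app - hardened", [SENSITIVE_APP_ID], [PILOT_GROUP_ID],
    sign_in_frequency_hours=4, persistent_browser="never", cae_mode="strictLocation")

if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(policy["displayName"], "->", audit_session_controls(policy) or ["no findings"])
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The body is what you would POST to the `identity/conditionalAccess/policies` endpoint (or pass to `New-MgIdentityConditionalAccessPolicy -BodyParameter`), starting in report-only state so the effect on users can be reviewed in sign-in logs before enforcement.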
What Is Continuous Access Evaluation (CAE)?
Continuous Access Evaluation is a mechanism that allows Microsoft Entra ID and resource providers (such as Exchange Online and SharePoint Online) to communicate in near real-time about critical events. Instead of waiting for a token to expire before enforcing a policy change, CAE enables the resource provider to reject a token almost immediately when certain events occur.
How CAE Works
CAE operates through a partnership between the identity provider (Microsoft Entra ID) and the resource provider (e.g., Exchange Online, SharePoint Online, Microsoft Teams, Microsoft Graph):
1. Critical Event Evaluation: When a critical event occurs, the resource provider is notified and can revoke access immediately, regardless of the token's remaining lifetime. Critical events include:
- User account is disabled or deleted
- Password is changed or reset
- Multi-factor authentication is enabled for the user
- Administrator explicitly revokes all refresh tokens for a user
- High user risk detected by Microsoft Entra ID Protection
2. Conditional Access Policy Evaluation (Claims Challenge): Resource providers can also evaluate Conditional Access policies in near real-time. For example, if a user moves from a trusted network to an untrusted network, the resource provider can issue a claims challenge, forcing the client to go back to Microsoft Entra ID to re-evaluate the Conditional Access policy. This is known as IP-based policy enforcement.
3. Long-Lived Tokens with CAE: When CAE is enabled, access tokens issued for CAE-capable workloads have an extended lifetime of up to 28 hours (instead of the default ~1 hour). This is because the near-real-time revocation capability reduces the need for short-lived tokens. The security posture is actually improved because critical events trigger immediate revocation regardless of token lifetime.
4. Client Capability: For CAE to work, the client application must be CAE-aware (CAE-capable). Modern Microsoft applications like Outlook, Teams, OneDrive, and Office apps support CAE. Applications using MSAL (Microsoft Authentication Library) can also be built to support CAE by handling claims challenges.
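The claims challenge in steps 2 and 4 is what a CAE-aware client has to handle. The following added example (not code from the guide, Microsoft, or MSAL) parses the `WWW-Authenticate: Bearer` header a CAE-capable resource returns when a still-unexpired token is rejected, decodes the base64 `claims` parameter, and decides whether the client should go back to Microsoft Entra ID for a new token. Both 401 headers are constructed samples; the MSAL calls mentioned in comments are the documented MSAL Python API but are not executed here.

```python
import base64
import json
import re

# Constructed sample: a CAE claims challenge after a critical event or IP change.
_SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_CAE_401 = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(json.dumps(_SAMPLE_CLAIMS).encode()).decode() + '"'
)
# Constructed sample: an ordinary expired-token challenge carrying no claims.
SAMPLE_PLAIN_401 = 'Bearer realm="", error="invalid_token", error_description="token expired"'

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer header into its key/value parameters."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(header[len("Bearer"):]))


def decode_claims_challenge(encoded):
    """Decode the base64 (standard or URL-safe, padded or not) claims parameter."""
    normalized = encoded.replace("-", "+").replace("_", "/")
    padded = normalized + "=" * (-len(normalized) % 4)
    return json.loads(base64.b64decode(padded))


def needs_claims_retry(header):
    """Return the decoded claims request when the 401 is a CAE challenge, else None."""
    params = parse_bearer_challenge(header)
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    return decode_claims_challenge(params["claims"])


def is_cae_capable_token(payload):
    """A token minted for a CAE-aware client carries the xms_cc claim with 'cp1'.

    The client advertises this with PublicClientApplication(..., client_capabilities=["cp1"])
    in MSAL Python; payload here is an already-decoded JWT body supplied by the caller.
    """
    return "cp1" in [c.lower() for c in payload.get("xms_cc", [])]


def retry_with_claims(header, acquire_token):
    """Drive the CAE retry: decode the challenge and ask for a token that satisfies it.

    acquire_token(claims_json) stands in for MSAL's
    app.acquire_token_silent(scopes, account=acct, claims_challenge=claims_json),
    which sends the claims request back to Microsoft Entra ID so Conditional Access
    and critical events are re-evaluated. Returns None when the 401 is not a CAE
    challenge, so the caller surfaces it as a normal authentication failure.
    """
    claims = needs_claims_retry(header)
    if claims is None:
        return None
    return acquire_token(json.dumps(claims))


if __name__ == "__main__":
    def fake_acquire(claims_json):  # constructed stand-in for MSAL
        return "new-token-satisfying:" + claims_json

    print(retry_with_claims(SAMPLE_CAE_401, fake_acquire))
    print(retry_with_claims(SAMPLE_PLAIN_401, fake_acquire))
    print(is_cae_capable_token({"xms_cc": ["cp1"]}), is_cae_capable_token({}))
```

The important behaviour from a security standpoint is in `needs_claims_retry`: a client that only retries on `invalid_token` (expiry) and ignores `insufficient_claims` keeps using a token the resource has already rejected, which is exactly the legacy-client case the guide says CAE does not cover.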
Key Concepts for the Exam
• Sign-in Frequency vs. CAE: Sign-in frequency is a Conditional Access session control that forces periodic re-authentication. CAE is a separate mechanism that enables near-real-time revocation. They serve different but complementary purposes. Sign-in frequency is best for requiring periodic interactive authentication. CAE is best for responding to critical security events quickly.
• CAE and Conditional Access Interaction: CAE can be configured or disabled via Conditional Access policies under the Session controls section (Customize continuous access evaluation). By default, CAE is enabled for all tenants and all CAE-capable applications. You can disable it per policy if needed.
• Strictly Enforce Location Policies: In Conditional Access, the option "Disable Resilience Defaults" or the CAE strict enforcement mode ensures that when a user leaves a trusted IP range, their access is revoked immediately. Without strict mode, there may be a grace period to maintain service availability.
• Supported Workloads: CAE is supported for Exchange Online, SharePoint Online, Microsoft Teams, and Microsoft Graph. Not all workloads support CAE, so for unsupported resources, standard token lifetime behavior applies.
• Revoke-Refresh-Tokens: When an admin uses Revoke-AzureADUserAllRefreshToken or revokes sessions through the Microsoft Entra admin center, CAE-enabled resource providers are notified in near real-time to block access.
Practical Scenarios
Scenario 1: A user's account is compromised, and the admin resets the password. With CAE, the user's existing sessions to Exchange Online and SharePoint Online are terminated within minutes, not after the access token expires.
Scenario 2: A Conditional Access policy requires users to access SharePoint only from the corporate network. A user leaves the office and connects via a coffee shop Wi-Fi. With CAE and IP-based enforcement, SharePoint detects the IP change and issues a claims challenge, blocking access almost immediately.
Scenario 3: An organization wants users to re-authenticate every 4 hours when accessing a highly sensitive application. The admin configures a Conditional Access policy with sign-in frequency set to 4 hours targeting that application.
Exam Tips: Answering Questions on Session Management and Continuous Access Evaluation
1. Know the critical events that trigger CAE: Account disabled/deleted, password change, MFA enabled, admin revokes tokens, and high user risk. If a question asks what triggers near-real-time revocation, these are the answers.
2. Remember that CAE extends token lifetime to up to 28 hours: This may seem counterintuitive. If a question asks about the impact of CAE on token lifetime, remember that tokens live longer with CAE because the near-real-time revocation compensates for the extended lifetime.
3. Distinguish between sign-in frequency and CAE: Sign-in frequency forces periodic re-authentication on a schedule. CAE responds to events and policy changes in near real-time. A question about enforcing re-authentication every X hours points to sign-in frequency. A question about immediate revocation when a user's risk changes points to CAE.
4. Conditional Access is the recommended approach: If a question offers token lifetime policies (legacy) vs. Conditional Access session controls, choose Conditional Access session controls as the modern and recommended method.
5. Persistent browser session: This setting controls whether users stay signed in after closing the browser. If a question mentions shared or kiosk devices, the answer likely involves disabling persistent browser sessions.
6. CAE-capable clients are required: If a question involves a legacy application that does not support MSAL or claims challenges, CAE will not apply. The application must be CAE-aware.
7. IP-based enforcement with CAE: Know that CAE can enforce location-based Conditional Access policies in near real-time. If a question asks how to ensure users lose access immediately when they leave the corporate network, the answer involves CAE with IP-based policy evaluation.
8. Default behavior: CAE is enabled by default for supported workloads. You do not need to take action to enable it — questions may test whether you know this.
9. Read carefully for the keyword "immediately" or "near real-time": These phrases in a question strongly hint at CAE as the correct answer rather than sign-in frequency or token lifetime configuration.
10. Understand the Customize Continuous Access Evaluation option: In the Conditional Access policy session controls, this setting allows you to disable CAE for specific scenarios. If a question asks how to disable CAE for a particular set of users or apps, this is the mechanism.
By mastering the relationship between token lifetimes, Conditional Access session controls, and Continuous Access Evaluation, you will be well prepared to answer SC-300 exam questions on this topic confidently and accurately.