Microsoft on Tuesday explained that it is implementing its own version of Continuous Access Evaluation (CAE) identity and access protections for certain Office 365 and Azure Active Directory users.
CAE is a developing standard for sharing identity and access conditions more dynamically that’s part of the OpenID Foundation’s Shared Signals and Events Working Group. That group is currently developing both a CAE protocol standard and a Risk and Incident Sharing and Collaboration (RISC) standard.
CAE aims to address a limitation of federated identity and access systems: they typically evaluate access conditions only once, at the moment a log-in session is established, and any later change in circumstances is not communicated back to the service. This sort of situation might occur when a user logs into an application or service and then gets on a plane and flies to another destination where access conditions change.
The RISC initiative of the OpenID Foundation aims to create a standard that will prevent attackers from using possibly compromised accounts. For example, a user’s compromised e-mail account might be linked to an application and then used to receive that application’s account recovery messages.
CAE is based on a publish-and-subscribe approach for communicating session information between “apps, infrastructure, identity providers, device management services and device security services — regardless of whether they’re in the cloud or on-premises,” according to a CAE description by Google, which is also working on the OpenID Foundation’s CAE protocol standard. Under the CAE scenario, a publisher might be an identity service provider. A subscriber might be a software-as-a-service application or a virtual private network server.
Microsoft’s announcement explained that organizations using Exchange Online, Microsoft Teams and Azure AD without conditional access protections turned on likely are already using Microsoft’s own version of the CAE protocol in the background. The ability to use CAE specifically depends on the client, explained Alex Weinert, director of identity security at Microsoft.
“The latest versions of the Outlook and Teams application on Windows, iOS, MacOS, and Android are capable of CAE and there’s no action required from you if using these clients,” Weinert indicated in the announcement. “We will expand the list of compatible clients in the coming months.”
Currently, Microsoft’s version of the CAE will check if a user account has been disabled or deleted, or if refresh tokens have been revoked. It’ll check for password changes or resets, or if multifactor authentication (a secondary identity verification process) has been enabled. Lastly, Microsoft’s CAE leverages the Azure AD Identity Protection service to detect elevated user risk.
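The publish-and-subscribe arrangement described earlier, combined with the list of conditions just given, is illustrated by the following added example. It is not Microsoft's or the OpenID Foundation's code; an identity provider publishes one of the listed signals and a subscribing service invalidates the affected user's sessions rather than waiting for the access token to expire. All class names, session ids, subjects and timestamps are constructed.

```python
# Added illustration, not Microsoft's or the OpenID Foundation's code: a minimal
# publish/subscribe model of CAE. Class names, session ids and times are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Signal(Enum):
    """Conditions the article says Microsoft's CAE evaluates."""
    ACCOUNT_DISABLED = "account_disabled"
    ACCOUNT_DELETED = "account_deleted"
    REFRESH_TOKEN_REVOKED = "refresh_token_revoked"
    PASSWORD_CHANGED = "password_changed"
    MFA_ENABLED = "mfa_enabled"
    USER_RISK_ELEVATED = "user_risk_elevated"

@dataclass
class Session:
    subject: str                         # the signed-in user
    expires_at: int                      # constructed epoch seconds for the token
    revoked_by: Optional[Signal] = None  # set once a critical signal arrives

class IdentityPublisher:
    """Stands in for the identity provider (the publisher side)."""
    def __init__(self):
        self._subscribers = []
    def subscribe(self, callback):
        self._subscribers.append(callback)
    def publish(self, subject: str, signal: Signal):
        for callback in self._subscribers:
            callback(subject, signal)

class ResourceSubscriber:
    """Stands in for a relying service such as mail or chat (the subscriber)."""
    def __init__(self, publisher: IdentityPublisher):
        self.sessions = {}
        publisher.subscribe(self.on_signal)
    def create_session(self, session_id: str, subject: str, expires_at: int):
        self.sessions[session_id] = Session(subject, expires_at)
    def on_signal(self, subject: str, signal: Signal):
        # Any listed condition ends that user's sessions on their next request.
        for session in self.sessions.values():
            if session.subject == subject and session.revoked_by is None:
                session.revoked_by = signal
    def allowed_without_cae(self, session_id: str, now: int) -> bool:
        # Token-lifetime-only check: still passes after, say, a password reset.
        return now < self.sessions[session_id].expires_at
    def allowed_with_cae(self, session_id: str, now: int) -> bool:
        session = self.sessions[session_id]
        return session.revoked_by is None and now < session.expires_at
```

The contrast between `allowed_without_cae` and `allowed_with_cae` is the point: the token is unchanged, but the subscriber now has a second input it can act on before expiry.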
Microsoft is aiming for these sorts of CAE protocol checks to be “instantly evaluated,” but “in some cases latency of up to 15 minutes may be observed,” Weinert noted.
Microsoft is currently using its version of CAE with Exchange Online and Teams before expanding support to other Microsoft 365 services. It aims to share its learnings with the OpenID Foundation effort.
“As we’ve worked to deploy these CAE capabilities across Microsoft services, we’ve learned a lot and are sharing this information with the standards community,” Weinert explained. “We hope our experience in deployment can help inform an even better industry standard and are committed to implementing that standard once ratified, allowing all participating services to benefit.”