Continuous Access Evaluation is a security feature in Microsoft 365 that revokes access to Exchange Online data within minutes when a user account is compromised or disabled, rather than waiting for the token to expire. In classic Outlook and other legacy clients, CAE relies on a separate background service and specific registry keys to function. The new Outlook for Windows, a completely rebuilt client, handles CAE differently. This article explains how CAE changed between classic Outlook and the new Outlook, what administrators need to configure, and what limitations remain.
Key Takeaways: Continuous Access Evaluation in Classic vs New Outlook
- CAE enforcement point: Classic Outlook uses a separate background service and registry keys; new Outlook uses the native Exchange Web Services connection built into the app.
- Token refresh behavior: Classic Outlook relies on the ADAL cache and requires manual registry edits; new Outlook uses the Microsoft Authentication Library integrated in the client.
- Administrator configuration: New Outlook requires no additional client-side registry settings — CAE works if the tenant and user license support it.
How Continuous Access Evaluation Works in Microsoft 365
Continuous Access Evaluation is a security protocol that allows Azure Active Directory to send real-time revocation events to connected clients. When an administrator disables a user account, changes a password, or applies a Conditional Access policy, CAE forces the client to reauthenticate or block access within minutes. This is a significant improvement over the previous model where access tokens remained valid for up to 60 minutes.
CAE Requirements
CAE requires the following components:
- An Exchange Online mailbox with a Microsoft 365 E3, E5, or equivalent license
- Azure Active Directory Premium P1 or P2 licenses for all users
- Clients that support the CAE protocol (Outlook for Windows, Outlook for Mac, Outlook mobile, Outlook on the web)
- Network connectivity to the CAE endpoint at https://outlook.office365.com
How Classic Outlook Implements CAE
Classic Outlook (the 32-bit or 64-bit desktop application included with Microsoft 365) uses a separate background service called the Outlook Service for Continuous Access Evaluation. This service communicates with Azure AD to receive revocation events. The service is installed automatically with Outlook, but it requires specific registry keys to enable CAE for the client. Administrators must set the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover with a DWORD value named EnableCAE set to 1. Without this registry key, classic Outlook falls back to the standard token expiration model.
How the New Outlook Handles Continuous Access Evaluation
The new Outlook for Windows is a web-based client that uses the same underlying architecture as Outlook on the web. Instead of relying on a separate background service, the new Outlook uses the native Exchange Web Services connection and the Microsoft Authentication Library built into the app. When Azure AD sends a revocation event, the new Outlook receives it through the same WebSocket connection used for real-time mailbox synchronization. This eliminates the need for a separate service and the associated registry keys.
CAE Is Enabled by Default in New Outlook
Unlike classic Outlook, the new Outlook does not require any client-side registry configuration for CAE. If the tenant and user licenses support CAE, the new Outlook automatically uses it. The client registers itself with Azure AD during the initial authentication handshake and maintains a persistent connection to the CAE endpoint. When a revocation event occurs, the new Outlook receives it within 2 to 5 minutes and immediately blocks access or prompts for reauthentication.
What Changed for Administrators
Administrators who previously had to deploy registry keys for classic Outlook can now remove those keys for users who have migrated to the new Outlook. The CAE behavior is controlled entirely at the tenant level through Azure AD Conditional Access policies. No additional client configuration is needed. However, administrators should verify that the new Outlook is using the correct authentication method by checking the sign-in logs in Azure AD.
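The registry check and cleanup described above can be scripted per user. The following PowerShell is an added example, not code from this article's author or from Microsoft: the function name `Get-ClassicOutlookCaeSetting` and the `-RemoveForMigratedUser` switch are hypothetical, while the registry path and the `EnableCAE` value name are the ones this article gives for classic Outlook.

```powershell
# Added example: audits the EnableCAE value this article names for classic Outlook.
# Function name and -RemoveForMigratedUser are hypothetical, chosen for illustration.
function Get-ClassicOutlookCaeSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Registry path and value name as stated in the article.
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover',
        [string]$ValueName = 'EnableCAE',
        # Pass this only for users who have moved to the new Outlook.
        [switch]$RemoveForMigratedUser
    )

    $state = 'NotSet'   # value absent: classic Outlook uses plain token expiry
    $raw = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw = $item.$ValueName
            # The article specifies a DWORD; flag any other type as a deployment error.
            $kind = (Get-Item -LiteralPath $KeyPath).GetValueKind($ValueName)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { $state = 'WrongType' }
            elseif ($raw -eq 1) { $state = 'Enabled' }
            else { $state = 'Disabled' }
        }
    }

    $removed = $false
    if ($RemoveForMigratedUser -and $state -ne 'NotSet') {
        # ShouldProcess makes -WhatIf and -Confirm work for the deletion.
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName
            $removed = $true
        }
    }

    # One object per user, suitable for Export-Csv in a logon script or inventory job.
    [pscustomobject]@{
        User    = $env:USERNAME
        KeyPath = $KeyPath
        Value   = $raw
        State   = $state
        Removed = $removed
    }
}

Get-ClassicOutlookCaeSetting
```

Run it with `-RemoveForMigratedUser -WhatIf` first to preview the deletion; because the key lives under HKCU, the script must run in each user's own session.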
Steps to Verify CAE Is Working in New Outlook
Follow these steps to confirm that Continuous Access Evaluation is active in the new Outlook for Windows.
- Open the new Outlook app
  Launch the new Outlook for Windows. If you are still using classic Outlook, you can switch by toggling the Try the new Outlook slider at the top right of the classic Outlook window.
- Sign in with your Microsoft 365 work or school account
  Enter your email address and password. Complete any multi-factor authentication prompts that appear.
- Open the account settings
  Click the gear icon in the top right to open Settings. Then navigate to Accounts > Email accounts.
- Check the authentication method
  Under the account name, look for the text Modern Authentication or OAuth 2.0. If you see Basic Authentication, CAE is not supported. Contact your IT administrator to enable Modern Authentication for your tenant.
- Test a real-time revocation
  Ask your IT administrator to disable your account temporarily in the Microsoft 365 admin center. In the new Outlook, wait 2 to 5 minutes. You should see a banner saying Your access has been blocked or a prompt to sign in again.
Limitations and Edge Cases in New Outlook
CAE Does Not Work with Shared Mailboxes or Delegates
Continuous Access Evaluation in the new Outlook only applies to the primary mailbox of the signed-in user. Shared mailboxes, delegate access, and group mailboxes are not covered by CAE. If a user loses access to a shared mailbox due to a revocation event, they must sign out and sign in again to refresh the permissions.
CAE Requires a Persistent Internet Connection
The new Outlook uses a WebSocket connection to receive CAE events. If the network connection is interrupted or the device goes offline, CAE does not work. When the connection is restored, the client re-registers with Azure AD and receives any pending revocation events. Users working in offline mode should sign out and sign back in after reconnecting to ensure CAE is active.
Third-Party Add-Ins May Interfere with CAE
Some third-party add-ins that intercept authentication or modify network traffic can block CAE events. If users report that CAE is not working in the new Outlook, ask them to disable all add-ins temporarily and test again. To disable add-ins, go to Settings > General > Manage add-ins and toggle each add-in off.
Classic Outlook vs New Outlook: Continuous Access Evaluation Comparison
| Item | Classic Outlook | New Outlook |
|---|---|---|
| CAE enforcement mechanism | Separate background service (Outlook Service for CAE) | Native WebSocket connection via Exchange Web Services |
| Client-side configuration required | Yes — registry key HKCU\…\EnableCAE = 1 | No — CAE is enabled by default |
| Token refresh method | ADAL cache with registry-based settings | Microsoft Authentication Library integrated in the app |
| Supported mailbox types | Primary mailbox only | Primary mailbox only |
| Offline behavior | CAE does not function offline | CAE does not function offline |
| Administrator monitoring | Check sign-in logs and registry deployment | Check sign-in logs in Azure AD only |
Continuous Access Evaluation in the new Outlook is simpler to deploy and maintain because it removes the requirement for client-side registry keys. The new Outlook uses the same CAE infrastructure as Outlook on the web, which means administrators can rely on the same tenant-level policies. For organizations that are migrating from classic Outlook to the new Outlook, the CAE transition is seamless as long as the tenant meets the licensing requirements. Administrators should test CAE revocation events after the migration to confirm that the new Outlook is receiving real-time signals correctly.