Continuous Access Evaluation is a security feature that blocks access to corporate resources in near real time when a user account is compromised. Instead of waiting for a token to expire, the system revokes access within minutes. This article explains how Continuous Access Evaluation works in the new Outlook for Windows and how it affects users of the classic Outlook desktop application. You will learn the technical differences, configuration requirements, and what to expect when your organization enables this feature.
Key Takeaways: Continuous Access Evaluation in Classic and New Outlook
- Azure AD Conditional Access > Session > Use Continuous Access Evaluation: Enables CAE for supported clients including the new Outlook.
- New Outlook (WebView2-based): Supports CAE natively and processes revocation events within minutes.
- Classic Outlook (MSI or C2R): Does not support CAE and relies on token lifetime policies and periodic token refresh.
What Continuous Access Evaluation Is and Why It Matters
Continuous Access Evaluation is a Conditional Access feature in Azure Active Directory. It allows identity and access management systems to enforce policy changes immediately after a user risk event. When a user account is disabled, a password is changed, or a device is marked as noncompliant, CAE sends a revocation signal to supported applications. The application then blocks access to corporate data without waiting for the access token to expire.
For Outlook users, this means that if an administrator revokes a user session, the new Outlook can stop syncing email, calendar, and contacts within minutes. Classic Outlook, however, does not process these signals. It continues to work with cached data until the token lifetime is reached or the user signs out manually.
CAE relies on two key protocols: OpenID Connect for token issuance and a separate event channel that uses a long-lived connection or periodic polling. The new Outlook, built on WebView2 and the Microsoft Authentication Library, supports these protocols fully. Classic Outlook uses older authentication libraries that do not implement the CAE event channel.
Prerequisites for Continuous Access Evaluation
Before CAE works with any Outlook client, your environment must meet these requirements:
- Azure AD Premium P1 or P2 licenses for all users
- Conditional Access policies configured with the session control for Continuous Access Evaluation
- Client applications that support the CAE protocol (new Outlook, Outlook for iOS/Android, Outlook on the web)
- Network connectivity to the CAE event endpoint at login.microsoftonline.com
How CAE Works in the New Outlook for Windows
The new Outlook for Windows is a web-based client that runs in a WebView2 container. It uses the Microsoft Authentication Library to acquire tokens and maintains a persistent connection to Azure AD for CAE events. When a risk event occurs, Azure AD sends a revocation notification to the client. The new Outlook then immediately invalidates its cached tokens and prompts the user to reauthenticate.
Here is the step-by-step process for enabling and verifying CAE in the new Outlook:
1. Sign in to the Azure portal. Go to portal.azure.com and navigate to Azure Active Directory > Security > Conditional Access.
2. Create or edit a Conditional Access policy. Select Policies and click New policy. Assign the policy to the target users, groups, or all users.
3. Configure the session control for CAE. Under Session, check Use Conditional Access App Control. Then select Use Continuous Access Evaluation and set the custom policy if needed.
4. Save the policy and test. Apply the policy to a test user. Sign in to the new Outlook with that account. Then disable the user account in Azure AD. Within 5 to 10 minutes, the new Outlook should display a sign-in prompt and block access to mail.
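After the portal steps above, a quick way to confirm which policies actually carry a CAE session control is to read them back through Microsoft Graph. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account has the Policy.Read.All permission, and that the SDK exposes the control as SessionControls.ContinuousAccessEvaluation.Mode (null when the control is not configured on a policy).

```powershell
# Added example (not from the original article): list Conditional Access policies
# and show whether each one configures a Continuous Access Evaluation session control.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the account can read CA policies.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    # Assumption: the CAE control is surfaced as SessionControls.ContinuousAccessEvaluation
    # with a Mode property; when the policy does not configure CAE the object is null.
    $cae = $p.SessionControls.ContinuousAccessEvaluation
    [pscustomobject]@{
        DisplayName = $p.DisplayName
        State       = $p.State      # enabled, disabled, enabledForReportingButNotEnforced
        CaeMode     = if ($cae) { $cae.Mode } else { "(not configured)" }
    }
}

$report | Sort-Object State, DisplayName | Format-Table -AutoSize

# Call out enabled policies that leave CAE at the tenant default, so the gap is visible
# before you start testing with a disabled account.
$report |
    Where-Object { $_.State -eq 'enabled' -and $_.CaeMode -eq '(not configured)' } |
    ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' is enabled but sets no CAE session control" }
```

Run it before and after saving the policy in step 3; the new or edited policy should move from "(not configured)" to an explicit mode.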
How Classic Outlook Handles Access Revocation
Classic Outlook does not support the CAE event channel. It uses the legacy authentication flow that relies on access token lifetimes and refresh token expiration. When a user account is disabled or a password is changed, classic Outlook continues to access the cached Exchange mailbox until one of these conditions is met:
- The access token expires (default lifetime is 60 to 90 minutes for most tenants)
- The refresh token expires (default lifetime is 14 days for non-persistent sessions)
- The user manually signs out or restarts Outlook
- The cached Exchange mode data is manually removed
This delay creates a security gap. An attacker who gains access to a user session can continue to read email and export data for up to 90 minutes before the token expires. Administrators can reduce this window by shortening token lifetimes using Azure AD token lifetime policies, but this increases the number of authentication requests and can affect performance.
Token Lifetime Policy Workaround for Classic Outlook
To reduce the revocation delay for classic Outlook, you can set a shorter access token lifetime. This is not a replacement for CAE but a partial mitigation.
1. Open Azure AD PowerShell or Microsoft Graph. Use the AzureAD module or the Graph API to create a token lifetime policy. The relevant policy setting is accessTokenLifetime.
2. Set the access token lifetime to 30 minutes. Example policy in PowerShell (the AzureAD cmdlet requires the policy type to be stated explicitly):

   ```powershell
   New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}') -DisplayName "OutlookTokenPolicy" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
   ```

3. Assign the policy to the classic Outlook application. Use Add-AzureADServicePrincipalPolicy to link the policy to the Office 365 service principal (app ID 00000002-0000-0ff1-ce00-000000000000).
4. Test the new lifetime. Sign in to classic Outlook, then check the token expiration using a tool like Fiddler or the Azure AD sign-in logs. Tokens should expire after 30 minutes.
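The four steps above, carried through as one idempotent script. This is an added example, not code from the original article or from Microsoft; it assumes the AzureAD PowerShell module is installed, that the signed-in account may manage policies, and that the Exchange Online service principal (the app ID quoted in step 3) exists in the tenant. Get-AzureADServicePrincipalPolicy is used for the read-back check.

```powershell
# Added example (not from the original article): create a 30-minute access token
# lifetime policy and attach it to the Office 365 Exchange Online service principal.
# Assumes the AzureAD module is installed and the account can manage policies.
Connect-AzureAD

$appId       = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online, from the article
$displayName = "OutlookTokenPolicy"

# The definition is a JSON document; AccessTokenLifetime is expressed as hh:mm:ss.
$definition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}'

# Reuse an existing policy with this name rather than creating a duplicate on every run.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $displayName -and $_.Type -eq 'TokenLifetimePolicy' }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $displayName `
        -Type "TokenLifetimePolicy" -IsOrganizationDefault $false
}

# The policy is linked to the service principal object, so resolve the object ID from the app ID.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "Service principal for app ID $appId was not found in this tenant" }

# Link the policy only if it is not already attached.
$linked = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object { $_.Id -eq $policy.Id }
if (-not $linked) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Read back what is now attached to the service principal, including the JSON definition.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, @{ n = 'Definition'; e = { $_.Definition -join '' } } |
    Format-Table -AutoSize
```

Only tokens issued after the assignment carry the shorter lifetime, so when you move to step 4, sign out of classic Outlook and back in before timing the expiry.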
Common Misconceptions and Limitations
Will classic Outlook ever support CAE natively?
Microsoft has stated that classic Outlook is in maintenance mode and will not receive new security features like CAE. The company recommends migrating to the new Outlook for Windows. As of 2025, no update has added CAE support to classic Outlook.
Does CAE work with Outlook cached mode?
In the new Outlook, CAE works even when the client is online. The client maintains a persistent connection to Azure AD. In classic Outlook, cached mode does not affect CAE because the client does not implement the event channel at all.
Can I force sign-out for classic Outlook remotely?
You can use the Revoke-AzureADUserAllRefreshToken cmdlet in Azure AD PowerShell to invalidate all refresh tokens for a user. This forces classic Outlook to prompt for credentials on the next refresh cycle. However, the client may continue to use cached data for up to 30 minutes depending on the token lifetime.
New Outlook CAE vs Classic Outlook Token-Based Revocation
| Item | New Outlook (CAE) | Classic Outlook (Token-Based) |
|---|---|---|
| Revocation trigger | Azure AD sends a real-time event to the client | Token expiration or manual sign-out |
| Time to block access | 5 to 10 minutes after the risk event | 30 to 90 minutes depending on token lifetime |
| Network requirements | Persistent connection to login.microsoftonline.com | Standard HTTPS traffic for token refresh |
| User experience | Silent reauthentication prompt appears | No prompt until token expires |
| Configuration effort | Requires Conditional Access policy with CAE enabled | Requires token lifetime policy in Azure AD |
Continuous Access Evaluation provides a significant security improvement for organizations using the new Outlook for Windows. Classic Outlook users must rely on token lifetime policies and manual revocation commands to close the access gap. If your organization prioritizes rapid account revocation, migrating to the new Outlook is the recommended path. To verify that CAE is working, monitor the Azure AD sign-in logs for event ID 50096, which indicates that a CAE revocation was processed.
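The remote sign-out described under "Can I force sign-out for classic Outlook remotely?" and the sign-in log check for event ID 50096 in the closing paragraph fit together as one test harness: revoke, then measure how long the tenant took to block the client. The script below is an added example, not code from the original article or from Microsoft. It assumes the AzureAD module (for Revoke-AzureADUserAllRefreshToken, the cmdlet the article names) and the Microsoft.Graph.Reports module (for Get-MgAuditLogSignIn) are installed, that the account holds AuditLog.Read.All and Directory.Read.All, and that the signIns endpoint accepts a filter on status/errorCode; the 50096 value is taken from the article.

```powershell
# Added example (not from the original article): revoke a user's refresh tokens, then poll
# the sign-in logs for the CAE revocation code the article cites (50096) and report the lag.
# Assumes the AzureAD and Microsoft.Graph.Reports modules are installed; the filter on
# status/errorCode is an assumption about the signIns API.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $TimeoutMinutes = 20,   # how long to wait for a log entry before giving up
    [int] $PollSeconds    = 60    # sign-in logs are ingested with a delay, so poll slowly
)

Connect-AzureAD | Out-Null
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" | Out-Null

$user      = Get-AzureADUser -ObjectId $UserPrincipalName
$revokedAt = (Get-Date).ToUniversalTime()
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
Write-Host "Refresh tokens for $UserPrincipalName revoked at $($revokedAt.ToString('u'))"

# Look only at entries for this user, with the CAE revocation code, created after the revocation.
$since    = $revokedAt.ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter   = "userPrincipalName eq '$UserPrincipalName' and status/errorCode eq 50096 and createdDateTime ge $since"
$deadline = $revokedAt.AddMinutes($TimeoutMinutes)
$hit      = $null

while (-not $hit -and (Get-Date).ToUniversalTime() -lt $deadline) {
    $hit = Get-MgAuditLogSignIn -Filter $filter -All |
        Sort-Object CreatedDateTime |
        Select-Object -First 1
    if (-not $hit) { Start-Sleep -Seconds $PollSeconds }
}

if ($hit) {
    $lag = [math]::Round(($hit.CreatedDateTime.ToUniversalTime() - $revokedAt).TotalMinutes, 1)
    [pscustomobject]@{
        User           = $hit.UserPrincipalName
        App            = $hit.AppDisplayName
        Client         = $hit.ClientAppUsed
        ErrorCode      = $hit.Status.ErrorCode
        FailureReason  = $hit.Status.FailureReason
        MinutesToBlock = $lag
    }
} else {
    Write-Warning "No 50096 entry for $UserPrincipalName within $TimeoutMinutes minutes. A client without CAE support, such as classic Outlook, is only blocked when it next tries to refresh its token."
}
```

Run it against a test account signed in to the new Outlook and again with classic Outlook: the first should produce a MinutesToBlock figure in the range the article gives, the second should time out and only lose access at the next token refresh.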