You recently switched from classic Outlook to the new Outlook for Windows and now need to locate the Continuous Access Evaluation setting. This security feature is part of Azure AD Conditional Access and was previously configured through classic Outlook’s account settings. In new Outlook, the setting is not visible in the user interface because it is controlled entirely by your organization’s Conditional Access policies. This article explains where the setting moved, how to verify it is active, and what to do if you cannot find it.
Key Takeaways: Finding Continuous Access Evaluation in New Outlook
- Azure AD Conditional Access > Session > Continuous Access Evaluation: This is where administrators enable CAE for your tenant; it is not a per-user Outlook toggle.
- New Outlook > File > Account > Account Settings > Security Info: Shows the token lifetime and refresh status, which reflects whether CAE is active.
- Windows Event Viewer > Applications and Services Logs > Microsoft > Office > Alerts: Logs CAE revocation events so you can confirm the feature is working.
What Changed Between Classic Outlook and New Outlook for Continuous Access Evaluation
Continuous Access Evaluation is a security feature in Azure Active Directory that enforces token revocation in near real-time. When a user’s access is revoked or a risk condition changes, CAE forces Outlook to reauthenticate within minutes instead of waiting for the token to expire. In classic Outlook, administrators could enable CAE through group policy or registry keys, and users could sometimes see CAE status in account diagnostics.
New Outlook for Windows uses a modern authentication stack built on top of the Microsoft Authentication Library. This stack handles CAE natively at the OS and app level. The CAE setting is no longer exposed in Outlook’s user interface because the feature is automatically enabled when your organization’s Conditional Access policy includes the session control for CAE. New Outlook respects the policy without requiring a separate toggle.
The change means that users who previously adjusted CAE settings in classic Outlook will not find a matching option in new Outlook. Instead, the feature is managed entirely through the Azure portal. This shift reduces configuration errors and ensures that CAE enforcement is consistent across all Microsoft 365 apps.
How to Verify Continuous Access Evaluation Is Active in New Outlook
Because the setting is not visible in new Outlook’s interface, you must verify CAE activity through account diagnostics and event logs. Use the following steps to confirm that CAE is working on your device.
- Open Account Diagnostics in New Outlook
In new Outlook, click File in the top-left corner. Click Account in the left pane. Under Account Settings, click Account Settings again. In the dialog that opens, click your email account and then click Change. Scroll down and click Security Info. - Check the Token Lifetime Value
In the Security Info section, look for the line labeled Token Lifetime. If CAE is active, the token lifetime shows a value of 24 hours or less. If CAE is not active, the token lifetime may show a longer duration such as 7 days. This is the most direct indicator of CAE status available to end users. - Check the Refresh Token Status
Below the token lifetime, look for the Refresh Token line. It should display Active with a recent timestamp. If the refresh token shows Expired or Revoked, CAE enforcement is likely working and has already revoked the session. - Test a Revocation Event
Ask your administrator to revoke your user session in the Azure portal. After revocation, switch to new Outlook and try to send an email. If CAE is active, Outlook will display a sign-in prompt within 5 to 10 minutes. If no prompt appears, CAE may not be enabled for your tenant. - Check Windows Event Logs for CAE Events
Open Event Viewer. Navigate to Applications and Services Logs > Microsoft > Office > Alerts. Look for events with Event ID 1000 and source ADAL or MSAL. These events log token revocation and CAE enforcement actions.
If You Cannot Confirm CAE Is Working in New Outlook
New Outlook shows a long token lifetime of 7 days or more
A token lifetime longer than 24 hours indicates that CAE is not enforced for your account. Contact your IT administrator to verify that the Conditional Access policy includes the session control for Continuous Access Evaluation. The administrator must set the policy to Enabled for all users or for a test group that includes your account. After the policy is applied, sign out of new Outlook and sign back in. Check the Security Info dialog again to confirm the token lifetime has shortened.
New Outlook does not prompt for reauthentication after a revocation
If your administrator revoked your session but new Outlook continues to work without a sign-in prompt, the CAE policy may not be applied correctly. Open new Outlook, click File > Account > Account Settings > Account Settings > Change > Security Info. Look for the Token Lifetime value. If it still shows a long duration, CAE is not active. Ask your administrator to run the CAE validation script available in the Microsoft 365 admin center under Health > Advisor. This script checks whether your tenant meets the prerequisites for CAE, including supported client versions and network configurations.
You see a CAE-related error message when signing in
If you see an error that says Continuous Access Evaluation failed or Token revocation failed, the issue is usually caused by a network proxy or firewall that blocks the CAE endpoints. New Outlook uses the following URLs for CAE: login.microsoftonline.com, login.windows.net, and login.live.com. Your network must allow HTTPS traffic to these endpoints on port 443. Additionally, the device must be able to reach the Token Revocation endpoint at login.microsoftonline.com/common/oauth2/v2.0/token. Work with your network team to unblock these URLs. After the network change, restart new Outlook and test again.
Classic Outlook vs New Outlook: CAE Configuration and Verification
| Item | Classic Outlook | New Outlook |
|---|---|---|
| CAE setting location | Group Policy or registry key (EnableContinuousAccessEvaluation) | Not exposed in UI; controlled by Azure AD Conditional Access policy |
| User verification method | File > Office Account > Account Privacy > Manage Settings > CAE status | File > Account > Account Settings > Change > Security Info > Token Lifetime |
| Token lifetime with CAE | 24 hours | 24 hours |
| Revocation enforcement | Depends on registry key and Outlook version | Automatic when CAE policy is enabled |
| Event log location | Applications and Services Logs > Microsoft > Office > Alerts | Same location |
After switching to new Outlook, you no longer manage CAE through Outlook settings. The feature is now a tenant-level policy enforced by Azure Active Directory. To verify CAE is active, check the Token Lifetime in the Security Info dialog. If the value is 24 hours or less, CAE is working. If you need to test enforcement, ask your administrator to revoke your session and watch for a sign-in prompt in new Outlook. For advanced troubleshooting, use the Event Viewer to confirm CAE revocation events are being logged.