{"id":71811,"date":"2025-08-12T06:39:05","date_gmt":"2025-08-12T14:39:05","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=71811"},"modified":"2026-04-28T12:29:19","modified_gmt":"2026-04-28T20:29:19","slug":"real-time-security-with-continuous-access-evaluation-cae-comes-to-azure-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/real-time-security-with-continuous-access-evaluation-cae-comes-to-azure-devops\/","title":{"rendered":"Real-Time Security with Continuous Access Evaluation (CAE) comes to Azure DevOps"},"content":{"rendered":"<blockquote>\n<p><strong>Update (April 17, 2026):<\/strong> Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by May 2026.<\/p>\n<\/blockquote>\n<p>We\u2019re thrilled to announce that <strong>Continuous Access Evaluation (CAE)<\/strong> is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to your development workflows.<\/p>\n<h2>What Is CAE?<\/h2>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-continuous-access-evaluation\">Continuous Access Evaluation (CAE)<\/a> is a feature from Microsoft Entra ID that enables <strong>near real-time enforcement of Conditional Access policies<\/strong>. Traditionally, Microsoft Entra access tokens in Azure DevOps are valid for up to an hour, meaning that even after a user\u2019s account is disabled or a password is changed, access may persist until the token expires. CAE changes that.<\/p>\n<p>With CAE, Azure DevOps can <strong>revoke access quickly<\/strong> after critical events occur, such as:<\/p>\n<ul>\n<li>User deletion or disablement <\/li>\n<li>Password changes or resets <\/li>\n<li>Admin-triggered token revocations <\/li>\n<li>Multi-factor Authentication enablement <\/li>\n<li>IP\/location changes<\/li>\n<\/ul>\n<p>This is achieved through a two-way conversation between Entra and Azure DevOps, allowing for access-time policy enforcement rather than relying solely on enforcement at time of token issuance. Real-time enforcement means that compromised accounts or policy violations are addressed as soon as we learn of the event, reducing exposure windows and improving incident response. (See <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-continuous-access-evaluation\" target=\"_blank\">Microsoft Entra documentation<\/a> for any expected considerations and latency per critical event.)<\/p>\n<p>These changes are now rolling out across the Azure DevOps web platform and ought to be available by end of August.<\/p>\n<h2>VPN considerations for Azure DevOps and CAE<\/h2>\n<p>When using Azure DevOps with Continuous Access Evaluation (CAE), VPN configurations can affect how client IP addresses are observed. In particular, VPN split tunneling, dual IPv4\/IPv6 networking, or differing VPN egress paths can cause Microsoft Entra ID and Azure DevOps to see different client IP addresses for the same session.<\/p>\n<p>We\u2019ve seen cases where customers using a VPN expected all traffic to flow through a single corporate IP, but authentication to Microsoft Entra ID occurred outside the VPN while Azure DevOps traffic flowed through it (or vice versa). This resulted in apparent \u201clocation changes\u201d mid-session, even though the user experience appeared unchanged. When this occurs, <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/howto-continuous-access-evaluation-troubleshoot#ip-address-configuration\">CAE may issue a one-hour CAE token and temporarily ignore client location change events<\/a> to avoid repeated sign-in loops, while still enforcing other CAE signals. This behavior is expected and helps maintain sign-in stability in environments with legitimate IP variability.<\/p>\n<p>Alternatively, we&#8217;ve noticed some users may enable the VPN only to sign in. In this case, the user should remain connected to the VPN for the duration of the session.<\/p>\n<p>Administrators can investigate such scenarios using Entra sign-in logs and the CAE Insights workbook. They can reduce friction by configuring trusted named locations for known corporate VPN IP ranges. Learn more about these techniques for <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/howto-continuous-access-evaluation-troubleshoot\">monitoring and troubleshooting continuous access evaluation<\/a> issues in the Entra docs.<\/p>\n<p>If you encounter unexpected behavior related to CAE, you should first review and validate your system&#8217;s VPN and IP address configurations. These configurations should then be accounted for in Microsoft Entra Conditional Access and named location setups.<\/p>\n<h2>What\u2019s Changing for Developers?<\/h2>\n<p>If you\u2019re using our latest <a href=\"https:\/\/www.nuget.org\/packages\/Microsoft.TeamFoundationServer.Client\/20.259.0-preview\">.NET client library<\/a>, you\u2019ll need to <strong>handle CAE rejections gracefully<\/strong>. When a token is rejected, the client will receive a 401 Unauthorized response with a <strong>claims challenge<\/strong>. Your app must extract the challenge, fetch a new token, and retry the request. CAE is expected to arrive in our Python and Go client libraries by the end of 2025.<\/p>\n<p>Learn more about <a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/claims-challenge?tabs=dotnet\">claims challenges<\/a> in the Entra documentation. We&#8217;ll also update this blog shortly with code samples for our latest .NET client library.<\/p>\n<p>Let us know what you think about this new CAE support in the comments below!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update (April 17, 2026): Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by May 2026. We\u2019re thrilled to announce that Continuous Access Evaluation (CAE) is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to [&hellip;]<\/p>\n","protected":false},"author":43580,"featured_media":71812,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,1,251],"tags":[],"class_list":["post-71811","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-devops","category-security"],"acf":[],"blog_post_summary":"<p>Update (April 17, 2026): Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by May 2026. We\u2019re thrilled to announce that Continuous Access Evaluation (CAE) is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/43580"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=71811"}],"version-history":[{"count":2,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71811\/revisions"}],"predecessor-version":[{"id":72731,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71811\/revisions\/72731"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/71812"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=71811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=71811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=71811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}