{"id":71811,"date":"2025-08-12T06:39:05","date_gmt":"2025-08-12T14:39:05","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=71811"},"modified":"2025-11-20T07:20:53","modified_gmt":"2025-11-20T15:20:53","slug":"real-time-security-with-continuous-access-evaluation-cae-comes-to-azure-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/real-time-security-with-continuous-access-evaluation-cae-comes-to-azure-devops\/","title":{"rendered":"Real-Time Security with Continuous Access Evaluation (CAE) comes to Azure DevOps"},"content":{"rendered":"<blockquote>\n<p><strong>Update (Nov 20):<\/strong> Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by mid-December.<\/p>\n<\/blockquote>\n<p>We\u2019re thrilled to announce that <strong>Continuous Access Evaluation (CAE)<\/strong> is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to your development workflows.<\/p>\n<h2>\ud83d\udd10 What Is CAE?<\/h2>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-continuous-access-evaluation\">Continuous Access Evaluation (CAE)<\/a> is a feature from Microsoft Entra ID that enables <strong>near real-time enforcement of Conditional Access policies<\/strong>. Traditionally, Microsoft Entra access tokens in Azure DevOps are valid for up to an hour, meaning that even after a user\u2019s account is disabled or a password is changed, access may persist until the token expires. CAE changes that.<\/p>\n<p>With CAE, Azure DevOps can <strong>revoke access quickly<\/strong> after critical events occur, such as:<\/p>\n<ul>\n<li>User deletion or disablement <\/li>\n<li>Password changes or resets <\/li>\n<li>Admin-triggered token revocations <\/li>\n<li>Multi-factor Authentication enablement <\/li>\n<li>IP\/location changes<\/li>\n<\/ul>\n<p>This is achieved through a two-way conversation between Entra and Azure DevOps, allowing for access-time policy enforcement rather than relying solely on enforcement at time of token issuance. Real-time enforcement means that compromised accounts or policy violations are addressed as soon as we learn of the event, reducing exposure windows and improving incident response. (See <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-continuous-access-evaluation\" target=\"_blank\">Microsoft Entra documentation<\/a> for any expected considerations and latency per critical event.)<\/p>\n<p>These changes are now rolling out across the Azure DevOps web platform and ought to be available by end of August.<\/p>\n<h2>\ud83e\uddea What\u2019s Changing for Developers?<\/h2>\n<p>If you\u2019re using our latest <a href=\"https:\/\/www.nuget.org\/packages\/Microsoft.TeamFoundationServer.Client\/20.259.0-preview\">.NET client library<\/a>, you\u2019ll need to <strong>handle CAE rejections gracefully<\/strong>. When a token is rejected, the client will receive a 401 Unauthorized response with a <strong>claims challenge<\/strong>. Your app must extract the challenge, fetch a new token, and retry the request. CAE is expected to arrive in our Python and Go client libraries by the end of 2025.<\/p>\n<p>Learn more about <a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/claims-challenge?tabs=dotnet\">claims challenges<\/a> in the Entra documentation. We&#8217;ll also update this blog shortly with code samples for our latest .NET client library.<\/p>\n<p>Let us know what you think about this new CAE support in the comments below!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update (Nov 20): Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by mid-December. We\u2019re thrilled to announce that Continuous Access Evaluation (CAE) is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to your development [&hellip;]<\/p>\n","protected":false},"author":43580,"featured_media":71812,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224],"tags":[],"class_list":["post-71811","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"acf":[],"blog_post_summary":"<p>Update (Nov 20): Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by mid-December. We\u2019re thrilled to announce that Continuous Access Evaluation (CAE) is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to your development [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/43580"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=71811"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71811\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/71812"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=71811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=71811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=71811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}