access not constrained at runtime. Continuous Access Evaluation (CAE), deployed by Microsoft beginning in 2021, provides near-real-time revocation signaling for a defined set of triggers: account disable, password reset, high-risk sign-in detection from Identity Protection, and explicit token revocation. It does not cover all revocation events, and it does not cover all resource providers: coverage depends on the resource implementing the CAE protocol. For resources outside CAE scope, for revocation events CAE does not surface, and for environments without enforced sign-in frequency policies, the access decision remains a function of token age. Conditional Access sign-in frequency policies can enforce re-authentication intervals, but they operate at the session level, not at each resource access event. These are supplementary controls layered on top of an unchanged core validation loop.
The system is operating as designed. The design assumes policy, entitlement, and device state remain stable across a token's lifetime. That assumption held in environments where authentication events were bounded by physical sessions and on-premises network boundaries. It did not hold as session lifetimes extended across distributed infrastructure, remote access patterns, and automated workloads. The token expiration clock defines the access window. Entitlement changes that occur within that window are not reflected until the token expires and a new one is issued - or until an administrator intervenes. The system does not revoke access. It allows access to age out.
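The two validation models described above, as an added example that is not part of the original article and not Microsoft's implementation of CAE. It mints a constructed HS256-style token, then runs the same token through a validator that checks only the signature and `exp` (the unchanged core loop) and through one that also consults a per-subject "last entitlement-changing event" watermark, the kind of signal a CAE-style integration surfaces. The subject name, timestamps, key and the `RevocationWatermarks` store are all constructed for illustration.

```python
"""
Why access 'ages out' instead of being revoked when a resource validates only
token expiry. Compares an exp-only validator with one that also rejects tokens
issued before the subject's last entitlement-changing event.
All names, times and the signing key are constructed for this demonstration.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

SECRET = b"constructed-demo-key"  # constructed; never use a static key like this


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, iat: int, lifetime: int = 3600) -> str:
    """Mint a minimal header.payload.signature token carrying sub, iat and exp."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": iat, "exp": iat + lifetime}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def _verify_and_decode(token: str) -> Optional[dict]:
    """Return the claims if the HMAC signature is valid, else None."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    expected = _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(payload))


def validate_expiry_only(token: str, now: int) -> bool:
    """The unchanged core loop: signature plus exp. No revocation state is consulted,
    so an entitlement change after issuance is invisible until exp passes."""
    claims = _verify_and_decode(token)
    return claims is not None and now < claims["exp"]


@dataclass
class RevocationWatermarks:
    """Per-subject timestamp of the last entitlement-changing event
    (disable, password reset, explicit revoke). Constructed signal store."""
    last_event: Dict[str, int] = field(default_factory=dict)

    def record(self, sub: str, at: int) -> None:
        self.last_event[sub] = max(at, self.last_event.get(sub, 0))


def validate_with_watermark(token: str, now: int, wm: RevocationWatermarks) -> bool:
    """Expiry check plus a runtime entitlement check: any token issued at or before
    the subject's last entitlement-changing event is rejected, regardless of exp."""
    claims = _verify_and_decode(token)
    if claims is None or now >= claims["exp"]:
        return False
    # Strict '>' so a token minted in the same second as the event is treated as stale.
    return claims["iat"] > wm.last_event.get(claims["sub"], 0)


def demo() -> Dict[str, bool]:
    """Constructed timeline: issue at T0, admin disables the account 10 minutes later,
    resource receives the token 30 minutes after issuance, well inside its 1h lifetime."""
    T0 = 1_700_000_000
    T_REVOKE = T0 + 600
    T_CHECK = T0 + 1800
    sub = "alice@example.test"  # constructed subject
    tok = issue_token(sub, T0)
    wm = RevocationWatermarks()
    wm.record(sub, T_REVOKE)
    return {
        "expiry_only_accepts": validate_expiry_only(tok, T_CHECK),   # True: still inside exp
        "watermark_accepts": validate_with_watermark(tok, T_CHECK, wm),  # False: issued before revoke
        "aged_out": validate_expiry_only(tok, T0 + 3600),              # False: only now does exp-only deny
    }


if __name__ == "__main__":
    print(demo())
```

The `aged_out` result is the point of the passage: the exp-only validator denies the disabled account only once the clock reaches `exp`, a full 50 minutes after the administrator acted. The watermark validator denies at the first resource access after the event, but only for resources that actually consult the signal, which mirrors the coverage caveat above: a resource that has not integrated the check keeps running the exp-only loop.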