Implement Entra ID Conditional Access step-up and continuous access evaluation (CAE) in an API protected by Microsoft identity platform

Verified steps

1. Register the API in Entra ID and enable CAE opt-in by declaring the xms_cc claim requirement in the app registration manifest or via the Microsoft Authentication Library (MSAL) CAE capability declaration
2. Configure the API to validate access tokens and handle CAE-specific claims: check for the xms_cc claim indicating the token was issued to a CAE-capable client; check xms_ssm (session management) and xms_rl (revocation list) claims when present
3. Implement the claims challenge response: when Entra revokes a session event (e.g. password change, location policy change), the token introspection will signal this; return HTTP 401 with a WWW-Authenticate: Bearer realm="", authorization_uri="...", error="insufficient_claims", claims=<base64-encoded-claims-challenge> header
4. The MSAL-enabled client parses the claims challenge, re-authenticates with the claims parameter appended to the authorization request, and obtains a new access token satisfying the challenged claims
5. For Conditional Access step-up, configure CA policies in Entra that require MFA or compliant device for specific app scopes; when a user accesses a protected endpoint without the required CA policy satisfied, return the appropriate claims challenge
6. Test CAE behavior by revoking a user session in Entra Admin Center and verifying that API calls with the revoked token are rejected within the CAE propagation window (typically under 15 minutes)