Merge pull request #178889 from lujiangfeng666/patch-20

PRMerger20 · web-flow · commit be59841c0712 · 2021-11-05T11:04:58.000-07:00
Update concept-conditional-access-session.md
diff --git a/articles/active-directory/conditional-access/concept-conditional-access-session.md b/articles/active-directory/conditional-access/concept-conditional-access-session.md
@@ -73,10 +73,10 @@ For more information, see the article [Configure authentication session manageme
 
 [Continuous access evaluation](concept-continuous-access-evaluation.md) is auto enabled as part of an organization's Conditional Access policies. For organizations who wish to disable or strictly enforce continuous access evaluation, this configuration is now an option within the session control within Conditional Access. Continuous access evaluation policies can be scoped to all users or specific users and groups. Admins can make the following selections while creating a new policy or while editing an existing Conditional Access policy.
 
-- **Disable** is accomplished when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy.
-- **Strict enforcement** means that any critical event and policy will be enforced in real time. All CAE-capable services always get CAE tokens, whatever the client or user might ask for or do. There are two scenarios where CAE won't come into play when strict enforcement mode is turned on:
-   - Non-CAE capable clients shouldn't get a regular token for CAE-capable services.
-   - Reject when IP seen by resource provider isn't in the allowed range.
+- **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups.
+- **Strict enforcement** can be used to further strengthen the security benefits from CAE. It will make sure that any critical event and policy will be enforced in real time.  There are two additional scenarios where CAE will enforce when strict enforcement mode is turned on:
+   - Non-CAE capable clients will not be allowed to access CAE-capable services.
+   - Access will be rejected when client's IP address seen by resource provider isn't in the Conditional Access's allowed range.
 
 > [!NOTE] 
 > You should only enable strict enforcement after you ensure that all the client applications support CAE and you have included all your IP addresses seen by Azure AD and the resource providers, like Exchange online and Azure Resource Mananger, in your location policy under Conditional Access. Otherwise, users in your tenants could be blocked.
