Authentication Contexts play a pivotal role in ensuring that highly sensitive tasks in Microsoft Entra can benefit from additional security and/or additional verification before being actioned. These core security principles are also applied to an elevation of privilege through PIM. In this tutorial, I will walk you through how to configure additional security for the PIM role activation task in Microsoft Entra.
Authentication Contexts and Conditional Access
Authentication Contexts and Conditional Access policies work hand in hand to apply additional protection and security requirements to specific tasks in Microsoft Entra. For example, to elevate permissions in PIM (Privileged Identity Management) we can apply an Authentication Context to the PIM role, then target that Authentication Context with a Conditional Access policy to enforce certain security controls. This could include requirements such as:
- Location by IP address
- Authentication Strengths (specific MFA methods)
- Device compliance
- Sign-in frequency
- Token protection
Creating a Conditional Access policy and Authentication Context
Create a new Conditional Access policy
It is recommended to create the new Conditional Access policy first, containing all your required security controls, and only then assign the Authentication Context. Doing it in this order avoids a window in which the role points at an Authentication Context that no policy enforces, leaving the action unprotected. Create a new Conditional Access policy by following the steps below:
- In Microsoft Entra, go to Protection > Conditional Access > Create new policy.
- Give your policy a name and assign All users.
- Under Access controls select Grant and enable your desired controls. I have selected Require authentication strength and Require device compliance.
- Enable your policy and click Create (at this point, your policy is not yet assigned to any resource).
Create a new Authentication Context
Follow the steps below to create a new Authentication Context and apply it to your Conditional Access policy.
- In Microsoft Entra, go to Protection > Conditional Access.
- Under Manage, select Authentication context > New authentication context.
- Define a name and check the box to publish to apps.
- Click Save.
- Head back to your Conditional Access policy to modify it.
- Select Target resources and choose Authentication context from the drop-down under Select what this policy applies to.
- Select your Authentication context and click Save.
Assigning an Authentication Context to a PIM role
By assigning an Authentication context to a PIM role you are able to target its activation with the security controls scoped to that Authentication context through Conditional Access. Follow the steps below to assign your Authentication context to your PIM role.
- In Microsoft Entra, go to Identity Governance > Privileged Identity Management.
- Under Manage, select Microsoft Entra Roles > Roles.
- Find your target role, in my case, I will select the Global Administrator role.
- Select Role settings, then click Edit.
- Next to On activation, require, select Microsoft Entra Conditional Access authentication context and select your authentication context from the drop-down list.
- Click Save.
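The same three configuration steps (publish the Authentication Context, create the Conditional Access policy that targets it, then switch the role's activation requirement to that context) can be done through Microsoft Graph. The script below is an added example written for this post, not code from the original article or from Microsoft; it uses Invoke-MgGraphRequest from the Microsoft Graph PowerShell SDK. Assumptions: the context id c1 is unused in your tenant, the display names are hypothetical, and the GUIDs are the well-known built-in values for the Global Administrator role template and the Phishing-resistant MFA authentication strength. The policy is created in report-only state so you can validate it in the sign-in logs before enforcing.

```powershell
# Added example (not from the original post): PIM activation step-up via Microsoft Graph.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
    'Application.Read.All', 'RoleManagementPolicy.ReadWrite.Directory'

$contextId      = 'c1'                                    # assumption: free context slot (c1..c99)
$globalAdminId  = '62e90394-69f5-4237-9190-012177145e10'  # built-in Global Administrator role template id
$phishResistant = '00000000-0000-0000-0000-000000000004'  # built-in "Phishing-resistant MFA" strength id

# 1. Publish the authentication context (isAvailable is "Publish to apps" in the portal).
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences/$contextId" `
    -Body @{
        displayName = 'PIM activation'                    # hypothetical name
        description = 'Step-up verification for PIM role activation'
        isAvailable = $true
    }

# 2. Create the Conditional Access policy that targets the context BEFORE the role references it.
#    operator = 'AND' is "Require all the selected controls": compliant device AND the strength.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body @{
        displayName = 'CA - PIM activation step-up'       # hypothetical name
        state       = 'enabledForReportingButNotEnforced' # check sign-in logs, then set to 'enabled'
        conditions  = @{
            users        = @{ includeUsers = @('All') }
            applications = @{ includeAuthenticationContextClassReferences = @($contextId) }
        }
        grantControls = @{
            operator               = 'AND'
            builtInControls        = @('compliantDevice')
            authenticationStrength = @{ id = $phishResistant }
        }
    }
"Created policy $($policy.id) in state $($policy.state)"

# 3. Locate the PIM role management policy bound to Global Administrator at tenant scope ('/').
$assignment = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminId'"
$policyId = $assignment.value[0].policyId
$rulesUri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$policyId/rules"

# The portal offers "Azure MFA" and "Conditional Access authentication context" as alternatives,
# so drop MultiFactorAuthentication from the activation rule before enabling the context rule.
$enablement = Invoke-MgGraphRequest -Method GET -Uri "$rulesUri/Enablement_EndUser_Assignment"
$keep = @($enablement.enabledRules | Where-Object { $_ -ne 'MultiFactorAuthentication' })
Invoke-MgGraphRequest -Method PATCH -Uri "$rulesUri/Enablement_EndUser_Assignment" -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    id            = 'Enablement_EndUser_Assignment'
    enabledRules  = $keep
    target        = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
}

# 4. "On activation, require Microsoft Entra Conditional Access authentication context".
Invoke-MgGraphRequest -Method PATCH -Uri "$rulesUri/AuthenticationContext_EndUser_Assignment" -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
    id            = 'AuthenticationContext_EndUser_Assignment'
    isEnabled     = $true
    claimValue    = $contextId
    target        = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
}
"Role policy $policyId now requires context $contextId on activation"
```

Run it as a user holding a role that can write Conditional Access and PIM policies (for example Global Administrator activated through PIM itself). Step 3 is where the ordering matters: the role setting is the last thing written, so at no point does an eligible user have a role whose activation requirement refers to a context with no policy behind it.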
Activating your PIM role
- In Microsoft Entra, go to Identity Governance > Privileged Identity Management.
- Select My roles.
- Under the Eligible assignments tab, select Activate next to your desired role.
- The request is first validated; the Activate option stays greyed out until the additional verification is complete, because the Conditional Access policy is being enforced.
Click on the warning banner and your page will be redirected to the Microsoft 365 authentication experience. Once successful, you will be redirected to continue with your role activation. Complete any remaining steps and your role will be activated.
Tidying up the loose ends
Enforcing additional security verification during PIM activation is useful to ensure rights are not activated during an account takeover, such as through token theft or physical device access. However, it still leaves some doors open while the privileged directory role is in use. Consider creating an accompanying Conditional Access policy that targets all directory roles to apply the same additional level of security.
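An accompanying policy of that kind can be built by targeting directory roles rather than an Authentication Context, so the same controls apply for as long as the activated role is held, not only at the moment of activation. The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes the same built-in Phishing-resistant MFA strength id as before, a hypothetical policy name, and that you fill in the object ids of your emergency-access accounts to exclude them; directory role template ids are what conditions.users.includeRoles expects.

```powershell
# Added example (not from the original post): step-up for any user holding a directory role.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
    'Application.Read.All', 'RoleManagement.Read.Directory'

$breakGlassIds = @()   # assumption: fill with the object ids of your emergency-access accounts

# Every built-in directory role template id; Conditional Access targets roles by template id.
$templates = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/directoryRoleTemplates'
$roleIds   = @($templates.value | ForEach-Object { $_.id })

$body = @{
    displayName = 'CA - All directory roles step-up'      # hypothetical name
    state       = 'enabledForReportingButNotEnforced'     # validate in sign-in logs, then 'enabled'
    conditions  = @{
        users = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlassIds                  # never lock out break-glass accounts
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'AND'                    # require ALL selected controls
        builtInControls        = @('compliantDevice')
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }  # Phishing-resistant MFA
    }
}

$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $body
"Policy $($policy.id) targets $($roleIds.Count) directory roles in state $($policy.state)"
```

Because the policy keys on role membership, it applies to permanently assigned role holders as well as to eligible users once their activation completes, which is the gap the activation-time policy alone leaves open. Leave it in report-only mode until the sign-in logs show only the expected interruptions, and keep the break-glass exclusion in place when you switch it to enabled.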