How to Apply Conditional Access to PIM Activation in Microsoft Entra

Authentication Contexts play a pivotal role in ensuring that highly sensitive tasks in Microsoft Entra can benefit from additional security and/or additional verification before being actioned. These core security principles are also applied to an elevation of privilege through PIM. In this tutorial, I will walk you through how to configure additional security for the PIM role activation task in Microsoft Entra.

Authentication Contexts and Conditional Access

Authentication Contexts and Conditional Access policies work hand in hand to apply additional protection and security requirements to specific tasks in Microsoft Entra. For example, to elevate permissions in PIM (Privileged Identity Management) we can apply an Authentication Context to the PIM role, then target that Authentication Context with a Conditional Access policy to enforce certain security controls. This could include requirements such as:

  • Location by IP address
  • Authentication Strengths (specific MFA methods)
  • Device compliance
  • Sign-in frequency
  • Token protection

Resource protection with Authentication Context and Conditional Access

Creating a Conditional Access policy and Authentication Context

Create a new Conditional Access policy

It is recommended to create a new Conditional Access policy first that contains all your required security controls, and only then assign the Authentication Context. This avoids a configuration window in which the PIM activation is bound to an Authentication Context that no policy protects. Create a new Conditional Access policy by following the below steps:

  1. In Microsoft Entra, go to Protection > Conditional Access > Create new policy.
  2. Give your policy a name and assign All users.
  3. Under Access controls select Grant and enable your desired controls. I have selected Require authentication strength and Require device compliance.
  4. Enable your policy and click Create (at this point, your policy is not assigned to any resource).

Create a new Authentication Context

Follow the below steps to create a new Authentication Context and apply it to your Conditional Access policy.

  1. In Microsoft Entra, go to Protection > Conditional Access.
  2. Under Manage, select Authentication context > New authentication context.
  3. Define a name and check the box to publish to apps.
  4. Click Save.
  5. Head back to your Conditional Access policy to modify it.
  6. Select Target resources and select Authentication context from the dropdown under what this policy applies to.
  7. Select your Authentication context and click Save.

Assign Authentication Context to a Conditional Access policy

Assigning an Authentication Context to a PIM role

By assigning an Authentication context to a PIM role you are able to target its activation with the security controls scoped to the Authentication context through Conditional Access. Follow the below steps to assign your Authentication context to your PIM role.

  1. In Microsoft Entra, go to Identity Governance > Privileged Identity Management.
  2. Under Manage, select Microsoft Entra Roles > Roles.
  3. Find your target role; in my case, I will select the Global Administrator role.
  4. Select Role settings, then click Edit.
  5. Next to On action, require, select Microsoft Entra Conditional Access authentication context and select your authentication context from the drop-down list.
  6. Click Save.

Conditional Access Authentication Context for PIM
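The three procedures above (policy, Authentication Context, PIM role binding) carried out with the Microsoft Graph PowerShell SDK, as an added example that is not code from the original post. It assumes the Microsoft.Graph modules are installed, that c1 is a free Authentication Context ID in your tenant, that the built-in Phishing-resistant MFA strength is the one you want (the post does not say which strength it used), and that the Global Administrator role template ID is 62e90394-69f5-4237-9190-012177145e10.

```powershell
# Added example; not code from the original post. Assumes the Microsoft Graph PowerShell SDK
# and an account allowed to write Conditional Access and PIM role policies.
Connect-MgGraph -Scopes @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                          "RoleManagementPolicy.ReadWrite.Directory")

# 1. Authentication Context. IDs are c1..c99; pick one that is unused in your tenant.
$ctx = New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id "c1" -DisplayName "PIM role activation" -IsAvailable

# 2. Conditional Access policy targeting that context, created in report-only mode.
#    Switch state to "enabled" once the sign-in logs show the expected results.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq "Phishing-resistant MFA"        # built-in strength (assumed choice)
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "PIM activation - phishing-resistant MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }   # add excludeUsers for your emergency-access accounts
        applications = @{ includeAuthenticationContextClassReferences = @($ctx.Id) }
    }
    grantControls = @{
        operator               = "AND"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $strength.Id }
    }
}

# 3. Bind the context to the Global Administrator PIM role settings. Done last, so the
#    role is never pointed at a context that has no policy behind it.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template id
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$gaTemplateId'").PolicyId

# "Require MFA on activation" and the authentication context are mutually exclusive on this
# role, so drop MultiFactorAuthentication from the enablement rule before enabling the context.
$enablement = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment"
$keep = @($enablement.AdditionalProperties.enabledRules) | Where-Object { $_ -ne "MultiFactorAuthentication" }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules  = @($keep)
    }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "AuthenticationContext_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
        isEnabled     = $true
        claimValue    = $ctx.Id
    }
```

Check the result in the portal under the role's Role settings, where On action, require should now show your authentication context, and review the report-only results in the sign-in logs before switching the policy to enabled.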

Activating your PIM role

To activate a PIM role the user must have access to the PIM blade in either the Azure Portal or the Microsoft Entra admin center. To activate a PIM role from Microsoft Entra, follow the below steps:

  1. In Microsoft Entra, go to Identity Governance > Privileged Identity Management.
  2. Select My roles.
  3. Under the Eligible assignments tab, select Activate next to your desired role.
  4. The request will first be validated; the option to Activate will be greyed out until the additional verification is complete. This verification is being enforced by the Conditional Access policy.

Additional verification for PIM role activation

Click on the warning banner and your page will be redirected to the Microsoft 365 authentication experience. Once the verification succeeds, you will be redirected to continue with your role activation. Complete any final steps and your role will be activated.

Successful PIM role activation

Tidying up the loose ends

Enforcing additional security verification during PIM activation helps ensure rights are not activated during an account takeover, such as through token theft or physical device access, but it still leaves some doors open while the privileged directory role is active. Consider creating an accompanying Conditional Access policy that targets all directory roles to apply the same additional level of security.
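The accompanying policy suggested above, as an added example that is not code from the original post. It targets every built-in directory role template (the Graph equivalent of selecting all directory roles in the portal) and assumes the same grant controls as the activation policy, with Phishing-resistant MFA as the assumed authentication strength.

```powershell
# Added example; not code from the original post. Assumes the Microsoft Graph PowerShell SDK
# and an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess and
# RoleManagement.Read.Directory scopes.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq "Phishing-resistant MFA"      # built-in strength (assumed choice)

# Every built-in directory role template, so the policy follows the role rather than the user.
$roleTemplateIds = (Get-MgDirectoryRoleTemplate -All).Id

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "All directory roles - phishing-resistant MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"        # enable after reviewing sign-in logs
    conditions    = @{
        users        = @{ includeRoles = @($roleTemplateIds) } # add excludeUsers for emergency-access accounts
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "AND"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $strength.Id }
    }
}
```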

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
