Menu
Modern Workplace Blog
  • Home
  • About: Kenneth van Surksum
  • Cookie Policy
Modern Workplace Blog
February 20, 2023February 20, 2023

Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management

Microsoft has extended the capabilities of Azure AD authentication context to Azure AD Privileged Identity Management (PIM). By doing this we can trigger a Conditional Access policy to be executed at the moment someone elevates their role using Azure AD PIM. This functionality is now in preview.

In June 2021 I already provided a first look at Azure AD Conditional Access authentication context, please read this article first if you want to know more about this functionality.

A first look at Azure AD Conditional Access authentication context
A first look at Azure AD Conditional Access authentication context

Up until now, we had the option to require MFA for elevation of a Azure AD when defined in PIM, and this has now been extended to modify this to “Azure AD Conditional Access authentication context”

In the example below, we modified the Global Administrator role so that the “Step up Authentication for PIM” authentication context is selected when elevating for this role.

Select Authentication Context for Azure AD Roles in PIM

Once this setting has been modified, we can create a Conditional Access policy which requires Step Up MFA using Authentication Strength for example. See the following article for more information about Authentication Strength.

Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength
Authentication Strength overview

So, let’s create a new Conditional Access policy which gets triggered when the Authentication Context is hit.

The first thing we have to do is to target the Conditional Access policy to “Authentication Context”, and select the “Step up Authentication for PIM”

Authentication Context action in the Assignments section of a Conditional Access Policy

Next we can select the Grant controls which are required to give access, in this example we require the “Admin MFA” authentication strength

Admin MFA authentication strength

Conclusion

Adding authentication context to Azure AD Priviliged Identity Management (PIM) is a welcome addition to further leverage the flexibility of Authentication Context.

In the example of this blogpost we used the Step up MFA as an example, but we can also use other Grant controls, like for example only allow elevation on a Compliant or Hybrid Azure AD joined Device.

Resources

Cloud apps, actions, and authentication context in Conditional Access policy – Azure Active Directory – Microsoft Entra | Microsoft Learn

Tweet
Follow me
Tweet #WPNinjasNL

Continue Reading

← Conditional Access public preview functionality reviewed (22H2) – Part 3: Granular control for external user types

1 thought on “Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management”

  1. Pingback: Intune Newsletter - 24th February 2023 - Andrew Taylor

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Founding member of:

Recent Posts

  • Speaking at the European SharePoint Conference (ESPC) about Microsoft Entra ID Conditional Access
  • Microsoft Intune Application Deployment Best Practices
  • Speaking at the Workplace Ninja Summit, September 27-29 2023
  • Speaking at the Cloud Identity Summit 2023, on September 7th 2023
  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management

Books

System Center 2012 Service Manager Unleashed
Amazon
System Center 2012 R2 Configuration Manager Unleashed: Supplement to System Center 2012 Configuration Manager
Amazon
System Center Configuration Manager Current Branch Unleashed
Amazon
Mastering Windows 7 Deployment
Amazon
System Center 2012 Configuration Manager (SCCM) Unleashed
Amazon

Archives

  • November 2023
  • September 2023
  • August 2023
  • February 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • November 2016
  • November 2015
  • June 2015
  • May 2015
  • November 2014
  • July 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • November 2013
  • August 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • November 2012
  • August 2012
  • July 2012
  • June 2012

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Categories

  • ABM (3)
  • Advanced Threat Protection (4)
  • Announcement (43)
  • Azure (3)
  • AzureAD (68)
  • Certification (2)
  • Cloud App Security (3)
  • Conditional Access (50)
  • Configuration Manager (24)
  • Entra Id (2)
  • Events (13)
  • Exchange Online (7)
  • Identity Protection (3)
  • Intune (19)
  • Licensing (2)
  • Microsoft Endpoint Manager (35)
  • Mobile Application Management (1)
  • Modern Workplace (68)
  • Office 365 (10)
  • Overview (10)
  • Power Platform (1)
  • PowerShell (2)
  • Presentations (8)
  • Privileged Identity Management (5)
  • Role Based Access Control (2)
  • Security (52)
  • Service Manager (4)
  • Speaking (25)
  • Troubleshooting (4)
  • Uncategorized (11)
  • Windows 10 (14)
  • Windows 11 (4)
  • Windows Update for Business (3)
  • WMUG.nl (16)
  • WPNinjasNL (31)

Tags

#AzureAD #community #conditionalaccess #ConfigMgr #IAM #Intune #m365 #MEM #MEMCM #microsoft365 #modernworkplace #office365 #security #webinar #wmug_nl ATP AzureAD Branding Community Conditional Access ConfigMgr ConfigMgr 2012 Configuration Manager Email EXO Identity Intune Licensing M365 MCAS Modern Workplace Office 365 OSD PIM Policy Sets Presentation RBAC roles Security Service Manager SSP System Center troubleshooting webinar Windows 10

Recent Comments

  • 14 dicas para evitar comprometer o e-mail comercial - Blog da Neotel Segurança Digital on Microsoft is making changes related to automatic email forwarding for ATP customers, here is what you need to know
  • The latest technology news Week 46-2023 - ivobeerens.nl on Microsoft Intune Application Deployment Best Practices
  • Naz on Microsoft Intune Application Deployment Best Practices
  • Bruno Manhães Siqueira on Microsoft Intune Application Deployment Best Practices
  • Intune Newsletter - 17th November 2023 - Andrew Taylor on Microsoft Intune Application Deployment Best Practices

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2023 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT