Authentication Context + Conditional Access + PIM

Description

So we now have a new feature that`s awesome!
Have a look at Authentication Context within Azure AD Conditional Access.

What we can do with this is to force difference authentication methods for certain applications based on Conditional Access or we can use this to be able to force for example a FIDO2 authentication when using Privileged Authentication Management for elevating ourself for a role. That role can be within Azure AD or Azure RBAC for that matter.

Setup of Authentication Context + Conditional Access + PIM

Pre-req for this to work is that your tenant is already setup and ready for using FIDO2 as a strong authentication method.

Create a new Authentication context

So the first thing we need to do is to create a Authentication Context. We do that by heading into Azure AD -> Security -> Conditional Access -> Authentication Context and click on “New authentication context”

Add a new Authentication context in your environment

When that`s done – let`s setup the Conditional Access rule that`s going to enforce the FIDO2 for end-users.

Create a new Conditional Access policy

Let`s go to “Policies -> New policy”

  • Give it a name for example: “C2 – Auth Context require FIDO2”
  • Scope it for “All users”
  • Cloud apps or actions -> Set this to “Authentication context” and then choose the context that you created (in my case: Require FIDO).
  • Grant -> here we setup the usage of “Require authentication strengt” and choose “Phising-resistant MFA”
  • Save it!
Setup of Autnentication context in Conditional Access

Setup a PIM role to use Authentication Context

Head into PIM and navigate to “Azure Resources” and go into one of your subscriptions.

Azure Resources in Privileged Identity Management

Next click on “Manage -> Settings” then find a RBAC role you want to make more secure. In my case i use thos for the Owner or User Access Administrator roles. When heading into the selected role click on “Edit” and change the “On activation, require” setting to match your Authentication Context that we created earlier and click update.

Add a Authentication context to activation of this role

End user feeling

So when a end-user want`s to elevate to Owner for a subscription that is protected by a Authentication strength this is how it looks in Privileged Identity Management

He will be prompted to do an extra verification

And for me who has FIDO2 enabled and setup on my user it will prompt me to use Windows Hello or Security key to verify my account

When you have verified your account you can go on and activate the role that you want.

Conclution

When using Authentication Context together with Conditional Access and Phishing resistant MFA it gives admins and owners better segregation and control over privileged roles on their subscription. Here we can use this to require FIDO2 for all roles that can do changes, but maybe just use regular number matching for all other roles like “Reader” or something like that.

PS: Authentication strength is a Preview feature at the moment (08.03.2023) and so is also using Azure AD Conditional Access authentication context (Preview) in Privileged Identity Protection.