Introduction

Conditional Access is the heart of identity security in every Microsoft tenant. In my previous blog post I explained fundamental concepts and how to get started with it:

Conditional Access - The ultimate starter guide

Let's have a look at advanced scenarios with Conditional Access in this post! My ambition is to show powerful features that sometimes fly under the radar. I will explain, show configs and present a solution idea for each advanced CA scenario.

TL;DR

  • Authentication Strengths - Require certain methods for MFA (e.g. phishing-resistant only)
  • Authentication Context - Require additional authentication & authorization for admin actions
    • Protected Actions - Protect sensitive admin tenant tasks
    • Privileged Identity Management (PIM) - Just-in-time & just-enough access for admin roles
  • Compliant Device Signal - Rely on Intune trust signal and device security
  • Device Filters - Filter for device attributes
  • Identity Protection - Auto-detection of risk signals for sign-ins and users
  • Token Protection - Bind token to avoid token replay attacks
  • Continuous Access Evaluation (CAE) - Strictly enforce location changes
  • Session Control with Defender for Cloud Apps - Monitor and apply session policies with Defender integration

Authentication Strengths

Authentication Strengths empower admins to require specific MFA methods, such as passwordless or phishing-resistant ones. Use the built-in sets or create custom combinations and apply them as the "Grant" control in Conditional Access.

💡
Solution idea: Require phishing-resistant MFA for admins or standard users.

Authentication Context

Authentication Contexts are a trigger in Microsoft Entra for administrative tasks that are covered by Protected Actions, or for admin role elevation with PIM. These contexts trigger Conditional Access, which can then enforce specific authentication and session policies.

Protected Actions

Protected Actions are a set of pre-defined admin actions that currently cover:

  • Conditional Access policy management
  • Cross-tenant access settings management
  • Hard deletion of some directory objects
  • Custom rules that define network locations
  • Protected action management

When an admin tries to manipulate (create, change, delete) one of those aspects in Entra, it will trigger the CA policy.

Privileged Identity Management (PIM)

Microsoft Privileged Identity Management (PIM) is an Entra ID Premium Plan 2 feature to secure elevated rights, include approval processes and manage admin roles just-in-time and with just-enough access. Read my dedicated post:

Privileged Identity Management (PIM) concept + setup

Use PIM + Authentication Context to require certain conditions when an admin wants to activate a role.

💡
Solution idea: Activate an Authentication Context for Protected Actions and for privileged admin roles via PIM to enforce phishing-resistant MFA, a compliant device and re-authentication at every sign-in.
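The policy behind this solution idea, written with the Microsoft Graph PowerShell SDK as an added example (not code from the original post). It assumes an authentication context with ID c1 has already been created and published, and that c1 is referenced from the PIM role setting and the Protected Actions; the break-glass account ID is a placeholder. The policy is created in report-only mode first so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

# Built-in authentication strength "Phishing-resistant MFA" (well-known ID in every tenant)
$phishingResistantMfa = "00000000-0000-0000-0000-000000000004"
# Global Administrator role template ID (well-known); add further roles as needed
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder: object ID of your emergency access (break-glass) account
$breakGlassAccount = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "CA-Admin-AuthContext-c1-PhishingResistant-Compliant-Reauth"
    # Report-only first: evaluate impact in sign-in logs, then switch to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassAccount)
        }
        # Target the authentication context instead of cloud apps:
        # PIM activation and Protected Actions tagged with c1 trigger this policy
        applications = @{
            includeAuthenticationContextClassReferences = @("c1")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"           # all controls below are required
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
    sessionControls = @{
        # Re-authenticate (first and second factor) every time the context is requested
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
# Verify what was stored before enabling it
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id
```

Once the report-only results look right, set `state` to `enabled` via `Update-MgIdentityConditionalAccessPolicy`.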

Compliant Device Signal

Intune evaluates compliance for its managed endpoints. This signal can be interconnected with Defender for Endpoint and delivers the result to Conditional Access. Read more:

Intune compliance intro

💡
Solution idea: Leverage Intune compliance and Defender for Endpoint risk score in CA policies whenever possible!

Device Filters

Device Filters are a condition in Conditional Access that queries device attributes during the sign-in flow. Devices that match the filter criteria can be either included in or excluded from the policy.

💡
Solution idea: Depending on your policy requirements, it may be beneficial to use the device filter condition. Attributes like Trust Signals, Compliance state, or ExtensionAttributes can be especially useful.
This enables new Conditional Access logic that complements the traditional grant and require settings. For example, allowing you to explicitly block all access except for devices that match specific filter criteria.
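The "block everything except matching devices" logic described above, as an added Microsoft Graph PowerShell example (not code from the original post). It assumes privileged workstations are tagged with extensionAttribute1 set to "PAW" (a constructed value) and that the break-glass account ID is replaced with yours; a device filter in exclude mode means only devices matching the rule escape the block.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

# Global Administrator role template ID (well-known); scope to the roles you need
$globalAdminRole   = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder: object ID of your emergency access (break-glass) account
$breakGlassAccount = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Device filter rule syntax: Entra-joined, compliant and tagged via extensionAttribute1.
# "PAW" is a constructed tag; use whatever your provisioning process sets.
$trustedDeviceRule = 'device.trustType -eq "AzureAD" -and device.isCompliant -eq True -and device.extensionAttribute1 -eq "PAW"'

$policy = @{
    displayName = "CA-Admin-Block-All-Except-Tagged-PAW"
    # Report-only first: a mistake in the filter rule would otherwise lock admins out
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassAccount)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                mode = "exclude"            # devices matching the rule are NOT blocked
                rule = $trustedDeviceRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")     # everything else is blocked
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
# Check the stored filter rule: a typo here blocks the devices you meant to allow
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Devices.DeviceFilter
```

Review the report-only results in the sign-in logs (Conditional Access tab) to confirm the tagged devices are evaluated as "Not applied" before switching the state to `enabled`.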

Identity Protection

Identity Protection uses machine learning to detect anomalies in user behavior. It labels users and sign-ins with a risk level, and that risk level can be used in Conditional Access to apply Grant or Session controls.

Token Protection

New: Token Protection is now an Entra ID Plan 1 feature; previously it was only available in Entra ID Plan 2. The feature is still in preview.

Token Protection, also known as Token Binding, ensures that an access token can only be used by the originally authenticated client. This prevents token replay attacks from other devices if the token is stolen. In Conditional Access, Token Protection is used as a session control to strengthen session security.

💡
Solution idea: Enable this feature for supported applications, if possible.

Continuous Access Evaluation (CAE)

Continuous Access Evaluation allows real-time enforcement of critical policy changes, such as user disablement or token revocation, without waiting for the token lifetime to expire. It leverages event-based signals from Microsoft Entra, such as password changes or risk detections, to revoke access instantly. CAE is enabled by default, but it can be tightened in Conditional Access so that location changes are enforced strictly.

💡
Solution idea: Enable strict enforcement only if needed, and otherwise rely on Microsoft's default CAE behavior to assure real-time enforcement of critical user events.

Session Control with Defender for Cloud Apps

Microsoft Defender for Cloud Apps (MDCA) extends Conditional Access by enabling app-specific session policies in real time. These allow granular controls like blocking downloads, copy/paste, printing, or enforcing step-up authentication. Read my full blog post:

Overview: Session policies with Conditional Access App Control and Defender for Cloud Apps

💡
Solution idea: MDCA is ideal for protecting sensitive data in applications with elevated data exposure risks.
However, since this feature has remained in public preview for an extended period, thorough testing and validation in your environment is strongly recommended.
