Tuesday, June 17, 2025

Step-by-Step Guide: How to set up a Conditional Access reauthentication policy for PIM


Once a user has authenticated with Microsoft Entra ID, they remain signed in for as long as the session is valid, even if they close and reopen the browser. For sensitive tasks or high-risk operations, however, it is worth requiring reauthentication. Forcing a fresh sign-in adds a layer of protection: a stolen session cookie or a replayed token is no longer enough on its own, because the user must complete a new interactive sign-in (and whatever MFA the policy demands) before the protected action proceeds. It also makes it harder for an attacker who has captured one session to carry that access across services and devices and move laterally. It is not a substitute for strong MFA: an attacker who holds the credentials and can answer the MFA prompt can still reauthenticate, so this policy belongs alongside phishing-resistant MFA for privileged accounts.

A common example is a user elevating to a higher-privileged role through Microsoft Entra Privileged Identity Management (PIM). By tying the role activation to a Conditional Access authentication context, we can require users to reauthenticate before they gain privileged access, adding an important layer of security. In this blog post, I'll walk through how to configure this policy step by step.

High-Level Configuration Tasks

The following steps outline how to enforce reauthentication with Conditional Access and Privileged Identity Management (PIM):

  1. Create an Authentication Context in Conditional Access.
  2. Update the PIM role settings so that the relevant role requires that Authentication Context on activation.
  3. Create a Conditional Access policy that enforces reauthentication whenever that context is requested.

Step 1: Create an Authentication Context

An authentication context is a label (IDs c1 through c99) that stands for a particular authentication requirement, for example MFA, a compliant device, or a fresh sign-in. The label itself enforces nothing: PIM requests it on role activation, and a Conditional Access policy that targets the label decides what the user must do to satisfy it.

To create an Authentication Context:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access > Authentication context.
  3. Click + New authentication context.

4. In the creation pane, provide a Name and Description for the context, and tick Publish to policies. An unpublished context cannot be selected in PIM or in a Conditional Access policy.

5. Click Save to create the context.

Step 2: Update the PIM Role Settings

In this setup, the Security Administrator role is already managed through Privileged Identity Management (PIM). For more information on configuring PIM roles, refer to the official documentation:
🔗 Configure Microsoft Entra PIM

The next step is to associate the Authentication Context created above with the PIM role, so that the Conditional Access policy targeting that context is evaluated during role activation.

To update PIM with the Authentication Context:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity Governance > Privileged Identity Management > Microsoft Entra roles > Roles, and select the role you want to modify (in this example, Security Administrator).
  3. Click Settings.

4. In the Role settings pane, select Edit.

5. Under On activation, require, choose Microsoft Entra Conditional Access authentication context. This is a single choice, so it replaces the role's own Require multifactor authentication option; any MFA requirement now has to come from the Conditional Access policy that targets the context.

6. From the dropdown, select the Authentication Context you created earlier.

7. Click Update to save and apply the changes.

Step 3: Create a Conditional Access Policy to Enforce Reauthentication

The final step is to create a Conditional Access policy that forces reauthentication whenever a user activates a privileged role protected by the authentication context.

To create the Conditional Access policy:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access.
  3. Click + Create new policy.

4. In the policy creation pane:

o   Provide a meaningful name for the policy.

o   Under Users, select the users or groups this policy should apply to, and exclude your emergency access (break-glass) accounts as you would for any Conditional Access policy.

o   Under Target resources, choose Authentication context, and then select the context you created earlier.

5. Go to the Session section and set Sign-in frequency to Every time. This ensures that users are prompted to reauthenticate each time the context is requested, regardless of how recently they signed in. Every time only forces a new sign-in; to make that sign-in a strong one, also set a grant control on the same policy (Require multifactor authentication or an authentication strength), since the PIM role no longer enforces MFA itself once it uses an authentication context.

6. Enable the policy by toggling it On, then click Create to finalize it.

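The three steps above as one script, an added example that is not code from the original post, using the Microsoft Graph PowerShell SDK instead of the portal. It goes slightly beyond the walkthrough in two places: it removes the role's own MFA requirement from the PIM enablement rule (the portal does this implicitly when you pick the authentication context option), and it adds a Require multifactor authentication grant control to the policy so that the forced sign-in is an MFA sign-in. The context ID c1, the display names and the group name PIM-Eligible-Admins are assumptions; the Graph rule IDs AuthenticationContext_EndUser_Assignment and Enablement_EndUser_Assignment are the fixed names Graph uses.

```powershell
# Added example, not code from the original post. Modules: Microsoft.Graph.Authentication,
# Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups.
$ContextId      = 'c1'                                    # ASSUMED free; valid IDs are c1..c99
$ContextName    = 'PIM role activation - fresh sign-in'   # ASSUMED display name
$PolicyName     = 'CA - Reauthenticate on PIM activation' # ASSUMED display name
$TargetGroup    = 'PIM-Eligible-Admins'                   # ASSUMED group of users eligible for the role
$TargetRoleName = 'Security Administrator'                # the role used in the post

Connect-MgGraph -NoWelcome -Scopes @(
    'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All',
    'RoleManagement.Read.Directory', 'RoleManagementPolicy.ReadWrite.Directory', 'Group.Read.All'
)

# --- Step 1: authentication context. IsAvailable is the portal's "Publish to policies" box;
# without it the context cannot be selected in PIM or in a Conditional Access policy.
$ctxParams = @{
    Id          = $ContextId
    DisplayName = $ContextName
    Description = 'Fresh interactive sign-in required before a PIM role can be activated'
    IsAvailable = $true
}
$ctx = New-MgIdentityConditionalAccessAuthenticationContextClassReference @ctxParams

# --- Step 2: make the role's PIM policy request the context on activation.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$TargetRoleName'"
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$rulesUri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$($assignment.PolicyId)/rules"
$target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
             inheritableSettings = @(); enforcedSettings = @() }

Invoke-MgGraphRequest -Method PATCH -Uri "$rulesUri/AuthenticationContext_EndUser_Assignment" -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
    isEnabled     = $true
    claimValue    = $ctx.Id
    target        = $target
}

# "On activation, require" is a single choice: the context replaces the role's own MFA option,
# so drop MultiFactorAuthentication from the enablement rule and let the CA policy demand MFA.
$enablement = Invoke-MgGraphRequest -Method GET -Uri "$rulesUri/Enablement_EndUser_Assignment"
Invoke-MgGraphRequest -Method PATCH -Uri "$rulesUri/Enablement_EndUser_Assignment" -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @($enablement.enabledRules | Where-Object { $_ -ne 'MultiFactorAuthentication' })
    target        = $target
}

# --- Step 3: the Conditional Access policy. Sign-in frequency "every time" forces a new sign-in
# whenever the context is requested; the MFA grant control makes that sign-in a strong one.
$group = Get-MgGroup -Filter "displayName eq '$TargetGroup'"
$caBody = @{
    displayName = $PolicyName
    state       = 'enabled'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{
            includeGroups = @($group.Id)
            excludeUsers  = @()   # put your emergency access (break-glass) account object IDs here
        }
        applications   = @{ includeAuthenticationContextClassReferences = @($ctx.Id) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $caBody

# Read back what was created; the context, sign-in frequency and grant should match Step 3.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'AuthContext';     e = { $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -join ',' } },
        @{ n = 'SignInFrequency'; e = { $_.SessionControls.SignInFrequency.FrequencyInterval } },
        @{ n = 'Grant';           e = { $_.GrantControls.BuiltInControls -join ',' } }
```

The script is not idempotent: running it twice fails on the existing context ID and would create a second policy with the same name, so delete or rename first. Fill in excludeUsers with your break-glass accounts before enabling the policy in a production tenant, and run it first against a test tenant or a pilot group.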
Testing the Configuration

With all the required configuration in place, the next step is to test the Conditional Access reauthentication policy in action.

I signed in to the Azure portal using a user account that is eligible for the Security Administrator role.

Navigating to PIM > My roles > Eligible assignments, I located the Security Administrator role and clicked Activate.

At this stage, a message appears on the activation page:
“A Conditional Access policy is enabled and may require additional verification. Click to continue.”
No further action can be taken on this screen until this prompt is addressed, so I clicked the link as instructed.

As expected, I was prompted to reauthenticate, in line with the policy we configured.

After successfully reauthenticating, I was redirected back to the role activation page, where I could now enter the required justification and other details.

Clicking Activate completed the role activation successfully.

✅ This confirms that the Conditional Access policy enforcing reauthentication is working as intended for PIM role activation.
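As an added check that is not part of the original post: the sign-in logs show whether the activation actually requested the context and which policy handled it, which is more reliable than the prompt alone (a prompt can also come from an unrelated policy). This uses Get-MgAuditLogSignIn from the Microsoft Graph PowerShell SDK; the test account UPN, the policy name and the context ID are assumptions.

```powershell
# Added example, not from the original post: list the last hour of sign-ins for the test account
# where the reauthentication policy was applied, with the authentication context each carried.
# Needs AuditLog.Read.All and Directory.Read.All.
$Upn        = 'pim-tester@contoso.com'                 # ASSUMED test account
$PolicyName = 'CA - Reauthenticate on PIM activation'  # ASSUMED name given to the policy in Step 3
$ContextId  = 'c1'                                     # ASSUMED context ID from Step 1

Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"

$hits = foreach ($s in $signIns) {
    $applied = @($s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $PolicyName)
    if ($applied.Count -eq 0) { continue }
    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        App          = $s.AppDisplayName
        Interactive  = $s.IsInteractive                        # $true = the user was actually prompted
        PolicyResult = $applied[0].Result                      # 'success' = applied and satisfied
        SessionCtrls = $applied[0].EnforcedSessionControls -join ','
        ContextIds   = @($s.AuthenticationContextClassReferences | ForEach-Object Id) -join ','
        MfaMethod    = $s.MfaDetail.AuthMethod
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# A healthy result has at least one interactive sign-in whose ContextIds include $ContextId,
# PolicyResult 'success' and a sign-in frequency entry under SessionCtrls. No rows at all means
# the context was never requested, which usually points back at the PIM role setting in Step 2.
$ok = $hits | Where-Object { $_.Interactive -and (($_.ContextIds -split ',') -contains $ContextId) }
if (-not $ok) {
    Write-Warning "No interactive sign-in for $Upn carried authentication context $ContextId in the last hour."
}
```

Sign-in log entries can take a few minutes to appear, so allow a short delay after the activation before running this.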

This concludes the blog post. I hope it has given you a clear understanding of how to configure and enforce Conditional Access reauthentication for Privileged Identity Management roles using an Authentication Context.
