Microsoft Entra ID

Step-by-Step Guide to Azure AD PIM and Conditional Access Integration (Public Preview)

In privilege identity management, we can enforce MFA verification during the activation process. When this setting is in place, eligible users should have valid MFA claims to proceed with the role activation. But now we can use conditional access policies with PIM role activation. This will allow us to enforce more advanced controls than MFA on role activation. As an example, before the user activates high sensitive role, we can check if the user device is marked as complaint and if the device is Azure AD join. In this blog post, I am going to demonstrate how we can integrate conditional access policy with Azure AD PIM. The high-level tasks for the activity are as follows,

• Create Azure AD Conditional Access authentication context
• Setup Azure AD Conditional Access policy and assign it to the authentication context
• Tag authentication context in Azure AD PIM role settings

Create Azure AD Conditional Access authentication context

Authentication context is used to secure data and actions in applications such as SharePoint, MDCA ( Microsoft Defender for Cloud Apps), and Azure AD PIM. It also can use with your own custom applications or LOB applications. It works as a bridge to connect applications and conditional access policies. After the authentication context is created, we can assign a conditional access policy to it. Then within the application, we can tag the authentication context to apply the policy settings attached to it.

To create an access authentication context,

1) Log in to Azure portal https://portal.azure.com

2) Go to Azure AD Conditional Access | Authentication context and click on + New authentication context

setup new authentication context

3) Then provide a name, and description for the authentication context. Make sure to select Publish to app option and that will allow using the authentication context in applications. Finally, click on Save to create the authentication context.

authentication context configuration

newly created authentication context

The next step of the configuration is to create an Azure AD conditional access policy.

Setup Azure AD Conditional Access policy and assign it to the authentication context

Now we have authentication context in place. Let’s go ahead and create Azure AD conditional access policy with relevant controls.

To do that,

1) Log in to Azure portal https://portal.azure.com

2) Go to Azure AD Conditional Access | Policies and click on + New policy

Creating new conditional access policy

3) In the policy configuration wizard, provide a name for the policy to start.

4) Then click on Users and select the scope. In this demo, I am going to apply it to all users.

setting user assignment scope

5) The next step is to assign the policy to the authentication context. To do that click on Cloud apps or actions and then from the drop-down select Authentication context

select authentication context as the action

6) This will list down the authentication context we created under the previous section. Select it from the list.

select authentication context as the target

7) Then under access controls click on Grant. In this demo, I am going to allow access if the device is marked as compliant and Azure AD Join. Select the relevant controls as listed below and click Select.

define conditional access access controls

8) Finally, change the policy mode to On and click on Create.

enable conditional access policy

In the next section let’s see how we can integrate the conditional access policy with Azure AD PIM.

Tag authentication context in Azure AD PIM role settings

Now we have the authentication context as well as the conditional access policy. The next step is to tag this authentication context in PIM role settings to enforce the new controls.

In my demo environment, I already have PIM role configured. More info about PIM role configuration is available at https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user

To change the PIM settings,

1) Log in to Azure portal https://portal.azure.com

2) Then go to Privileged Identity Management | Azure AD Roles

Azure AD PIM roles

3) In the next window click on Roles under the Manage section

available azure ad roles

4) From the list, click on the role you selected. In this demo, I am going to use the Conditional Access Administrator role.

selecting azure ad role

5) As we can see I already have an eligible assignment configured.

list eligible assignments

6) To change the settings click on the Role settings.

changing azure ad PIM role settings

7) Then to change the settings click on Edit

edit existing role settings

8) In there we can see the Azure AD Conditional Access authentication context (Preview) option under the activation settings. Click on that and then on the drop-down select the authentication context we created in the previous step.

tag conditional access authentication context

9) Finally, click on Update to apply the new changes.

This completes the configuration steps. The next step is to test this new configuration.

Testing

In my demo scenario, I want to make sure when an eligible user activates the role, he uses Azure AD joined compliant devices. For testing purposes, I am going to log in as an eligible user from a non-managed device and try to activate the role.

To do that,

1) I logged in to https://portal.azure.com as the test user

2) Then go to Privileged Identity Management | My roles

3) Under the roles select the relevant role and click on Activate

activating Azure AD PIM role

4) In the new window, now we can just directly go ahead and activate, there is a message in there saying “A Conditional Access policy is enabled and may require additional verification. Click to Continue”. To proceed please click on it.

conditional access policy checks during the role activation

5) As expected it issued an error saying the role only can activate from a managed device.

Azure AD PIM role activation failure

6) Also if I logged in from a managed device, now I can see the option to activate.

allowed role activation

As we can see before PIM role activation the conditional access controls in place is verified. This marks the end of this blog post, If you have any further questions, feel free to contact me at rebeladm@live.com.

Related posts
Microsoft Entra ID

Step-by-Step: Enabling MFA for Azure Administrative Portals via Microsoft Entra ID Conditional Access

As per the recent Microsoft Digital Defense Report 2023 (available at…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Microsoft Entra lifecycle workflows Part 02 - How to synchronize value for employeeHireDate attribute from on-premises Active Directory ?

In my previous blog post, I explained how we can automate JML (Joiners/Movers/Leavers) process by…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *