In this blog post, I’ll provide a step by step guide on how to enforce admin reauthentication when elevating a role in Azure Privileged Identity Management (PIM) using a Conditional Access policy.
But why would you want an admin to reauthenticate?
Once an admin signs in to the Azure portal, they typically don’t need to authenticate again during that session. Sounds convenient, right? But here’s the problem. If an admin needs to access PIM to elevate their role, they can do so without reauthenticating, because they’re already signed in. This creates a potential security risk. If a bad actor gains access to an authenticated session, they could elevate the admin’s role and cause serious damage to your environment.
By enforcing reauthentication through Conditional Access, you add an extra layer of protection. The admin will be required to verify their identity again before they can elevate to a privileged role, helping to prevent unauthorised access and safeguard your platform.
In this blog post I will:
- Create an Authentication Context.
- Create a Conditional Access policy (including the Authentication Context) that prompts for reauthentication when an admin attempts to elevate a role in PIM.
- Associate the Authentication Context with a PIM role.
- Test the policy.
Task 1: Create an Authentication Context
Authentication context can be used to enhance the security of data and actions within applications. These applications might include your own custom apps, line of business (LOB) solutions, SharePoint, or services protected by Microsoft Defender for Cloud Apps.
For example, an organisation may store files in SharePoint sites, ranging from something simple like a lunch menu to something more sensitive like a secret BBQ sauce recipe. While everyone might have access to the lunch menu site, access to the secret BBQ sauce recipe site could require users to be on a managed device, use a FIDO2 security key, and accept specific terms of use. Authentication context can help enforce these policies.
Authentication context can also be applied in Privileged Identity Management (PIM). For instance, you might require administrators requesting high privilege roles, such as Global Administrator, to authenticate using a FIDO2 key, to connect only from a trusted location or a compliant device, and so on.
In this blog post, we’ll focus on a specific use case: prompting administrators to reauthenticate before an admin role is assigned to them via PIM.
Let’s go through the steps:
1. Access Entra ID via the Azure portal (portal.azure.com) or the Entra portal (entra.microsoft.com).
2. In the search bar, type conditional access and click Microsoft Entra Conditional Access.
3. From the left pane, click Authentication contexts.
4. Enter a name and description, then click Save.

Task 2: Create a conditional access policy and associate it with the newly created Authentication Context
1. Click Policies from the left pane, then + New policy.
   - Give your policy a suitable name.
   - Target the users/groups.
   - Click Target resources. From the drop-down (Select what this policy applies to), click Authentication context.
   - The authentication context I created earlier is visible for me to select.
   - Don’t save changes just yet; continue to step 2 below.
2. Scroll down and click Session.
   - Click Sign-in frequency.
   - Click Every time.
   - Click the Select button.
3. Switch the toggle to On and click Create.

Note: You may wish to leave the toggle in Report-only mode, which ensures the policy is not enforced but still provides you with audit logs of how it would have applied. Once you are satisfied that everything works as it should, enforce the policy by turning it on. Test with a group of pilot users first.
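Report-only results are written to the Entra sign-in logs, so before turning the policy on you can check that every sign-in that demanded the authentication context was (or would have been) caught by the policy. The following Python check is an added example, not part of the original post: the sign-in records, the policy name "PIM reauth" and the context id c1 are constructed placeholders, and the field names are those of the Microsoft Graph sign-in log entry.

```python
# Constructed sample records, shaped like Entra sign-in log entries (the Graph signIn resource)
# and trimmed to the fields this check reads. They are not data from a real tenant.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "darren@contoso.example", "createdDateTime": "2024-05-01T09:00:00Z",
     "authenticationContextClassReferences": [{"id": "c1", "detail": "required"}],
     "appliedConditionalAccessPolicies": [{"displayName": "PIM reauth", "result": "reportOnlySuccess",
                                           "enforcedSessionControls": ["signInFrequency"]}]},
    {"userPrincipalName": "darren@contoso.example", "createdDateTime": "2024-05-01T08:30:00Z",
     "authenticationContextClassReferences": [{"id": "c1", "detail": "required"}],
     "appliedConditionalAccessPolicies": [{"displayName": "PIM reauth", "result": "reportOnlyNotApplied",
                                           "enforcedSessionControls": []}]},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T09:10:00Z",
     "authenticationContextClassReferences": [{"id": "c1", "detail": "required"}],
     "appliedConditionalAccessPolicies": []},  # the policy was never evaluated for this sign-in
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T10:00:00Z",
     "authenticationContextClassReferences": [],  # ordinary portal login, no PIM activation
     "appliedConditionalAccessPolicies": [{"displayName": "PIM reauth", "result": "notApplied",
                                           "enforcedSessionControls": []}]},
]

# Results meaning the policy applied (enforced mode) or would have applied (report-only mode).
APPLIED = {"success", "reportOnlySuccess"}

def review_policy(signins, policy_name, ctx_id):
    """Summarise how `policy_name` evaluated on sign-ins that demanded authentication context `ctx_id`.
    Sign-ins that did not request the context are ignored. A sign-in where the context was required
    but the policy did not, or would not, apply is reported as a gap: that user is outside the
    policy's scope and should be investigated before the policy is switched from report-only to on."""
    summary = {"context_requested": 0, "policy_applied": 0,
               "sign_in_frequency_enforced": 0, "gaps": []}
    for s in signins:
        contexts = {c["id"]: c["detail"] for c in s.get("authenticationContextClassReferences", [])}
        if contexts.get(ctx_id) != "required":
            continue
        summary["context_requested"] += 1
        policy = next((p for p in s.get("appliedConditionalAccessPolicies", [])
                       if p.get("displayName") == policy_name), None)
        if policy is None or policy.get("result") not in APPLIED:
            reason = policy["result"] if policy else "policy not evaluated"
            summary["gaps"].append((s["userPrincipalName"], s["createdDateTime"], reason))
            continue
        summary["policy_applied"] += 1
        # Session control labels are compared case-insensitively in case the log casing differs.
        if any(c.lower() == "signinfrequency" for c in policy.get("enforcedSessionControls", [])):
            summary["sign_in_frequency_enforced"] += 1
    return summary

if __name__ == "__main__":
    print(review_policy(SAMPLE_SIGNINS, "PIM reauth", "c1"))
```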
Task 3: Assign the conditional access policy to PIM
1. Search for and access PIM (Microsoft Entra Privileged Identity Management).
2. In this example, I’ll assign the Authentication Context I created earlier to the User Administrator role. I have a demo user named Darren who has been assigned the User Administrator role in PIM. Darren is able to request and activate the role, and the role is automatically removed after a number of hours.
3. From the left pane, click Roles. Search for and click User Administrator.
4. From the left pane, click Role settings.
5. Click Edit to access the default settings.
6. Click the option Microsoft Entra Conditional Access authentication context. The authentication context I created earlier is visible; it is attached to the Conditional Access policy that forces the admin to reauthenticate every time.
7. Click Update.
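The three portal tasks above have a Microsoft Graph equivalent, which is handy for rolling the same configuration out to several tenants or roles. The Python below is an added example, not from the original post: it builds the request bodies for the authentication context, the Conditional Access policy (sign-in frequency every time, created in report-only mode) and the PIM role setting. The endpoint paths and property names are those of the Graph conditional access and role management policy APIs; the context id c1, the group id and the role management policy id are placeholders.

```python
import json, re

GRAPH = "https://graph.microsoft.com/v1.0"  # base URL of the requests the bodies below belong to

def authentication_context(ctx_id, display_name, description):
    """Body for PATCH {GRAPH}/identity/conditionalAccess/authenticationContextClassReferences/{ctx_id}
    (Task 1). The service fixes context ids to the form c1..c99, so reject anything else early."""
    if not re.fullmatch(r"c([1-9]|[1-9][0-9])", ctx_id):
        raise ValueError(f"invalid authentication context id: {ctx_id}")
    return {"id": ctx_id, "displayName": display_name,
            "description": description, "isAvailable": True}

def reauth_policy(name, ctx_id, group_ids, enforce=False):
    """Body for POST {GRAPH}/identity/conditionalAccess/policies (Task 2). The policy targets the
    authentication context instead of an app and sets sign-in frequency to 'every time'.
    It is created in report-only mode unless enforce=True."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeAuthenticationContextClassReferences": [ctx_id]},
        },
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",  # reauthenticate on every activation
                "authenticationType": "primaryAndSecondaryAuthentication",  # password and MFA
            }
        },
    }

def pim_authentication_context_rule(ctx_id):
    """Body for PATCH {GRAPH}/policies/roleManagementPolicies/{policy_id}/rules/
    AuthenticationContext_EndUser_Assignment (Task 3): require the context when an eligible user
    activates the role, the same setting as Role settings in the PIM blade."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
        "id": "AuthenticationContext_EndUser_Assignment",
        "isEnabled": True,
        "claimValue": ctx_id,
        "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment",
                   "inheritableSettings": [], "enforcedSettings": []},
    }

if __name__ == "__main__":
    CTX, GROUP = "c1", "00000000-0000-0000-0000-000000000000"  # placeholder context and group ids
    for body in (authentication_context(CTX, "PIM reauth", "Reauthenticate before PIM activation"),
                 reauth_policy("PIM reauth", CTX, [GROUP]), pim_authentication_context_rule(CTX)):
        print(json.dumps(body, indent=2))
```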

Task 4: Test the Reauthentication Policy
I’ll be logging in to the Azure portal with a demo user named Darren. I have already assigned Darren’s account to the User Administrator role through PIM. Therefore, Darren is eligible to activate this role when needed. Darren is also included within the Conditional Access policy scope.
1. I log in as Darren and go through MFA.
   Note: we’ll see the authentication context and policy trigger later.
2. Whilst logged in as Darren, I search for PIM and click My roles from the left pane, then click Activate.
3. Darren is presented with a message requesting additional verification.
4. Click the message: "A Conditional Access policy is enabled and may require additional verification. Click to continue".
5. Darren is prompted to log in again (reauthenticate).
6. After reauthenticating, Darren can continue to activate the role.

I hope you found this post useful.
Thanks for reading, and see you at the next one.