Step-by-Step Guide: How to set up a Conditional Access reauthentication policy for PIM


Once a user has authenticated to Entra ID, they stay signed in for as long as the session is valid, even if they close and reopen the browser. For sensitive tasks or high-risk operations, however, it is worth requiring reauthentication. Forcing a fresh sign-in means that an attacker who holds only a hijacked browser session or a replayed token cannot, on their own, perform the protected operation; it also raises the bar for an attacker trying to persist across services and devices and move laterally through the environment.

A typical example is a user elevating to a higher-privileged role through Entra ID Privileged Identity Management (PIM). With a Conditional Access reauthentication policy we can require users to reauthenticate before they gain privileged access, adding an important layer of protection. In this blog post I walk through how to configure this policy step by step.

High-Level Configuration Tasks

The following steps outline the configuration process for enforcing reauthentication using Conditional Access and Privileged Identity Management (PIM):

  1. Create an Authentication Context in Conditional Access.
  2. Update Entra ID Privileged Identity Management (PIM) to associate the relevant role with the Authentication Context.
  3. Create a Conditional Access policy that enforces reauthentication based on the defined context.

Step 1: Create an Authentication Context

An Authentication Context is a label (with an ID in the range c1 to c99) that represents a specific authentication requirement, for example MFA, a compliant device, or reauthentication. The label itself carries no logic: PIM role settings reference it to say "activating this role requires context c1", and a Conditional Access policy targeted at the same context defines what c1 actually demands.

To create an Authentication Context:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access > Authentication context.
  3. Click + New authentication context.
  4. In the creation pane, provide a Display name and a Description for the context, and leave Publish to apps checked. An unpublished context is not selectable in PIM role settings or in Conditional Access policies.
  5. Click Save to create the context.

Step 2: Update the PIM Configuration

In this setup, the Security Administrator role is already managed through Privileged Identity Management (PIM). For more information on configuring PIM roles, refer to the official documentation:
🔗 Configure Microsoft Entra PIM

The next step is to associate the Authentication Context created above with the PIM role, so that the Conditional Access policy is evaluated during role activation.

To update PIM with the Authentication Context:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity Governance > Privileged Identity Management, and select the role you want to modify (in this example, Security Administrator).
  3. Click Settings.
  4. In the Role settings pane, select Edit.
  5. Under On activation, require, choose Microsoft Entra Conditional Access authentication context. Note that this dropdown offers Azure MFA and the authentication context as alternatives: once the context is selected, the authentication requirements for activation are defined by the Conditional Access policy targeting that context rather than by the PIM setting itself.
  6. From the dropdown menu, select the Authentication Context you created earlier.
  7. Click Update to save and apply the changes.

Step 3: Create a Conditional Access Policy to Enforce Reauthentication

The final step is to create a Conditional Access policy that forces reauthentication whenever a user activates a privileged role protected by the authentication context.

To create the Conditional Access policy:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access.
  3. Click + Create new policy.
  4. In the policy creation pane:

     o   Provide a meaningful name for the policy.

     o   Under Users, select the users or groups this policy should apply to. As with any Conditional Access policy, exclude your emergency-access (break-glass) accounts so that a misconfiguration cannot lock every administrator out of role activation.

     o   Under Target resources, choose Authentication context, and then select the context you created earlier.

  5. Go to the Session section and set Sign-in frequency to Every time. This makes the user reauthenticate each time the context is invoked, that is, at every role activation, not on every sign-in to every application. The policy in this post uses only this session control; if you also want activation to require MFA or a specific authentication strength, add that under Grant.

  6. Enable the policy by toggling it On (or start with Report-only to validate the targeting first), then click Create to finalize it.
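The same three steps can be scripted with the Microsoft Graph PowerShell SDK, which is useful for repeating the setup across tenants or keeping it in source control. The script below is an added example and is not part of the original post or of Microsoft's documentation. The context ID c1, the display names, and the group and break-glass account GUIDs are assumptions for illustration; the role ID is the well-known template ID of the Security Administrator directory role, and the rule ID AuthenticationContext_EndUser_Assignment is the PIM rule that corresponds to the "On activation, require" setting.

```powershell
# Added example (not from the original post): Steps 1-3 above via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module (Identity.SignIns and Identity.Governance submodules).

# Permissions for authentication contexts / CA policies and for PIM role settings.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagementPolicy.ReadWrite.Directory'

$contextId = 'c1'   # assumption: first unused context ID; valid IDs are c1..c99

# Step 1: create and publish the authentication context (the label PIM and CA refer to).
New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter @{
    id          = $contextId
    displayName = 'PIM activation - reauthenticate'          # assumed name
    description = 'Fresh sign-in required before activating privileged roles'
    isAvailable = $true                                       # "Publish to apps"; must be true to be selectable
}

# Step 2: bind the context to the Security Administrator role's PIM settings.
$roleDefinitionId = '194ae4cb-b126-40b2-bd5b-6091b380977d'   # Security Administrator template ID
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"

# This single rule is what the portal shows as "On activation, require ... authentication context".
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId 'AuthenticationContext_EndUser_Assignment' `
    -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
        id            = 'AuthenticationContext_EndUser_Assignment'
        isEnabled     = $true
        claimValue    = $contextId
        target        = @{
            caller              = 'EndUser'      # applies to the user activating the role
            operations          = @('all')
            level               = 'Assignment'
            inheritableSettings = @()
            enforcedSettings    = @()
        }
    }

# Step 3: the Conditional Access policy targets the context, not an application,
# and uses sign-in frequency "Every time" as its only control.
$privilegedGroupId = '00000000-0000-0000-0000-000000000000'   # assumption: group of eligible admins
$breakGlassUserId  = '11111111-1111-1111-1111-111111111111'   # assumption: emergency-access account

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'PIM: reauthenticate on privileged role activation'
    state       = 'enabledForReportingButNotEnforced'          # report-only first; switch to 'enabled' once validated
    conditions  = @{
        clientAppTypes = @('all')
        users = @{
            includeGroups = @($privilegedGroupId)
            excludeUsers  = @($breakGlassUserId)                # never lock out break-glass accounts
        }
        applications = @{
            includeAuthenticationContextClassReferences = @($contextId)
        }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'                    # portal: Sign-in frequency = Every time
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

# Read the PIM rule back to confirm the binding (claimValue should equal $contextId).
Get-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId 'AuthenticationContext_EndUser_Assignment' |
    Select-Object -ExpandProperty AdditionalProperties
```

The policy is created in report-only state so that the sign-in logs can be checked for the expected matches before enforcement; change `state` to `'enabled'` once the targeting is confirmed. The final read-back is the scripted equivalent of reopening the role settings in the portal to verify that the context is selected.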

 

 

Testing the Configuration

With all the required configuration in place, the next step is to test the Conditional Access reauthentication policy in action.

I signed in to the Azure portal using a user account that is eligible for the Security Administrator role.

Navigating to PIM > My roles > Eligible assignments, I located the Security Administrator role and clicked Activate.

At this stage, a message appears on the activation page:
"A Conditional Access policy is enabled and may require additional verification. Click to continue."
No further action can be taken on this screen until this prompt is addressed, so I clicked the link as instructed.

As expected, I was prompted to reauthenticate, in line with the policy we configured.

After successfully reauthenticating, I was redirected back to the role activation page, where I could now enter the required justification and other details.

Clicking Activate completed the role activation process successfully.

✅ This confirms that the Conditional Access policy enforcing reauthentication is working as intended for PIM role activation.

This concludes the blog post. I hope it has given you a clear understanding of how to configure and enforce Conditional Access reauthentication for Privileged Identity Management roles using Authentication Context.
