Conditional access authentication context

Conditional access authentication context is a feature that allows us to define granular policies for accessing resources based on the sensitivity of the data and the risk of the user. In this blog post, I will explain how we can use this feature to create a step-up process for applications and highly privileged roles.

A step-up process is a way of increasing the security level of a user's session when they need to access more sensitive data or perform more critical actions. For example, if a user wants to access an application that contains confidential information, they may be required to provide additional verification, such as a stronger authentication mechanism. This way, we can ensure that only authorized and verified users can access the data.

One of the benefits of using conditional access authentication context is that we can apply different policies to different applications and roles based on their sensitivity and risk level. For example, we can create a policy that requires users to perform multi-factor authentication with the authenticator app when they access an application that contains personal data, but accepts SMS when they access an application that contains only public data. We can also create a policy that requires users to provide additional verification when they perform actions that require highly privileged roles, such as Global Administrator or Security Administrator.

To use conditional access authentication context, we need to do two things: first, we need to create authentication context labels and assign them to applications and roles; second, we need to create conditional access policies and assign them to users and groups.
Authentication context labels are tags that we can use to classify applications and roles based on their sensitivity and risk level. We can create these labels in Azure Active Directory (Azure AD) and assign them to applications and roles using PowerShell or Graph API. For example, we can create a label called "Sensitive data context" and assign it to an application that contains sensitive data. We can also create a label called "Highly Privileged" and assign it to a role that requires high-level permissions.
Conditional access policies are rules that we can use to enforce additional security requirements for accessing resources based on the authentication context labels. We can create these policies in Azure AD and assign them to users and groups using the Azure portal or PowerShell. For example, we can create a policy that requires users to provide multi-factor authentication when they access resources with the label "Highly Confidential". We can also create a policy that requires users to provide biometric authentication when they perform actions with the label "Highly Privileged".
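As an added example (this is not code from the original post), here is how the two steps described above can be carried out with the Microsoft Graph PowerShell SDK: create the "Highly Privileged" label, attach it to the PIM role-management policy of a directory role so that activating the role requests that context, and create a Conditional Access policy that demands MFA whenever the context is requested. The label id `c1`, the policy display names and the break-glass group id are assumptions; the cmdlets and property names come from the `Microsoft.Graph.Identity.SignIns` and `Microsoft.Graph.Identity.Governance` modules.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph SDK
# modules Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.Governance
# are installed and the caller holds the scopes requested below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "RoleManagement.ReadWrite.Directory"

# --- Step 1: create the authentication context label -------------------------
# Authentication context ids are fixed to the range c1..c99; c1 is an assumption.
$ctxId = "c1"
New-MgIdentityConditionalAccessAuthenticationContextClassReference -Id $ctxId `
    -DisplayName "Highly Privileged" `
    -Description "Step-up required before activating a privileged role" `
    -IsAvailable:$true

# --- Step 1b: tie the label to a PIM role so activation requests the context --
# The role is resolved by display name rather than a hard-coded template id.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Global Administrator'"
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($roleDef.Id)'"

# PIM exposes the context requirement as a rule on the role-management policy.
# Note: PIM does not allow this rule together with the policy's own
# "require MFA on activation" enablement setting; the Conditional Access policy
# in step 2 is what enforces MFA instead.
$rule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
    id            = "AuthenticationContext_EndUser_Assignment"
    isEnabled     = $true
    claimValue    = $ctxId
    target        = @{
        caller              = "EndUser"
        operations          = @("All")
        level               = "Assignment"
        inheritableSettings = @()
        enforcedSettings    = @()
    }
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId $rule.id `
    -BodyParameter $rule

# --- Step 2: the Conditional Access policy that performs the step-up ---------
# Created in report-only mode first; switch state to "enabled" only after the
# sign-in log shows the expected impact. Emergency accounts are excluded so a
# misconfigured policy cannot lock the tenant out of its own admin roles.
$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder
$policy = @{
    displayName = "Step-up: Highly Privileged context requires MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Target the label, not an application: any app or PIM activation
            # that requests c1 is covered by this one policy.
            includeAuthenticationContextClassReferences = @($ctxId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The same pattern applies to the "Sensitive data context" label for applications: the label is created once, the application (for example a SharePoint site or a custom app that requests `acrs` claims) is configured to request it, and a second Conditional Access policy targets that id. Because policies target the label rather than individual apps, adding a new sensitive application later only requires tagging it, not editing the policy.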

By using conditional access authentication context, we can create a step-up process for applications and highly privileged roles that enhances our security posture and protects our data from unauthorized access. To learn more about this feature and how to configure it, please visit the Microsoft Learn article "Conditional access policy for SharePoint sites and OneDrive - SharePoint in Microsoft 365".