Microsoft Previews Conditional Access Policy To Compel Reauthentications

Microsoft this week announced a new policy for compelling reauthentications for organizations using the Microsoft Entra Conditional Access service.

The new policy, called "sign-in frequency -- every time," is currently at the public preview release stage. Turning on this policy will require "interactive reauthentication for any application or authentication context protected by Conditional Access," the announcement explained.

The new policy is the antithesis of single sign-on, under which users don't have to authenticate again and again for each application they use. Organizations may still use single sign-on while wanting a reauthentication prompt to appear under certain conditions. For instance, organizations can set up "risk-based reauthentication policies" for suspect sign-in behaviors to lower the risk of token theft by attackers.

Microsoft listed a few other scenarios where organizations may want to initiate reauthentications, namely:

  • Accessing high-risk resources, such as connecting to a VPN.
  • Activating a privileged role in Privileged Identity Management (PIM).
  • Performing an action within an application, such as changing personal information in an HR application.
  • Critical actions such as Intune enrollment or updating credentials.
  • Risky sign-ins, as called out above, where reauthentication helps reduce and mitigate the risk of token theft.

The new policy shouldn't be used with all applications because it may induce "MFA [multifactor authentication] fatigue," which just helps phishing attempts, Microsoft argued in its documentation. It's best used in cases "when a client should get a new token."
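As an added illustration (not code from the article or from Microsoft), the following builds a Conditional Access policy body that uses the "every time" sign-in frequency for one narrowly scoped trigger, and lints it for the broad "all applications" scoping the article advises against. It assumes the Microsoft Graph conditionalAccessPolicy schema (sessionControls.signInFrequency with frequencyInterval "everyTime"); the group id and authentication context id are constructed placeholders.

```python
# Constructed placeholders, not values from the article.
PIM_AUTH_CONTEXT = "c1"
ADMINS_GROUP = "00000000-0000-0000-0000-000000000001"


def reauth_every_time_policy(display_name, scope, report_only=True):
    """Build a Conditional Access policy body using the 'every time' sign-in frequency.

    scope is {"apps": [...]} (application ids, or "All") or {"auth_context": [...]}
    (authentication context class references, e.g. the one a PIM role activation
    is bound to). Assumed Graph schema: sessionControls.signInFrequency.
    """
    applications = {}
    if "apps" in scope:
        applications["includeApplications"] = scope["apps"]
    if "auth_context" in scope:
        applications["includeAuthenticationContextClassReferences"] = scope["auth_context"]
    return {
        "displayName": display_name,
        # Start in report-only so prompt volume can be reviewed in sign-in logs before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [ADMINS_GROUP]},
            "applications": applications,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",  # the preview option; no value/type needed
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def lint_reauth_scope(policy):
    """Return findings for the misuse the article warns about: 'every time'
    reauthentication applied broadly instead of to specific apps or actions."""
    findings = []
    sif = policy.get("sessionControls", {}).get("signInFrequency", {})
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        return findings
    apps = policy["conditions"]["applications"]
    if "All" in apps.get("includeApplications", []):
        findings.append("every-time reauthentication scoped to all cloud apps (MFA fatigue risk)")
    if not apps:
        findings.append("every-time reauthentication with no app or authentication-context scope")
    return findings
```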

In other Microsoft Entra ID news this month, Microsoft introduced a public preview of a new license "Utilization and Insights" portal for Entra ID Premium subscribers. The portal shows how many P1 and P2 licenses an organization has, along with their features. The preview, in particular, shows the "Conditional Access and risk-based Conditional Access" features that are available, although Microsoft plans to expand its tracking to "other SKUs and corresponding features at general availability."

Also this month, Microsoft advised organizations to keep track of deleted objects using the Microsoft Entra Admin Center portal or via audit log queries or the Microsoft Graph API using PowerShell. The announcement explained that tracking deletions in Microsoft Entra ID can help identify and recover "any objects that were accidentally or maliciously deleted." It also helps with compliance monitoring, including the removal of "any unnecessary or obsolete objects."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
