Saturday, 30 October 2021

Azure AD Conditional Access | Authentication Context

The Authentication Context feature can be used to add additional and granular security to access apps or data in apps such as SharePoint or Exchange.

Example: Access to SharePoint sites or data in SharePoint is only permitted with devices managed in Intune. This is enforced via a conditional access policy. For special SharePoint sites containing highly sensitive data, access is also only permitted from the company network.

Until now, this was not possible because a conditional access policy always referred to the app as such, i.e. to SharePoint in the example above. With the Authentication Context in a Conditional Access Policy, this scenario is now possible.

Authentication Context

The feature is still in preview. The following limitations apply to the preview:

  • Deleting authentication context definitions is not possible in the preview.
  • The preview is limited to a total of 25 authentication context definitions.

An Authentication Context is created in the Conditional Access menu in the Azure Portal:

The Authentication Context is nothing more than a container:

The Authentication Context feature can then be selected in a Conditional Access Policy in the “Cloud Apps or Actions” menu item. This adds another option to the already existing cloud apps and user actions.

Using an Authentication Context

To implement the example from above, a Sensitivity Label is now used. The Authentication Context is configured in the Label:

The label is then assigned to the corresponding SharePoint site. If this SharePoint site is now accessed, the conditional access policy in which the authentication context is stored applies:
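The two portal steps above (creating the Authentication Context container and binding it to a Conditional Access policy that only allows access from the company network) can also be done with Microsoft Graph. The following PowerShell is an added example and not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that context id `c1` is still unused, and that the company network is already configured as a trusted named location. Attaching the context to a Sensitivity Label and the label to the site is still done as described above.

```powershell
# Added example (not from the original post): create an Authentication Context
# with Microsoft Graph and bind it to a Conditional Access policy that blocks
# access from outside the trusted named locations. Requires the Microsoft.Graph
# PowerShell SDK. All ids and display names below are assumptions/placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Create the Authentication Context "container". The id is c1..c25; during
#    the preview there are at most 25 definitions and they cannot be deleted,
#    so pick ids deliberately. isAvailable = $true makes the context selectable
#    in Sensitivity Labels and Conditional Access policies.
$context = @{
    id          = "c1"                        # assumption: c1 is not yet in use
    displayName = "Highly sensitive SharePoint sites"
    description = "Access only permitted from the company network"
    isAvailable = $true
}
$ctx = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences" `
    -ContentType "application/json" `
    -Body ($context | ConvertTo-Json)

# 2. Conditional Access policy that targets the context instead of an app.
#    "AllTrusted" is the built-in reference for every trusted named location;
#    the policy applies to all locations except those, and blocks.
$policy = @{
    displayName   = "CA - Sensitive SharePoint - company network only"
    # Report-only first: review the sign-in log before switching to "enabled",
    # so a wrongly defined trusted location does not lock everyone out.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @()                # put break-glass accounts here
        }
        applications = @{
            includeAuthenticationContextClassReferences = @($ctx.id)
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -ContentType "application/json" `
    -Body ($policy | ConvertTo-Json -Depth 10)

# 3. Verify: list every policy that references the new context.
$all = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$all.value |
    Where-Object { $_.conditions.applications.includeAuthenticationContextClassReferences -contains $ctx.id } |
    Select-Object displayName, state
```

The policy is created in report-only mode on purpose: a block policy with `includeUsers = All` and a mistyped location would otherwise take effect immediately, and the context definition itself cannot be removed again in the preview.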
The whole process:

Example:

User Stan Laurel logs into Office 365 and goes to the SharePoint app:

Now he selects the SharePoint site "SPO Authentication Context DEMO" and then gets the message that access is not possible.

However, the reason here is not permissions, but that a conditional access policy, as described above, only allows access from the company network.