Introduction
Microsoft Entra Authentication Contexts offer a powerful solution to strengthen the security of sensitive actions and critical resources. These Contexts enable increased granularity in applying conditional access policies, perfectly suited to scenarios where protection must be strict and targeted.
Good to know: Authentication Contexts are available with a license that includes conditional access, such as Microsoft Entra ID P1.
What is an Authentication Context?
An Authentication Context is a tag used in Entra to apply conditional access policies to specific actions or resources. This includes:
- Protected actions
- Privileged identity management (PIM) roles
- Sensitivity labels
Each organization can create up to 99 distinct contexts (c1-c99). These contexts can be reused for various applications or access points, and targeted by multiple conditional access policies simultaneously.
Tip: A context can be configured to require specific authentication methods, such as phishing-resistant solutions.
Why Use Authentication Contexts?
Most conditional access solutions offer standard protection. However, for highly sensitive environments or critical roles, enhanced security is essential. Here's why:
- Protection against attacks: Even after a successful authentication, the additional controls reduce the risk posed by stolen-token attacks.
- Minimization of human error: Targeted policies limit actions that could result in unintended consequences.
- Advanced compliance: Allows you to meet strict regulatory or contractual requirements.
Managing Authentication Contexts in Entra
Creating an Authentication Context
1. Access the portal: Log in to the Microsoft Entra portal and navigate to the Conditional Access tab.
2. Create a context: Click New authentication context, name it and add a description if necessary. Select the context ID and publish it to applications.
3. Use in a policy: Associate this context with conditional access policies or target it to specific actions.
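The same three steps done from the command line, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module), assumes the signed-in admin has a conditional access license, that the context ID c1 is still free, and that the break-glass account ID placeholder is replaced with a real object ID before running. The policy is created in report-only mode so its impact can be reviewed before enforcement.

```powershell
# Added example, not from the original article: create an Authentication Context
# and a conditional access policy that targets it, using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, context ID "c1" is unused,
# and "<break-glass-account-id>" is replaced with the object ID of an emergency account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 1: create and publish the context. Only the IDs c1 to c99 are valid.
$context = @{
    id          = "c1"
    displayName = "Sensitive admin operations"
    description = "Require phishing-resistant MFA for tagged actions and resources"
    isAvailable = $true   # published, so applications and policies can reference it
}
New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter $context

# Step 2: target the context from a conditional access policy. The built-in
# "Phishing-resistant MFA" authentication strength has the well-known ID ending in 0004.
$policy = @{
    displayName = "Require phishing-resistant MFA for context c1"
    state       = "enabledForReportingButNotEnforced"   # report-only first, enforce later
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-id>")   # placeholder: emergency access account
        }
        applications = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Step 3: confirm the context is published before wiring it to actions, labels or sites.
Get-MgIdentityConditionalAccessAuthenticationContextClassReference -AuthenticationContextClassReferenceId "c1" |
    Select-Object Id, DisplayName, IsAvailable
```

Keeping the policy in report-only mode until the sign-in logs show the expected matches avoids locking administrators out of the very actions the context is meant to protect; the excluded emergency account is the usual safety net for conditional access changes.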
Deleting an Authentication Context
Deleting a context also removes it from related policies. Make sure to unpublish or archive policies before proceeding.
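A pre-deletion check, added here as an example and not taken from the original article: it lists every conditional access policy that still references a context and only removes the context when nothing depends on it. It assumes the Microsoft.Graph.Identity.SignIns module and that a context with ID c1 exists.

```powershell
# Added example, not from the original article: find policies that reference an
# Authentication Context before deleting it, so nothing is silently unprotected.
# Assumes Microsoft.Graph.Identity.SignIns is installed and context "c1" exists.
function Get-PoliciesUsingAuthenticationContext {
    param([Parameter(Mandatory)][string]$ContextId)
    # Policies target contexts through conditions.applications.includeAuthenticationContextClassReferences
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains $ContextId
    } | Select-Object Id, DisplayName, State
}

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$contextId  = "c1"
$dependents = @(Get-PoliciesUsingAuthenticationContext -ContextId $contextId)

if ($dependents.Count -gt 0) {
    # Stop here: retarget or archive these policies first, as the article advises.
    Write-Warning "Context $contextId is still referenced by $($dependents.Count) policy(ies); not deleting."
    $dependents | Format-Table -AutoSize
} else {
    Remove-MgIdentityConditionalAccessAuthenticationContextClassReference -AuthenticationContextClassReferenceId $contextId
    Write-Host "Context $contextId removed."
}
```

The same dependency list is worth exporting as a change record, since the portal does not show which policies a context was removed from once the deletion has gone through.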
Using Authentication Contexts in Different Scenarios
Protected Actions
Protected actions are critical tasks requiring additional controls:
- Administrator access
- Creation of conditional access policies
1. Configure protected actions: Go to Roles and administrators → Protected actions, then add the actions to protect.
2. Associate a context: Select the authentication context to apply to these actions.
Sensitivity Labels
Sensitivity labels allow you to classify and protect critical data by pairing a Context with strict conditional access policies.
Warning: Labels are not supported by all applications. Check compatibility in the official documentation.
Example configuration via PowerShell:
Set-SPOSite -Identity https://<yourcompany>.sharepoint.com/sites/<siteName> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "Displayed Context"
Microsoft Defender for Cloud Apps
Entra offers the ability to enforce real-time enhanced authentication for web sessions via Defender for Cloud Apps. This is particularly useful for downloading sensitive files.
Tip: Configure policies in Defender to require phishing-resistant credentials before critical operations.
Glossary
- PIM: Privileged identity management enabling "Just-in-Time" role activation.
- MFA: Multi-factor authentication used to strengthen login security.
- MDCA: Microsoft Defender for Cloud Apps supervising application sessions.