Tuesday, June 17, 2025

Step-by-Step Guide: How to set up a Conditional Access reauthentication policy for PIM

Once a user is authenticated through Entra ID, they remain signed in as long as the session is valid—even if they close and reopen the browser. However, in scenarios involving sensitive tasks or high-risk operations, it’s beneficial to require reauthentication. Forcing a fresh sign-in adds an extra layer of security by reducing the risk of session hijacking and token replay attacks. It also prevents attackers from maintaining persistence across services and devices, limiting their ability to move laterally within the environment.

A common example is when a user elevates their permissions to a higher-privileged role using Entra ID Privileged Identity Management (PIM). By leveraging Conditional Access reauthentication policies, we can require users to reauthenticate before gaining privileged access—adding an important layer of security. In this blog post, I’ll walk through how to configure this policy step by step.

High-Level Configuration Tasks

The following steps outline the configuration process for enforcing reauthentication using Conditional Access and Privileged Identity Management (PIM):

  1. Create an Authentication Context in Conditional Access.
  2. Update Entra ID Privileged Identity Management (PIM) to associate the relevant role with the Authentication Context.
  3. Create a Conditional Access policy that enforces reauthentication based on the defined context.

Step 1: Create an Authentication Context

Authentication Context allows you to define a label that represents a specific authentication requirement (e.g., MFA, compliant device, reauthentication). This label can be referenced in PIM configurations and Conditional Access policies.

To create an Authentication Context:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access > Authentication context.
  3. Click + New authentication context.

  4. In the creation pane, provide a Name and Description for the context.
  5. Click Save to create the context.

Step 2: Update PIM Configuration

In this setup, the Security Administrator role is already managed via Privileged Identity Management (PIM). For more information on configuring PIM roles, refer to the official documentation:
🔗 Configure Microsoft Entra PIM

The next step is to associate the previously created Authentication Context with the PIM role to enforce conditional access policies during role activation.

To update PIM with Authentication Context:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity Governance > Privileged Identity Management, and select the role you want to modify (in this example, Security Administrator).
  3. Click on Settings.
  4. In the Role settings pane, select Edit.
  5. Under the On activation, require section, choose Microsoft Entra Conditional Access authentication context.
  6. From the dropdown menu, select the Authentication Context you created earlier.
  7. Click Update to save and apply the changes.

Step 3: Create a Conditional Access Policy to Enforce Reauthentication

The final step is to create a Conditional Access policy that forces reauthentication whenever a user activates a privileged role protected by the authentication context.

To create the Conditional Access policy:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access.
  3. Click + Create new policy.
  4. In the policy creation pane:
     - Provide a meaningful name for the policy.
     - Under Users, select the users or groups this policy should apply to.
     - Under Target resources, choose Authentication context, and then select the context you created earlier.
  5. Go to the Session section and set Sign-in frequency to Every time. This setting ensures that users are prompted to reauthenticate each time the context is invoked.
  6. Enable the policy by toggling On, then click Create to finalize it.
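
The same three steps can be driven through the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; the context label, policy name and group id are assumed placeholders, and the cmdlets are those of the Microsoft.Graph modules.

```powershell
# Added example (not from the original post): portal steps 1-3 via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and the signed-in account may manage
# Conditional Access and PIM role settings. Label, policy name and group id are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleManagement.Read.Directory"

# Step 1: create the Authentication Context (ids take the form c1, c2, ...)
$ctx = New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter @{
    id          = "c1"
    displayName = "PIM reauthentication"                      # assumed label
    description = "Require a fresh sign-in before privileged role activation"
    isAvailable = $true
}

# Step 2: bind the context to the Security Administrator role's activation rule in PIM.
# The role management policy is looked up from the role definition rather than hard-coded.
$roleDef    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter ("scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '{0}'" -f $roleDef.Id)
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId     $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "AuthenticationContext_EndUser_Assignment" `
    -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
        isEnabled     = $true
        claimValue    = $ctx.Id          # "On activation, require" = this context
    }

# Step 3: Conditional Access policy scoped to the context, sign-in frequency "Every time"
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "PIM - require reauthentication on role activation"   # assumed name
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @("<group-id-of-PIM-eligible-admins>") }  # placeholder
        applications = @{ includeAuthenticationContextClassReferences = @($ctx.Id) }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}
```

PIM treats the authentication context and the role's own "Azure MFA on activation" setting as alternatives, so step 2 replaces, rather than adds to, an MFA requirement already set on the role; the MFA strength you want is then enforced by the Conditional Access policy itself.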

Testing the Configuration

With all the required configurations in place, the next step is to test the Conditional Access reauthentication policy in action.

I signed in to the Azure portal using a user account that is eligible for the Security Administrator role.

Navigating to PIM > My roles > Eligible assignments, I located the Security Administrator role and clicked Activate.

At this stage, a message appears on the activation page:
“A Conditional Access policy is enabled and may require additional verification. Click to continue.”
No further action can be taken on this screen until this prompt is addressed, so I clicked the link as instructed.

As expected, I was prompted to reauthenticate, in line with the policy we configured.

After successfully reauthenticating, I was redirected back to the role activation page, where I could now enter the required justification and additional details.

Clicking Activate completed the role activation process successfully.

✅ This confirms that the Conditional Access policy enforcing reauthentication is working as intended for PIM role activation.

This concludes the blog post. I hope it has provided you with a clear understanding of how to configure and enforce Conditional Access reauthentication for Privileged Identity Management roles using Authentication Context.
