I kept meaning to write an article for this, decided to record a quick video instead 🎥 TL;DW: create an auth context, target the auth context in a CA policy (SIF every time, other conditions), select the auth context in the PIM role settings. Thanks Stephan G for the reminder :)
15,843 views • 1 year ago • via X (Twitter)
8 comments

Thanks again for that great input on how to make security better.

Thank you! So glad I can help 😊

@StephanG_AIM Why build a policy only for the auth context? Is there a difference in building a CA policy that targets the app(s) and includes phish-resistant auth with session controls?

@StephanG_AIM This is a great question! :) Auth contexts are amazing and allow us to do things that resource-based policies can't. For PIM, we are using Sign-in Frequency - Every time to force a fresh authentication on role activation to prevent an attacker with a stolen token from activating.

@StephanG_AIM Would be interesting to also see the sign-in behavior once the above policy is set, because for me, if I set 'sign-in frequency' along with auth context / auth strength, I get stuck in a constant sign-in loop using passkeys in the MS Authenticator app.

@StephanG_AIM We deploy like this often and it works great, but you do need to have registered the method already. If you don't, I believe it attempts to send you to register and gets stuck.

@StephanG_AIM What are the recommendations for high-privilege admins: GA, Intune, SharePoint?

@StephanG_AIM I usually recommend a few CA policies for activating privileged admins (using auth context): 1) Block all users except a filter for devices listing explicit deviceIds of admin devices; 2) Require phishing-resistant auth, SIF - Every time; 3) Block outside network location / GSA.
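The three steps from the original post (create an auth context, target it in a CA policy with sign-in frequency "every time", bind it to the PIM role setting) and policy 2 from the recommendation above are the same Microsoft Graph objects, so here is one added example that covers both. It is not code from the post's author; it builds the Graph request bodies for each step, posts them with a bearer token you already hold (env var `GRAPH_TOKEN`, assumed), and includes a checker that reports which of the hardening settings an existing CA policy is missing. The endpoints, the built-in "Phishing-resistant MFA" strength id and the `AuthenticationContext_EndUser_Assignment` rule id are as documented for Graph v1.0 but are written from memory here, so verify them against your tenant; the role-management-policy id and break-glass account ids are placeholders you must supply.

```python
"""Added example: Graph payloads for hardening PIM role activation with an
authentication context, plus a checker for existing CA policies."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Built-in authentication strength "Phishing-resistant MFA" (fixed Graph id, assumed current).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def auth_context_payload(ctx_id, name):
    """Step 1: authentication context class reference (ids are c1..c99)."""
    return {"id": ctx_id, "displayName": name,
            "description": "Required to activate privileged roles", "isAvailable": True}


def ca_policy_payload(ctx_id, name, break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Step 2: CA policy targeting the auth context. Phishing-resistant strength plus
    sign-in frequency 'every time', so a replayed/stolen token cannot activate a role.
    Defaults to report-only so you can watch the sign-in logs before enforcing."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeAuthenticationContextClassReferences": [ctx_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND",
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
        "sessionControls": {"signInFrequency": {
            "isEnabled": True,
            "frequencyInterval": "everyTime",
            "authenticationType": "primaryAndSecondaryAuthentication"}},
    }


def pim_auth_context_rule(ctx_id):
    """Step 3: PIM role setting 'On activation, require Conditional Access authentication
    context'. PATCHed onto the role management policy's AuthenticationContext rule."""
    return {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
            "id": "AuthenticationContext_EndUser_Assignment",
            "isEnabled": True, "claimValue": ctx_id}


def pim_activation_gaps(policy, ctx_id):
    """Check a CA policy (as returned by Graph) against the post's recipe.
    Returns a list of gaps; an empty list means the policy is hardened."""
    gaps = []
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if ctx_id not in (apps.get("includeAuthenticationContextClassReferences") or []):
        gaps.append("does not target auth context " + ctx_id)
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    if strength.get("id") != PHISHING_RESISTANT_MFA:
        gaps.append("phishing-resistant authentication strength not required")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        gaps.append("sign-in frequency is not 'every time' (a stolen token could activate)")
    if policy.get("state") != "enabled":
        gaps.append("policy state is %s, not enforced" % policy.get("state"))
    return gaps


def graph(method, path, token, body=None):
    """Minimal Graph call. Needs Policy.ReadWrite.ConditionalAccess and
    RoleManagementPolicy.ReadWrite.Directory on the token. Not exercised offline."""
    req = urllib.request.Request(
        GRAPH + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]                      # assumed: token obtained elsewhere
    break_glass = os.environ["BREAK_GLASS_IDS"].split(",")  # assumed: object ids of emergency accounts
    pim_policy_id = os.environ["PIM_POLICY_ID"]            # assumed: roleManagementPolicy id of the role
    ctx = "c1"
    graph("POST", "/identity/conditionalAccess/authenticationContextClassReference", token,
          auth_context_payload(ctx, "Privileged role activation"))
    graph("POST", "/identity/conditionalAccess/policies", token,
          ca_policy_payload(ctx, "PIM activation: phishing-resistant + SIF every time", break_glass))
    graph("PATCH", "/policies/roleManagementPolicies/%s/rules/AuthenticationContext_EndUser_Assignment"
          % pim_policy_id, token, pim_auth_context_rule(ctx))
    for p in graph("GET", "/identity/conditionalAccess/policies", token).get("value", []):
        print(p["displayName"], "->", pim_activation_gaps(p, ctx) or "hardened")
```

Two caveats from the thread are worth building into a rollout: users must already have a phishing-resistant method registered before the policy is enforced, otherwise activation bounces into registration (the loop described above), and the policy ships here in report-only state so you can confirm in the sign-in logs that activations hit the auth context before flipping `state` to `enabled`. When the PIM auth-context rule is enabled, the role's separate "require MFA on activation" enablement rule should not also be set, since the auth context policy is what enforces the strong authentication.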

