
Authentication Context & Protected Actions

25 mins

Understanding the Concept

Authentication context allows Conditional Access policies to be triggered by specific actions within an application, not just at sign-in. For example, accessing a confidential SharePoint site or performing a sensitive operation in a custom app can require step-up authentication even if the user is already signed in.

Protected actions extend this concept to Microsoft Entra administrative operations. Specific admin actions (like modifying Conditional Access policies or deleting users) can be protected by requiring additional authentication, even for already-authenticated administrators.

Conditional Access templates provide pre-built policy configurations for common scenarios such as requiring MFA for admins, blocking legacy authentication, or requiring compliant devices. These templates accelerate deployment and ensure best practices are followed.

Key Points

  • Authentication context: Tag apps/resources with context IDs (c1-c25)
  • Step-up authentication: Require stronger auth for sensitive operations mid-session
  • Protected actions: Shield admin operations with additional verification
  • CA templates: Pre-built policies for common security scenarios
  • SharePoint/Teams integration: Apply context to specific sites or channels

Authentication Context Flow

  1. Define Context: Create authentication context IDs in the Entra admin center
  2. Create CA Policy: Build a CA policy targeting the authentication context
  3. Tag Resources: Apply the context ID to SharePoint sites, apps, or admin actions
  4. User Access: When a user hits a tagged resource, step-up auth is required

Why This Matters in Real Organizations

Not all resources within an application need the same level of protection. Authentication context enables granular security within applications - a user can browse general documents with basic auth but must provide phishing-resistant MFA to access confidential files.

Common Mistakes to Avoid

  • Creating authentication contexts without linking them to CA policies
  • Not understanding that protected actions only apply to specific admin operations
  • Deploying CA templates without reviewing and customizing for your environment
  • Overusing authentication contexts, leading to excessive step-up prompts
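
The first mistake above can be checked mechanically. The following is an added example, not part of the original lesson: it cross-references defined authentication contexts against the Conditional Access policies that target them and flags contexts that no enforced policy covers. The sample data is constructed; the field names follow the Microsoft Graph conditional access resources, and the function name `audit` and the report keys are assumptions made for this illustration.

```python
import json

# Constructed sample data, shaped like Microsoft Graph responses from
# /identity/conditionalAccess/authenticationContextClassReferences and /policies
CONTEXTS = json.loads("""[
  {"id": "c1", "displayName": "Confidential sites", "isAvailable": true},
  {"id": "c2", "displayName": "Payroll app actions", "isAvailable": true},
  {"id": "c3", "displayName": "Admin operations", "isAvailable": true},
  {"id": "c4", "displayName": "Draft context", "isAvailable": false}
]""")
POLICIES = json.loads("""[
  {"displayName": "Step-up for confidential sites", "state": "enabled",
   "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c1"]}}},
  {"displayName": "Payroll pilot", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c2"]}}},
  {"displayName": "Legacy rule", "state": "disabled",
   "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c9"]}}},
  {"displayName": "MFA for all apps", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]}}}
]""")


def audit(contexts, policies):
    """Classify each context by the strongest state of any policy targeting it."""
    rank = {"disabled": 0, "enabledForReportingButNotEnforced": 1, "enabled": 2}
    best = {}  # context id -> strongest policy state seen so far
    for p in policies:
        apps = (p.get("conditions") or {}).get("applications") or {}
        for cid in apps.get("includeAuthenticationContextClassReferences") or []:
            if rank.get(p["state"], 0) >= rank.get(best.get(cid), -1):
                best[cid] = p["state"]
    report = {"enforced": [], "not_enforced": [], "unlinked": [], "undefined": []}
    for c in contexts:
        state = best.get(c["id"])
        if state == "enabled":
            report["enforced"].append(c["id"])
        elif state is None:
            report["unlinked"].append(c["id"])  # no policy references it at all
        else:
            report["not_enforced"].append(c["id"])  # only report-only/disabled policies
    # Policies pointing at context IDs that are not defined in the tenant
    report["undefined"] = sorted(set(best) - {c["id"] for c in contexts})
    # Published contexts can be tagged on resources; without an enforced policy they protect nothing
    report["published_gap"] = [c["id"] for c in contexts
                               if c.get("isAvailable") and c["id"] not in report["enforced"]]
    return report


if __name__ == "__main__":
    print(json.dumps(audit(CONTEXTS, POLICIES), indent=2))
```

The `published_gap` list is the one to act on first: resource owners can already tag sites or apps with those contexts, but no step-up is enforced for them.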

Interview Tips

  • Explain authentication context with a real scenario like classified documents
  • Discuss protected actions for securing admin operations
  • Mention CA templates as a best practice for initial deployment

Exam Tips (SC-300)

  • Know how authentication context integrates with SharePoint sensitivity labels
  • Understand which admin actions can be protected
  • Know the available CA template categories
