Conditional Access authentication context now in public preview

Published 05-26-2021 11:00 AM

Howdy folks,

Today we are starting the Conditional Access authentication context public preview. Authentication context allows apps to trigger policy enforcement when a user accesses sensitive data or actions, keeping users more productive and your sensitive resources secure.

We have added this capability for more granular policy targeting because of your feedback – let us know what you think!

Caleb Baker, from our PM team, will walk you through the details below.

Thanks,

Alex Simons

------------------------------------------------------------------------

Getting started with Conditional Access authentication context

Hey there, I am Caleb from the Azure AD team.

We've heard from many of you that you want to trigger a Conditional Access policy when sensitive content in your apps is accessed. This includes requiring multi-factor authentication, a compliant device, or even a GPS-based location. Existing app-level Conditional Access policies don't support this level of resource granularity, so we've added support for authentication contexts.

Now that Conditional Access authentication context is in public preview, it's great to be able to go deeper into some of the details. I can't wait to see how people use it and integrate authentication context into their own apps.

You can modify your line-of-business apps, or, thanks to integration with Microsoft Cloud App Security (MCAS), Microsoft Information Protection (MIP), and SharePoint Online, use it with all kinds of cloud apps right away!

Let’s get started!

When you use authentication context, you first create a custom authentication context value. This is the value apps will reference to trigger Conditional Access policies when sensitive data or actions are accessed.

You can do this from the new Conditional Access authentication context tab by clicking New authentication context.

[Image: AuthContext (Preview).png]

You'll then provide a display name and description for the new authentication context. We recommend using a name that captures the authentication requirements, for example "Controls trusted devices" or "Contoso strong auth".

[Image: Modify authentication context.png]

After creating a new authentication context, you then attach it to Conditional Access policies. These are the policies that will be enforced when an application triggers the authentication context. You author these policies in the Conditional Access policy admin UX, the same as any other Conditional Access policy. The only difference is that instead of assigning the policy to a cloud app, you assign it to an authentication context.

[Image: New.png]

Now that you've created an authentication context, apps can make use of it. I'll show an example with MCAS session policy (https://aka.ms/authcontextmcas), which enforces policy when a user downloads a file from an app. MIP label management (https://aka.ms/authcontextmip) in the Office Security and Compliance Center has a similar experience for applying authentication context values.

[Image: Actions.png]

Now when a user attempts to download a sensitive file from an app that is configured to use the MCAS session policy, they will need to satisfy the attached Conditional Access policy.

Here are some of the ways customers have been using authentication context with MCAS and SharePoint.

  • Requiring users to authenticate with multi-factor authentication (MFA) when they download sensitive files from any SaaS app on the web, like Office 365, Salesforce, Workday, and more.
  • Requiring terms of use for SharePoint site collections that have been classified as confidential. For several customers this allows them to move sensitive documents to secured sites in SharePoint Online, and complete their migration from on-premises.

These documents will help you learn more about configuring these policies.

  • Configuring Conditional Access authentication context: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts
  • Microsoft Information Protection to protect sensitive SharePoint site collections: https://aka.ms/authcontextmip
  • Microsoft Cloud App Security session policy: https://aka.ms/authcontextmcas

 

Adding authentication context into your apps

Any app using OpenID Connect/OAuth 2.0 for authentication can also use authentication context values, including apps developed by your organization. This allows your apps to better protect sensitive resources, like high-value transactions or viewing employee personal data.

We've built this support on a standards-based pattern, commonly used by apps prompting for multi-factor authentication, to help simplify app integration. Of course, you can also use the Microsoft Authentication Library (MSAL) to further simplify app development.

Apps trigger a specific authentication context by sending an OpenID Connect claims challenge that requests a specific authentication context claim value.

[Image: Context Value.png]

Once the user has been challenged and has satisfied the policy, they are issued a new sign-in token containing the required authentication context claim. The app can then use the presence of that claim value to grant access.
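As an added example (not code from this post, from Microsoft's sample app, or from MSAL), here is the exchange just described in Python, seen from both sides: the web API checks whether the already-validated token carries the authentication context value its sensitive operation needs and, if not, answers with a claims challenge; the client then pulls the claims request back out of the 401 response to hand to its token library. The claim name acrs, the context id format c1..c99, and the `insufficient_claims` header layout follow Azure AD's developer guidance for this feature and are not named on this page; the authorize endpoint, the operation names, the ids c1 and c2, and the token payload are assumptions constructed for the example. It also goes slightly beyond the post by handling both the access-token (web API) and id-token (web app) forms of the claims request.

```python
import base64
import json

# Constructed mapping from a sensitive operation in this app to the id of the
# authentication context the admin created for it (c1/c2 are placeholders;
# Azure AD assigns ids of the form c1..c99 when a context is created).
REQUIRED_CONTEXT = {
    "download_payroll_report": "c1",
    "view_employee_pii": "c2",
}

# Assumption: the authorize endpoint named in the challenge header.
AUTHORIZE_URI = "https://login.microsoftonline.com/common/oauth2/authorize"


def build_claims_request(context_id, token_type="access_token"):
    """OpenID Connect claims request asking Azure AD to satisfy the Conditional
    Access policy attached to context_id. A web API asks for the value in the
    access token; a web app protecting a page asks for it in the id token."""
    return {token_type: {"acrs": {"essential": True, "value": context_id}}}


def www_authenticate_header(context_id):
    """Value of the WWW-Authenticate header a web API sends with HTTP 401 when
    the caller's token lacks the required context. The claims request travels
    as base64-encoded JSON (assumption: client and API agree on standard base64)."""
    claims_json = json.dumps(build_claims_request(context_id), separators=(",", ":"))
    claims_b64 = base64.b64encode(claims_json.encode("utf-8")).decode("ascii")
    return (
        'Bearer realm="", '
        f'authorization_uri="{AUTHORIZE_URI}", '
        'error="insufficient_claims", '
        f'claims="{claims_b64}"'
    )


def claims_from_header(header):
    """Client side: recover the claims request JSON string from the 401 header
    so it can be passed to the token library (MSAL's claims_challenge
    parameter) when re-acquiring a token for the same resource."""
    for param in header.split(", "):
        if param.startswith("claims="):
            claims_b64 = param[len("claims="):].strip('"')
            return base64.b64decode(claims_b64).decode("utf-8")
    raise ValueError("401 response carries no claims challenge")


def authorize(token_claims, operation):
    """Server side, run after the token's signature, issuer, audience and
    expiry have been validated (not repeated here). Returns ("ok", None) when
    the token carries the context id this operation needs, otherwise
    ("challenge", header) so the caller can return 401 with that header."""
    required = REQUIRED_CONTEXT[operation]
    # acrs is a JSON array of the context ids the user has satisfied; the check
    # is for the specific id bound to this operation, not for any acrs value.
    satisfied = token_claims.get("acrs", [])
    if isinstance(satisfied, str):
        satisfied = [satisfied]
    if required in satisfied:
        return ("ok", None)
    return ("challenge", www_authenticate_header(required))


if __name__ == "__main__":
    # Constructed token payload: the user has satisfied c1 but not c2.
    payload = {"sub": "user-123", "aud": "api://payroll", "acrs": ["c1"]}
    print(authorize(payload, "download_payroll_report"))
    status, header = authorize(payload, "view_employee_pii")
    print(status, header)
    print(claims_from_header(header))
```

The point the check makes explicit is that the API compares against the one context id bound to the operation, not merely against the presence of some acrs claim: a token that satisfied the weaker "c1" context is still challenged for the "c2" operation. Once the client re-acquires a token with the returned claims request, Azure AD enforces the attached Conditional Access policy and the new token carries "c2" in acrs.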

 

Here are some additional resources to help with app development using authentication context.

  • Authentication context developer guidance: https://aka.ms/authcontextdevdocs
  • Authentication context developer sample app: https://aka.ms/authcontextcodesample
  • Authentication context MS Graph API documentation: https://aka.ms/authcontextMSGraphAPI

 

Next, we'll be working toward GA and adding support for even more integrations, like Privileged Identity Management role activation!

As always, we'd love to hear from you. Please let us know what you think in the comments below or on the Azure AD feedback forum (https://feedback.azure.com/forums/169401-azure-active-directory?category_id=167259).

Thanks,

Caleb Baker

Learn more about Microsoft identity:

  • Return to the Azure Active Directory Identity blog home: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity
  • Join the conversation on Twitter (https://twitter.com/azuread/status/1278418103903363074) and LinkedIn (https://www.linkedin.com/showcase/microsoft-security/)
  • Share product suggestions on the Azure Feedback Forum: https://feedback.azure.com/forums/169401-azure-active-directory

9 Comments
Occasional Contributor

This is great. We are currently working to implement Workday. Workday already has a similar capability for users with elevated rights when using the Workday native sign-in. Currently for our AAD auth for Workday we are applying session policies to those users based on group membership. It would be great to see Microsoft and Workday provide this capability to provide the contextual conditional access controls without having to rely on elevated users being added to a specific group.

Regular Contributor

It would be cool to see this function to wrap some of the settings of O365 apps. For example, Auto-Forwarding settings in Outlook. Require MFA to confirm the person is doing the change when they need to forward emails to another address.

Maybe this is possible and I just haven't read the documentation yet...

Senior Member

@Tim It isn't possible with the public preview, but I think it's a great suggestion.

Senior Member

Could this be used to trigger MFA when our users access an application in another tenant as a B2B account?

Occasional Visitor

@caleb_b  - the announcement post at https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-f... says that authentication context can be used with PIM. Does the public preview include the PIM integration? Is there any documentation on how to use it?

Senior Member

@fuscob support in PIM is still coming, but some final work is being done before the PIM preview.

Senior Member

@apnet1205 , this policy would be used by the resource tenant. So a resource tenant admin could use it to require MFA for guests. Auth context won't help enforce MFA for your users accessing other tenants - however there is some feature work happening in Conditional Access to enable that case.

Senior Member

@caleb_b That's great thanks - any rough expectation on when that feature would appear?

Senior Member

Great feature! Any plans to also support SAML apps?

Version history: last updated May 28 2021 08:59 AM