I’m delighted to announce the general availability of Conditional Access for Protected Actions! This powerful feature empowers organizations to safeguard critical administrative operations with Conditional Access policies.
Protected actions refer to high-stakes operations that carry significant risk, such as altering conditional access policies, adding credentials to an application, or changing federation trust settings. These actions, if executed by a malicious actor, can severely compromise your organization's security posture.
I've asked Swetha Rai, a Senior Product Manager on the Identity team, to tell you more. Let us know what you think!
My name is Swetha, and I’m a product manager on the Identity team focused on Conditional Access (CA). Today, I’m excited to share more about the Conditional Access for protected actions feature that is now generally available.
With Conditional Access for protected actions, organizations can now add an extra layer of protection to these sensitive operations by defining granular policies that specify the conditions under which users can perform protected actions. For example, organizations can require administrators to complete phishing-resistant multi-factor authentication (MFA), use a compliant device, or be in a trusted location before modifying a conditional access policy. This way, even if an attacker gains access to an admin account, they won't be able to perform high-risk actions without meeting the additional security criteria. Here are some examples of policies for protected actions:
Admins require a privileged access workstation and a FIDO2 key to delete Conditional Access policies.
Admins need phishing-resistant MFA to define or modify custom rules that define network locations.
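As an added example (not part of the announcement), the three pieces that make up the first policy above, written with the Microsoft Graph PowerShell module: an authentication context, the protected action bound to it, and a Conditional Access policy that demands phishing-resistant MFA whenever that context is triggered. The context id `c1`, the display names, the report-only starting state and the beta resource-action filter are assumptions chosen here; the built-in authentication-strength id for phishing-resistant MFA is the documented one.

```powershell
# Added example, not the product's own code. Assumes the Microsoft.Graph module and an
# admin session opened with:
#   Connect-MgGraph -Scopes "AuthenticationContext.ReadWrite.All",
#       "RoleManagement.ReadWrite.Directory","Policy.ReadWrite.ConditionalAccess"

# 1. Create an authentication context. "c1" and the display name are placeholders.
$ctx = @{
    id          = "c1"
    displayName = "Protected actions: Conditional Access management"
    isAvailable = $true
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences" `
    -Body $ctx

# 2. Bind the protected action (deleting CA policies) to that context. The filter below
#    selects only actions that can carry an authentication context (assumed beta filter);
#    the action is then matched by its permission name.
$settable = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?`$filter=isAuthenticationContextSettable eq true"
$action = $settable.value | Where-Object { $_.name -eq "microsoft.directory/conditionalAccessPolicies/delete" }
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions/$($action.id)" `
    -Body @{ authenticationContextId = "c1" }

# 3. Conditional Access policy: any user who triggers context c1 must satisfy the built-in
#    "Phishing-resistant MFA" authentication strength (FIDO2 security keys qualify).
#    Starting in report-only lets you confirm the sign-in logs show the expected impact first.
$policy = @{
    displayName = "Protected actions - phishing-resistant MFA for CA policy deletion"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{
        operator               = "AND"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because "Protected action management" is itself a protectable area, the same pattern can be applied to step 2 so that unbinding a protected action from its context also requires the stronger proof.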
Figure 1: Protected Actions
We're continuing to add support for more protected actions based on customer feedback. Today, you can protect the following areas:
Conditional Access policy management
Custom rules that define network locations
Protected action management
Protected Actions on the roadmap:
Microsoft Entra Connect management
Cross-tenant access settings management
Credential and permission management on app and service principal registrations
We encourage you to explore this powerful feature and let us know what you think!