Conditional Access for Protected Actions is Now Generally Available!
Published Aug 08 2023 09:00 AM



I’m delighted to announce the general availability of Conditional Access for Protected Actions! This powerful feature empowers organizations to safeguard critical administrative operations with Conditional Access policies.


Protected actions refer to high-stakes operations that carry significant risk, such as altering conditional access policies, adding credentials to an application, or changing federation trust settings. These actions, if executed by a malicious actor, can severely compromise your organization's security posture.


I've asked Swetha Rai, a Senior Product Manager on the Identity team, to tell you more. Let us know what you think!


Nitika Gupta 

Group Product Manager, Identity Security






My name is Swetha, and I’m a product manager on the Identity team focused on Conditional Access (CA). Today, I’m excited to share more about the Conditional Access for protected actions feature that is now generally available.


With Conditional Access for protected actions, organizations can now add an extra layer of protection to these sensitive operations by defining granular policies that specify the conditions under which users can perform protected actions. For example, organizations can require administrators to complete phishing-resistant multi-factor authentication (MFA), use a compliant device, or be in a trusted location before modifying a conditional access policy. This way, even if an attacker gains access to an admin account, they won't be able to perform high-risk actions without meeting the additional security criteria. Here are some examples of policies for protected actions: 


  • Admins require a privileged access workstation and a FIDO2 key to delete Conditional Access policies.
  • Admins need phishing-resistant MFA to define or modify custom rules that define network locations.

Figure 1: Protected Actions



We’re continuing to add support for more protected actions based on customer feedback. Today, you can protect the following areas:


  • Conditional Access policy management
  • Custom rules that define network locations
  • Protected action management 


Protected Actions on the roadmap:


  • Microsoft Entra Connect management
  • Cross-tenant access settings management
  • Credential and permission management on app and service principal registrations  


We encourage you to explore this powerful feature and let us know what you think!  



Last update: Aug 09 2023 09:36 AM