Azure AD – You can use conditional access for PIM (preview)

As you know, with Azure AD (P1 or P2) you can protect access to your workloads using Conditional Access.

You can now also use Conditional Access with PIM (Privileged Identity Management) (in preview), or more specifically when protected actions are being used.

The below protected actions are currently supported:

  • Update basic properties for conditional access policies
  • Create conditional access policies
  • Delete conditional access policies
  • Update basic properties of custom rules that define network locations
  • Create custom rules that define network locations
  • Delete custom rules that define network locations
  • Update Conditional Access authentication context of Microsoft 365 role-based access

To start using it, connect to your Azure AD portal or Entra portal to create the Conditional Access rule.


When creating the Conditional Access rule, at the Cloud apps or actions step, select Authentication context and enable the option Authentication Context for PIM.


Then open the Roles and administrators blade to configure the Protected actions.


When configuring the protected actions rule, you have to select the action(s) you want to protect and the corresponding Conditional Access rule you created earlier.


If you want to update the Conditional Access rule later, you can click on the Conditional Access authentication context link.
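
The Conditional Access side of the steps above can also be scripted through Microsoft Graph. The following is an added example, not part of the original post; it covers only the authentication context and the policy that targets it, and leaves the protected action assignment in the portal. The context id `c1`, the policy name, the choice of MFA as the grant control and the report-only state are assumptions.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph.Authentication module.
# Assumptions: context id 'c1', the display names, MFA as grant control, report-only state.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$graph     = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess'
$contextId = 'c1'   # assumed free id; authentication context ids have the form c1, c2, ...

# 1. Create the authentication context (PATCH on an unused id creates it, otherwise updates it).
#    isAvailable = $true is what makes it selectable in policies and in protected actions.
$context = @{
    displayName = 'Authentication Context for PIM'
    description = 'Step-up requirement for protected actions'
    isAvailable = $true
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/authenticationContextClassReferences/$contextId" `
    -Body ($context | ConvertTo-Json) -ContentType 'application/json'

# 2. Create a Conditional Access policy that targets the authentication context
#    instead of a cloud app. Report-only lets you review sign-in impact before enforcing.
$policy = @{
    displayName   = 'Protected actions - require MFA (example)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        clientAppTypes = @('all')
        applications   = @{ includeAuthenticationContextClassReferences = @($contextId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 3. Read the policy back and confirm it is bound to the expected context before
#    assigning that context to protected actions in Roles and administrators.
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/$($created.id)"
$bound = $check.conditions.applications.includeAuthenticationContextClassReferences
if ($bound -notcontains $contextId) {
    throw "Policy $($created.id) is not bound to authentication context $contextId"
}
"Policy '$($check.displayName)' ($($check.state)) targets context: $($bound -join ', ')"
```

Switch `state` to `enabled` once the report-only results look right; until then the protected actions are not actually gated by the policy.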

