As you know, with Azure AD (P1 or P2) you can protect access to your workloads using Conditional Access.
Well, you can now (in preview) also use Conditional Access together with PIM (Privileged Identity Management), or more specifically with protected actions.
The following protected actions are currently supported:
- Update basic properties for conditional access policies (microsoft.directory/conditionalAccessPolicies/basic/update)
- Create conditional access policies (microsoft.directory/conditionalAccessPolicies/create)
- Delete conditional access policies (microsoft.directory/conditionalAccessPolicies/delete)
- Update basic properties of custom rules that define network locations (microsoft.directory/namedLocations/basic/update)
- Create custom rules that define network locations (microsoft.directory/namedLocations/create)
- Delete custom rules that define network locations (microsoft.directory/namedLocations/delete)
- Update Conditional Access authentication context of Microsoft 365 role-based access (microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update)
To start using it, connect to your Azure AD portal (https://aad.portal.azure.com/) or Entra portal (https://entra.microsoft.com/) to create the Conditional Access rule.
When creating the Conditional Access rule, at the Cloud apps or actions step, choose Authentication context with the option Authentication Context for PIM enabled.
Then open the Roles and administrators blade to configure the Protected actions.
When configuring the protected actions rule, you have to select the action(s) you want to protect and the corresponding Conditional Access rule you created earlier.
If you want to update the Conditional Access rule later, click the Conditional Access authentication context link.
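Once the policy and the protected-action bindings exist, it is worth checking that they actually enforce what the steps above intend: an enabled (not report-only) policy that targets the authentication context, applies to all users and requires MFA or an authentication strength, with every supported action bound to that context. The script below is an added example of mine, not code from this post or from Microsoft. The JSON shapes mimic the Microsoft Graph conditionalAccessPolicy and resourceAction objects as I know them; the `name` and `authenticationContextId` fields on the resource action and the context id `c1` are assumptions, and all sample objects are constructed.

```python
"""Added example: audit a Conditional Access policy and the protected-action
bindings it is supposed to guard. All JSON objects below are constructed
samples; the field names follow the Microsoft Graph conditionalAccessPolicy
and resourceAction schemas as I understand them (an assumption)."""
from typing import Dict, List

# Action identifiers exactly as listed in the post.
SUPPORTED_PROTECTED_ACTIONS = [
    "microsoft.directory/conditionalAccessPolicies/basic/update",
    "microsoft.directory/conditionalAccessPolicies/create",
    "microsoft.directory/conditionalAccessPolicies/delete",
    "microsoft.directory/namedLocations/basic/update",
    "microsoft.directory/namedLocations/create",
    "microsoft.directory/namedLocations/delete",
    "microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update",
]


def audit_policy(policy: Dict, context_id: str) -> List[str]:
    """Return findings for a policy meant to guard protected actions.

    An empty list means: enabled, scoped to the authentication context,
    applied to all users, and requiring MFA or an authentication strength.
    """
    findings: List[str] = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")

    conditions = policy.get("conditions") or {}
    apps = conditions.get("applications") or {}
    contexts = apps.get("includeAuthenticationContextClassReferences") or []
    if context_id not in contexts:
        findings.append(f"authentication context {context_id!r} not targeted")

    # Admins outside the user scope are not challenged when they perform the action.
    users = conditions.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append("user scope is not 'All'; out-of-scope admins are not challenged")

    grant = policy.get("grantControls") or {}
    built_in = grant.get("builtInControls") or []
    if "mfa" not in built_in and not grant.get("authenticationStrength"):
        findings.append("no MFA or authentication strength required")
    return findings


def uncovered_actions(resource_actions: List[Dict], context_id: str) -> List[str]:
    """Supported protected actions that are not yet bound to the given context.

    Assumes each resource action dict carries 'name' (the action identifier)
    and 'authenticationContextId' (None when the action is not protected).
    """
    bound = {
        ra["name"] for ra in resource_actions
        if ra.get("authenticationContextId") == context_id
    }
    return [a for a in SUPPORTED_PROTECTED_ACTIONS if a not in bound]


# Constructed sample: a report-only policy with no context and no MFA.
WEAK_POLICY = {
    "displayName": "Protected actions (draft)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sample: what the procedure in the post should end up with.
GOOD_POLICY = {
    "displayName": "Protected actions - require MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeAuthenticationContextClassReferences": ["c1"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed sample: only the three conditionalAccessPolicies actions are bound to c1.
SAMPLE_RESOURCE_ACTIONS = [
    {"name": a, "authenticationContextId": "c1"}
    for a in SUPPORTED_PROTECTED_ACTIONS[:3]
] + [
    {"name": a, "authenticationContextId": None}
    for a in SUPPORTED_PROTECTED_ACTIONS[3:]
]

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("good", GOOD_POLICY)):
        print(label, audit_policy(pol, "c1") or "OK")
    print("unbound:", uncovered_actions(SAMPLE_RESOURCE_ACTIONS, "c1"))
```

Run against real tenant data, the two functions take the policy object and the list of resource actions you retrieve from Microsoft Graph; the point of the user-scope and state checks is that a report-only policy, or one that excludes some admins, silently leaves the protected action unprotected for exactly the accounts that matter.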