Protected Actions Authentication Contexts should have Conditional Access policies
Description
Protected actions let you require step-up authentication for sensitive operations (for example, managing Conditional Access policies or cross-tenant access settings) by assigning a Conditional Access authentication context to the underlying permission. The authentication context enforces nothing by itself: it is only a label that Conditional Access policies can target. If no policy references the context, the protected action is not protected at all.
This test verifies that every authentication context assigned to a protected action is referenced by at least one Conditional Access policy.
When a protected action has an authentication context assigned but no Conditional Access policy targets that context:
- Users are not prompted for any additional authentication when they perform the protected action
- The security benefit of the protected action is lost, while the portal still shows the action as protected
- The tenant is exposed to sensitive operations that were meant to require a stronger level of assurance than the baseline sign-in
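The following script is an added example, not part of Maester or its test code. It performs the same check from PowerShell with the Microsoft Graph SDK and additionally separates enabled policies from report-only and disabled ones, which reference a context without enforcing it. Endpoint paths and property names are those of the public Microsoft Graph API (the resourceActions endpoint is beta-only at the time of writing); the `Get-GraphCollection` helper and the output column names are defined here and are not part of any Microsoft or Maester API.

```powershell
# Added example, not Maester's own test code: list protected actions whose authentication
# context is not enforced by an *enabled* Conditional Access policy.
# Assumes the Microsoft.Graph.Authentication module is installed.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

function Get-GraphCollection {
    # Helper defined for this example: follows @odata.nextLink so paged results are not truncated.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Protected actions: resource actions in the microsoft.directory namespace that can take an
#    authentication context and currently have one assigned (authenticationContextId is set).
$actionsUri = 'https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?$filter=isAuthenticationContextSettable eq true'
$protectedActions = Get-GraphCollection -Uri $actionsUri |
    Where-Object { -not [string]::IsNullOrEmpty($_.authenticationContextId) }

# 2. Authentication context definitions (c1..c99), used for display names and publish state.
$contexts = Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences'

# 3. Conditional Access policies. Only state 'enabled' enforces anything; a policy in
#    'enabledForReportingButNotEnforced' (report-only) or 'disabled' state merely references the context.
$policies = Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

$results = foreach ($action in $protectedActions) {
    $ctxId = $action.authenticationContextId
    $ctx   = $contexts | Where-Object { $_.id -eq $ctxId }
    $referencing = $policies | Where-Object {
        $_.conditions.applications.includeAuthenticationContextClassReferences -contains $ctxId
    }
    $enforcing  = @($referencing | Where-Object { $_.state -eq 'enabled' })
    $reportOnly = @($referencing | Where-Object { $_.state -eq 'enabledForReportingButNotEnforced' })

    [pscustomobject]@{
        Action             = $action.name
        AuthContext        = $ctxId
        ContextName        = $ctx.displayName
        Published          = [bool]$ctx.isAvailable      # unpublished contexts cannot be selected in a policy
        EnforcingPolicies  = ($enforcing.displayName  -join '; ')
        ReportOnlyPolicies = ($reportOnly.displayName -join '; ')
        Enforced           = ($enforcing.Count -gt 0)
    }
}

$results | Format-Table -AutoSize

# Summarise the failing contexts the way the test would report them.
$unprotected = @($results | Where-Object { -not $_.Enforced })
if ($unprotected.Count -gt 0) {
    $missing = ($unprotected.AuthContext | Sort-Object -Unique) -join ', '
    Write-Warning "$($unprotected.Count) protected action(s) rely on authentication context(s) $missing, which no enabled Conditional Access policy targets."
} else {
    Write-Host 'Every protected action is backed by at least one enabled Conditional Access policy.'
}
```

Run it in a session with read access to Conditional Access policies and directory role management. A non-empty ReportOnlyPolicies column with an empty EnforcingPolicies column is the common false sense of security: the context is referenced, so a naive check passes, but nothing prompts the administrator when the action is performed.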
How to fix
If this test fails, create or update Conditional Access policies so that each authentication context used by your protected actions is targeted by an enabled policy:
- Navigate to the Microsoft Entra admin center
- Go to Protection > Conditional Access > Policies
- Create a new policy or edit an existing one
- Under Users, include the administrators who hold the roles that grant the protected permissions (or all users); the policy cannot enforce anything for users it excludes
- Under Target resources > Authentication context, select the authentication context(s) assigned to your protected actions (only contexts that are published to apps can be selected here)
- Configure the grant controls that the step-up should require, for example Require authentication strength (such as phishing-resistant MFA) or Require compliant device
- Set the policy to On and save it; a policy left in Report-only mode references the context but does not enforce it
Alternatively, if the protected action no longer needs step-up authentication, remove the authentication context assignment from the protected action so the configuration no longer implies a protection that is not enforced:
- Navigate to the Microsoft Entra admin center
- Go to Identity > Roles & admins > Protected actions (Preview)
- Select the protected action
- Remove or update the authentication context assignment
Learn more
- Protected actions in Microsoft Entra ID
- Conditional Access: Target resources
- Authentication context in Conditional Access