Microsoft Entra (Azure AD) Protected Actions
Microsoft Entra
17. Aug 2023 04:00

Microsoft Entra (Azure AD) Protected Actions

von HubSite 365 über John Savill's [MVP]

Principal Cloud Solutions Architect

AdministratorMicrosoft EntraM365 AdminLearning Selection

Adding additional requirements like MFA, compliant device when using specific critical/powerful actions in your tenant.

Microsoft Entra (Azure AD) Protected Actions allows for the adding of extra requirements such as MFA and compliant devices when carrying out specific critical or powerful functions within your tenant. Protected actions in Azure AD are permissions that come with Conditional Access policies attached. A user hoping to perform a protected action must first meet the requirements of the Conditional Access policies assigned to the necessary permissions.


For instance, to permit administrators to update Conditional Access policies, you might necessitate that they first meet the standards of the Phishing-resistant MFA policy. The use of protected actions arises when an additional security layer is desired. Protected actions can be assigned to permissions that require robust Conditional Access policy protection, irrespective of the role in play or how the user was attributed the permission.


Policy enforcement takes place at the very moment when a user tries to execute the protected action and not during user sign-in or rule activation. Consequently, users are sought only when needed. It is typically recommended to use multi-factor authentication on all accounts for the protected actions, especially on accounts with privileged roles. Here, protected actions can be used to demand heightened security. They may be used in conjunction with stronger Conditional Access policies like Passwordless MFA, Phishing-resistant MFA, and Privileged access workstations via Conditional Access policy device filters, amongst others.


  • 00:00 - Introduction
  • 00:42 - Protected actions with authentication contexts
  • 02:13 - Protections actions in the portal
  • 02:52 - The protected experience
  • 04:52 - Configuring protected actions
  • 09:49 - Viewing the sign-in log
  • 11:10 - Summary

Digging Deeper into Microsoft Entra (Azure AD) Protected Actions

Azure AD Protected Actions offer a solid security framework by requiring users to meet certain Conditional Access policies before executing protected actions. This feature enhances security by making sure only authorized and verified users get to perform sensitive actions. It also ensures that every user action adheres to the set security standards before getting approval.

These actions can be utilized to bring about a more secure operational environment especially for accounts with privileged roles. By using multi-factor authentication, the likelihood of unauthorized access is greatly minimized. Along with Passwordless MFA, Phishing-resistant MFA, and device-filter based Conditional Actions, this can form the basis for a very robust security policy in any firm.

Learn about Microsoft Entra (Azure AD) Protected Actions

Microsoft Entra (Azure AD) Protected Actions are additional requirements like MFA, compliant device when using specific critical/powerful actions in your tenant. It provides an extra layer of security by enforcing Conditional Access policies when a user attempts to perform a protected action. Common stronger Conditional Access policies used with protected actions are stronger MFA authentication strengths, such as Passwordless MFA or Phishing-resistant MFA, privileged access workstations, and shorter session timeouts. This article provides an overview of protected action and how to get started using them, including how to configure protected actions, view the sign-in log, and more.

More links on about Microsoft Entra (Azure AD) Protected Actions

What are protected actions in Azure AD? - Microsoft Entra
Protected actions in Azure Active Directory (Azure AD) are permissions that have been assigned Conditional Access policies. When a user attempts to perform ...
Protected Actions for Azure AD Conditional Access Policies
May 11, 2023 — To start, go to the Conditional Access section of the Microsoft Entra admin center and define an authentication context. The easiest way to ...
Microsoft Entra ID Conditional Access Gets Protected ...
7 days ago — Microsoft has announced that Conditional Access for protected actions support is now generally available for Entra ID (Azure AD) customers.
Strengthening Security with Protected Actions in Azure ...
Azure Active Directory (Azure AD) offers a powerful security feature called Protected Actions, which adds a additional layer of protection by assigning ...
What are protected actions in Azure AD? (preview)
New Public Preview: Azure AD – When a user attempts to perform a protected action, they must first satisfy the Conditional Access policies assigned to the…
How to Apply Conditional Access to Protected Actions in ...
Protected Actions is a new Conditional Access based security feature in Microsoft Entra that enables you to have more practical control over ...

Keywords

Microsoft Entra, Azure AD Protected Actions, MFA Compliant Devices, Conditional Access Policies, Phishing-resistant MFA, Passwordless MFA, Privileged Access Workstations, Sign-in Frequency Session Controls.