Azure PIM Activation with additional MFA
Many customers, people in the industry, and the community asked me about applying for a second or additional MFA to the Azure PIM role when there is an existing MFA. We all know the importance of sensitive admins / crucial roles and the necessity to apply more security controls in order to create more friction.
The Azure PIM can be helpful when applying an additional layer for sensitive roles and admins. I’m sharing a specific method to achieve this requirement. The following method is one of many ways to use two strong authentications with Azure PIM.
Current Situation
Until now, Azure AD PIM can be configured to trigger MFA on activating a role only when the user has not already done MFA during the same session with the same account.
Suppose the user has already accomplished MFA during the initial sign-in to the Microsoft cloud (Azure Portal/Office 365, third-party apps, etc.). In that case, information is stored in the ESTSAuth cookies. When the user accesses the PIM service to activate the role, an access token is silently acquired using these cookies. The access token is then passed as the bearer token along with your call to “api.azrbac.mspim.azure.com” or, in general, to “*.mspim.azure.com” as highlighted below:
Once you decode the token, you will see that the value of “amr” contains the claim information about the authentication methods the user has already performed, which will also contain MFA.
That way, PIM identifies that the user has already done MFA and shouldn’t be prompted for MFA again. If the user has not done MFA in the first place, then the “amr” claim won’t include MFA, and the user would need to perform MFA to activate the role, provided you have configured the below setting for the privileged roles, such as Global Admin, as shown below:
Once you’ve got an MFA for the first authentication, you can apply additional activation as part of the Azure PIM requirements. In this situation, you’ve got the Azure MFA + Azure PIM (standard activation without additional MFA).
Now let’s get the second option when you can achieve the Azure MFA + Azure PIM (activation with additional MFA).
The Next thing of PIM Activation
When it comes to privileged users, you need to do everything to protect those users. The double strong authentications can do the work. For example, the first strong authentication will be FIDO, and the second strong authentication will be PasswordLess.
Again, double-strong authentication can minimize the risks, allow more friction, provide more visibility when there are anomalies, and much more.
You can require users to prove they are using Azure AD MFA before activating. MFA helps safeguard access to data and applications, providing another layer of security by using a second form of strong authentication.
Users may not be prompted for MFA if they authenticated with strong credentials or provided MFA earlier in this session. If your goal is to ensure that users have to provide additional strong authentication during activation. In that case, AD Conditional Access authentication context and Authentication Strengths require users to authenticate during activation using methods different from the ones they used to sign in to the machine.
For example, if users sign in, suppose users sign in to the machine using Windows Hello for Business. In that case, activation requires Azure AD Conditional Access authentication context” and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role.
If PIM settings have “On activation, require Azure AD Conditional Access authentication context” configured, Conditional Access policies define what conditions the user needs to meet in order to satisfy the access requirements again.
The session with double MFA or with additional Azure MFA into Azure PIM.
Once a user with Azure PIM requirements tries to activate a role, the user needs to provide additional verification. The verification can have many conditions as long as it’s part of the Access authentication context and Authentication Strengths.
The activation role is prompt for Conditional Access, as shown below:
The activation redirects to the Azure MFA again (the second time).
Once The second Azure MFA (from Azure PIM) is satisfied, the process continues to the second part of Azure PIM activation.
Now, the bearer token is kind of different, and the “amr” includes an additional field in the value – “rsa”. The Authorization Bearer differs when using an additional (or second) MFA and includes more values in the login flow.
Now, the flow requires the known Reason to activate the role.
In this scenario, the user requires two strong authentications with Azure PIM activation. The first will be Azure MFA for the standard login, and the second time will be MFA for Azure PIM activation.
You can require users who are eligible for a role to satisfy Conditional Access policy requirements. Use specific authentication methods enforced through Authentication Strengths, elevate the role from any supported method, for example, Intune compliant device, comply with Terms of Use, and more.
It recommends creating and enabling a Conditional Access policy for the authentication context before the authentication context is configured in PIM settings. As a backup protection mechanism, if there are no Conditional Access policies in the tenant that target authentication context configured in PIM settings, during group membership activation, Azure AD MFA is required as the On activation requires MFA setting would be set.
This protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created due to a configuration mistake. This backup protection mechanism will not be triggered if the Conditional Access policy is turned off, in report-only mode, or has eligible users are excluded from the policy.
The “On activation, requires Azure AD Conditional Access authentication context” setting defines the authentication context and requirements that users must satisfy when they activate group membership. After group membership is activated, users cannot use another browsing session, device, location, etc., to use group membership. To protect from this situation, you may scope Conditional Access policies enforcing certain requirements to eligible users directly.
Additional recommendations, best practices from the field, and thoughts are in the next post.
References
Configure PIM for Groups settings (preview) – Microsoft Entra | Microsoft Learn
Configure Azure AD role settings in PIM – Microsoft Entra | Microsoft Learn
