Microsoft Entra (Azure AD) Protected Actions let you add extra requirements, such as MFA and compliant devices, when specific critical or powerful functions are carried out within your tenant. Protected actions in Azure AD are permissions that have Conditional Access policies attached. A user who wants to perform a protected action must first satisfy the Conditional Access policies assigned to the required permissions.
For instance, to allow administrators to update Conditional Access policies, you might require that they first satisfy the Phishing-resistant MFA policy. Protected actions are used when an additional security layer is desired. They can be assigned to permissions that require robust Conditional Access policy protection, irrespective of the role being used or how the user was given the permission.
Policy enforcement takes place at the moment a user tries to perform the protected action, not during user sign-in or rule activation. Consequently, users are prompted only when needed. It is typically recommended to use multi-factor authentication for protected actions on all accounts, especially accounts with privileged roles. Here, protected actions can be used to demand heightened security. They may be used in conjunction with stronger Conditional Access policies such as Passwordless MFA, Phishing-resistant MFA, and privileged access workstations enforced through Conditional Access policy device filters, among others.
Azure AD Protected Actions offer a solid security framework by requiring users to meet certain Conditional Access policies before executing protected actions. This feature enhances security by making sure only authorized and verified users get to perform sensitive actions. It also ensures that every user action adheres to the set security standards before getting approval.
Protected actions can be used to create a more secure operational environment, especially for accounts with privileged roles. By using multi-factor authentication, the likelihood of unauthorized access is greatly minimized. Along with Passwordless MFA, Phishing-resistant MFA, and device-filter-based Conditional Access policies, this can form the basis for a very robust security policy in any firm.
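Protected actions are tied to Conditional Access policies through an authentication context, so a protected action is only as strong as the policy that targets its context. The following is an added example, not code from the original article or from Microsoft: it audits an exported policy list and flags protected actions that no enforced, strong-authentication policy covers. The context IDs `c1` to `c3`, the permission-to-context mapping and the sample policies are constructed for illustration.

```python
import json

# Built-in Entra authentication strengths the article calls "stronger" policies.
STRONG = {
    "00000000-0000-0000-0000-000000000003": "Passwordless MFA",
    "00000000-0000-0000-0000-000000000004": "Phishing-resistant MFA",
}

# Constructed sample: permission -> authentication context ID it is tagged with.
PROTECTED_ACTIONS = {
    "microsoft.directory/conditionalAccessPolicies/basic/update": "c1",
    "microsoft.directory/conditionalAccessPolicies/delete": "c2",
    "microsoft.directory/conditionalAccessPolicies/create": "c3",
}

# Constructed sample policies in the Microsoft Graph conditionalAccessPolicy shape.
POLICIES = json.loads("""
[
 {"displayName": "PA - phishing-resistant", "state": "enabled",
  "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c1"]}},
  "grantControls": {"builtInControls": [],
    "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004"}}},
 {"displayName": "PA - plain MFA, report-only", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c2"]}},
  "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": null}}
]
""")


def audit(actions, policies):
    """Return {permission: [findings]} for protected actions that are weakly covered."""
    findings = {}
    for permission, ctx in actions.items():
        targeting = [p for p in policies
                     if ctx in (p["conditions"]["applications"]
                                .get("includeAuthenticationContextClassReferences") or [])]
        enforced = [p for p in targeting if p["state"] == "enabled"]
        strong = [p for p in enforced
                  if ((p.get("grantControls") or {}).get("authenticationStrength") or {})
                  .get("id") in STRONG]
        if not targeting:
            findings[permission] = ["no policy targets context " + ctx]
        elif not enforced:
            findings[permission] = ["policy exists but is not enforced (report-only or disabled)"]
        elif not strong:
            findings[permission] = ["enforced policy lacks a strong authentication strength"]
    return findings


if __name__ == "__main__":
    for perm, issues in audit(PROTECTED_ACTIONS, POLICIES).items():
        print(perm, "->", "; ".join(issues))
```

A report-only policy is flagged because it records what would have happened in the sign-in log without blocking the action.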
Microsoft Entra (Azure AD) Protected Actions add requirements such as MFA or a compliant device when specific critical or powerful actions are used in your tenant. They provide an extra layer of security by enforcing Conditional Access policies when a user attempts to perform a protected action. Common stronger Conditional Access policies used with protected actions are stronger MFA authentication strengths, such as Passwordless MFA or Phishing-resistant MFA, privileged access workstations, and shorter session timeouts. This article provides an overview of protected actions and how to get started using them, including how to configure protected actions, view the sign-in log, and more.