20 August 2025

Securing privileged identities in Entra ID and Conditional Access configuration

Privileged user accounts are gold dust for hackers. In any cyber-attack, escalating your privileges enables the attacker to access more sensitive information, stored in more heavily-secured locations. While the principle of least privilege has been around for ages, many organisations don’t apply it to their cloud environments. In this blog, we will explain exactly how you can secure and manage privileged identities within Microsoft Azure, to reduce your risk of a cyber-attack.

What are privileged identities?

In Microsoft Entra ID – formerly known as Azure Active Directory – privileged identities (or roles) are the accounts that have elevated permissions and have access to sensitive resources. These identities have more control than the normal user accounts making them valuable targets for attackers because they can perform actions that can significantly impact the security and integrity of an organisation's assets.

Some of the privileged identities in Entra ID are:

  • Global Administrator: They have full control over the Entra ID tenant and can perform any action. 
  • Privileged Role Administrator: They can manage role assignments, settings and review audit history for privileged roles 
  • Application Administrators: They can manage application registrations, permissions and configurations.

(A complete list of Entra ID roles can be found here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)

What could happen if a privileged identity is abused?

Depending on what the privileged identity can do, there are several potential scenarios. Some of the threats include:

  • Privilege escalation to gain unrestricted access to resources, data and systems  
  • Data exfiltration leading to data breaches and potentially financial losses if financial resources are involved  
  • Configuration changes can weaken security and increase the risk of system compromise  
  • Bypassing security controls such as multi-factor authentication and conditional access policies

Privileged identities pose a higher security risk and it is important to protect them by implementing robust security controls. I would like to talk about two such features in this blog:

  1. Privileged Identity Management (PIM) 
  1. Conditional Access

Privileged Identity Management (PIM)

Privileged Identity Management is a service in Microsoft Entra ID that helps you manage, control and monitor access to important resources in your organisation. This can be used to limit access to sensitive information and resources. If a user still needs to carry out a privileged operation, you can provide users with Just-In-Time (JIT) privileged access using Entra ID and monitor the user's activity.

Benefits of using PIM:

  • PIM enables JIT access, which grants privileged access only when needed. 
  • Ensure users have only the necessary privileges to perform their tasks following the principle of least privilege 
  • Require approval to active privileged roles and justification for doing so while getting notifications 
  • Enforce multifactor authentication to activate any role 
  • Conduct access reviews to ensure users still need roles and downloading audit history  
  • Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments

To implement a defence in-depth approach to securing identity management, the following security controls should be implemented throughout the Tenant by an organisation:

  • Create separate dedicated cloud identity, “.onmicrosoft.com” accounts for all privileged users which are not synced with on premise Domain Controllers 
  • Create two “break glass” emergency access accounts 
  • Enforce MFA for all privileged accounts 
  • Where licensing permits, secure the login process with conditional access policies 
  • Restrict access to the highly privileged Global Administrator role to between 2 to 4 separate users 
  • Apply the principle of least privilege for role assignments using non-Global Administrator roles 
  • Do not assigned external users privileged roles within Azure AD 
  • Make use of Privileged Identity Management (PIM) and Just-in-time (JIT) authentication where possible 
  • Make use of Azure AD Identity Protection where possible 
  • Use secure Privileged Access Workstations (PAW) if possible 
  • Delegated Administrator Privileges (DAP) should be using the Granular Delegated Admin Privileges (GDAP) model which supports least-privileged access.

What is required to avail this service?

Previously, it was provided with Microsoft Entra ID P2, but this is no longer the case. PIM is now provided under the Microsoft Entra ID Governance license.

Consult Microsoft for more info on their licensing structure: https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals

Conditional Access

Conditional Access is another security feature that allows an organisation to control access to its resources based on specific conditions, such as “if-then” conditions. If a user needs access to a particular resource, then they need to complete a specific action. These conditions include:

  • User identity: Who is trying to access the resource? 
  • Device: What device is being used to access the resource? 
  • Location: Where is the user trying to access the resource from? 
  • Application: What application is being used to access the resource? 
  • Risk level: What is the risk level of the user or device?

Based on these conditions, policies can be created that:

  • Grant access: Allow access to the resource if the conditions are met 
  • Block access: Deny access to the resource if the conditions are not met 
  • Require additional authentication: Require additional authentication methods, such as multi-factor authentication (MFA), if the conditions are met

The following use cases should be considered while configuring conditional access:

  • Requiring multi-factor authentication for users with administrative roles 
  • Requiring multi-factor authentication for all users 
  • Requiring multi-factor authentication for Azure management tasks 
  • Blocking sign-ins for users attempting to use legacy authentication protocols 
  • Requiring trusted locations for Azure AD Multi-Factor Authentication registration 
  • Blocking access from geographic locations that are deemed out-of-scope for your organisation or application 
  • Define Trusted Locations from which access can be limited to 
  • Blocking risky sign-in behaviours 
  • Requiring organisation-managed devices for specific applications 
  • Create a policy that specifies Sign-in frequency set to the time determined by your organisation and that Persistent browser session is set to Never persistent 
  • Create a policy to block access to the Microsoft Azure Management Cloud Apps for non-administrative users

What is required to avail this service?

A Microsoft Entra ID P1 license is required. Risk-based policies require Microsoft Entra ID P2 licenses.

Conclusion

Securing privileged identities is a critical aspect of protecting an organisation's sensitive resources and data. By implementing Privileged Identity Management (PIM) and Conditional Access configurations, they can significantly reduce the risk of privilege abuse and unauthorised access.

By following the best practices outlined in this article, you can create a robust security framework that ensures only authorised users and devices can access an organisation's resources.

Speak to one of our cybersecurity experts for more information about how you can secure your cloud environment. 

Related articles