Authentication context: what, why and when?
What is authentication context?
Conditional Access authentication context is currently in public preview. It is a Zero Trust control that allows you to apply different access policies within an application, rather than only per application.
Organizations use data classification in Office 365 with sensitivity labels. These serve to label or protect documents, but can also be used to label an entire SharePoint site or Teams channel. There are several advantages to labelling an entire site, also referred to as a container in this context. Using a sensitivity label for a container makes it possible to control:
- external user access
- external sharing from SharePoint sites
- access from unmanaged devices
- authentication contexts
For the first 3 controls (external user access, external sharing from SharePoint sites and access from unmanaged devices), the label configuration and an app restriction on SharePoint define how they are used. This results in a global configuration for all SharePoint sites. It is possible to configure this per site using a PowerShell command, but this does not always cover all use cases.
Why use authentication context?
With the authentication context, a tag is created that can be used in a conditional access policy. This allows you to control access to this data in a more granular way. As mentioned earlier, authentication context is often used in combination with sensitivity labels. It can also be used for applications that are hosted in Azure. For the sake of clarity, however, in this blog the focus lies on using it to protect labelled sites.
When do we use it?
Let’s clarify with the example of an organization that has 2 SharePoint sites in use:
1. Site A, which is labelled with the Internal sensitivity label and contains information that can be shared by your partners.
2. Site B, which is labelled with the Secret sensitivity label and contains classified information. The label uses the authentication context tag.
So, for site A it makes sense to use a conditional access policy which defines how the access to the SharePoint is managed. In this case, that would allow authenticated users to have full access without MFA.
For site B, it is safer to configure a conditional access based on the authentication context tag and apply a dedicated policy which will only apply to SharePoint sites using that sensitivity label.
For example, we can use the grant controls to require additional MFA when connecting to this site and use the session controls to block downloads from this site. Because we are using a Conditional Access policy, it is possible to define other session controls such as an MCAS session policy, sign-in frequency, or persistent browser session. Currently the “Use app enforced restrictions” control cannot be configured, but this can still change as this feature is still in preview.
Conditional access allows controlling access to these resources in a granular way. This means you can control your existing groups, managed vs unmanaged devices, locations and other controls that are available.
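The Site B configuration described above, as an added example that is not part of the original post: it creates the authentication context tag and the dedicated Conditional Access policy with the Microsoft Graph PowerShell SDK. The tag id "c1", the display names and the one-hour sign-in frequency are constructed values; assigning the tag to the Secret label itself happens in the label's site settings in the compliance portal and is not shown.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller holds the Conditional Access
# Administrator role. Tag id "c1", names and the 1 hour frequency are
# constructed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. The tag: an authentication context class reference (ids are c1..c99).
$ctxBody = @{
    id          = "c1"
    displayName = "Secret sites"
    description = "Containers labelled 'Secret' (SharePoint / Teams)"
    isAvailable = $true
}
$ctx = New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter $ctxBody

# 2. The policy targets the tag instead of the SharePoint app, so it only
#    applies to sites carrying the label. Site A (Internal) is unaffected.
$policy = @{
    displayName = "CA - Secret sites: MFA, no persistent session"
    # Start in report-only, review the sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{
            includeAuthenticationContextClassReferences = @($ctx.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")     # step-up MFA when the site is opened
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; value = 1; type = "hours" }
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read the policy back and confirm the tag is its only application scope.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "AuthContext"; e = { $_.Conditions.Applications.IncludeAuthenticationContextClassReferences } }
```

Keep the policy in report-only mode until the sign-in logs show it matching only sessions on labelled sites; a policy that targets the tag but is never triggered usually means the label has not been mapped to the context.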
Would you like a demo, or to discuss whether this feature is useful for your organization? We’re always here for a chat. Reach out to us here.