Microsoft Entra Protected Actions safeguard highly sensitive administrative operations in Microsoft Entra by requiring an additional layer of authentication. When a user attempts to perform such an action, they must first meet the defined policies. For example, specific actions can be restricted to devices that are either Microsoft Entra Joined or Microsoft Entra Hybrid Joined, or may require phishing-resistant multi-factor authentication prior to execution.
The following actions can be further secured using Microsoft Entra Protected Actions. A detailed description is available here: What are protected actions in Microsoft Entra ID? – Microsoft Entra ID | Microsoft Learn
- Conditional Access policy management
- Cross-tenant access settings management
- Hard deletion of some directory objects
- Custom rules that define network locations
- Protected action management
The implementation of Microsoft Entra Protected Actions provides the ability to enforce stricter policies only when an action is actually attempted. This means that additional authentication measures are only required when truly necessary.
This blog post explains step by step how to configure Microsoft Entra Protected Actions so that changes to Microsoft Entra Conditional Access policies are only possible under specific conditions. For example, it can be enforced that modifications may only be made from a registered device (Microsoft Entra Joined or Microsoft Entra Hybrid Joined) or that phishing-resistant multi-factor authentication is required.
Requirements and Licensing
Licences
To use Microsoft Entra Protected Actions, the following license is required:
- Microsoft Entra ID P1 or higher
An overview of the Microsoft licence packages and their features can be found at https://m365maps.com/.
Roles
The following roles are suitable for managing Microsoft Entra Protected Actions according to the principle of least privilege:
| Role | Description |
| --- | --- |
| Conditional Access Administrator | Create, update and delete Conditional Access policies and manage protected actions. |
| Security Administrator | Manage security policies and protocols, including Conditional Access policies and protected actions. |
Create Protected Actions
The following steps configure Microsoft Entra Protected Actions to ensure that Microsoft Entra Conditional Access policies can only be created, updated, or deleted from devices that are registered in your own tenant as Microsoft Entra Joined or Microsoft Entra Hybrid Joined.
Authentication context
Authentication contexts in Microsoft Entra allow you to define different security levels for various actions. This means that highly sensitive areas require additional security checks, while less critical areas remain more easily accessible.
The following authentication context is required to ensure that device registration can be verified before any modifications to the Microsoft Entra Conditional Access policies are made.
Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Conditional access > Open Authentication contexts and select New authentication context.

- Enter Name of the authentication context, e.g. Protect CAP
- Enter Description, e.g. Conditional Access Policy Protection
- Enable Publish to apps
- Click Save

The authentication context has been successfully created.

Assign Protected Actions
The authentication context just created is now assigned to the protected actions.
Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Roles and admins > Open Protected actions and select Add protected actions.

- Select Authentication context, e.g. Protect CAP
- Add Permissions:
  - microsoft.directory/conditionalAccessPolicies/basic/update
  - microsoft.directory/conditionalAccessPolicies/create
  - microsoft.directory/conditionalAccessPolicies/delete
- Click Save

The protected actions for Microsoft Entra Conditional Access are now successfully configured.

Create Microsoft Entra Conditional Access Policy
Microsoft Entra Conditional Access is used to ensure that protected actions can only be performed from registered devices, either Microsoft Entra Joined or Microsoft Entra Hybrid Joined.
Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Conditional Access > Create new policy

Assign a Name for the Microsoft Entra Conditional Access policy.
The naming conventions are described here: Conditional Access Framework and Policies – Azure Architecture Centre | Microsoft Learn

Select Users for this policy.
Exclude Emergency accounts.

In the Target resources, select the previously created Authentication context, such as Protect CAP.

The device registration is checked under Conditions.
1. Select Filter for devices
2. Set Configure to Yes
3. Select the Exclude filtered devices from policy option
4. Set TrustType to the desired values. If multiple registration types are allowed, it is essential to ensure that the logical operator is set to Or:
   - Microsoft Entra Joined
   - Microsoft Entra Hybrid Joined
5. Click on Add expression
6. The filter condition is added
7. Save filter with Done

Under Grant, select the Block access option.

Enable the policy by setting it to On, then save it by selecting Create.

The policy was successfully created and now requires a registered device to create, update, or delete a Microsoft Entra Conditional Access policy.
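The policy assembled in the steps above, as an added example that is not part of the original post: it builds the Microsoft Graph conditionalAccessPolicy body for this section (authentication context as target resource, device filter in exclude mode, Block grant) and evaluates the exclude-filter logic locally, so you can see which devices end up blocked before deploying. The display name, the authentication context id `c1` and the break-glass account id are assumed sample values.

```python
import re

# Graph device.trustType values for the two registration types named on the page.
TRUST_TYPES = {
    "Microsoft Entra Joined": "AzureAD",
    "Microsoft Entra Hybrid Joined": "ServerAD",
}


def device_filter_rule(allowed_registration_types):
    """Build the device filter rule; multiple TrustType values are joined with -or."""
    clauses = [f'device.trustType -eq "{TRUST_TYPES[t]}"' for t in allowed_registration_types]
    return " -or ".join(clauses)


def build_policy(name, auth_context_id, allowed_registration_types, break_glass_ids):
    """Graph conditionalAccessPolicy body matching the admin-center steps above."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            # Target resource: the authentication context assigned to the protected actions.
            "applications": {"includeAuthenticationContextClassReferences": [auth_context_id]},
            # "Exclude filtered devices from policy": joined devices fall out of scope.
            "devices": {"deviceFilter": {"mode": "exclude",
                                         "rule": device_filter_rule(allowed_registration_types)}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks(policy, user_id, device_trust_type):
    """Simplified local evaluation (assumption: only the conditions used above are modelled).

    device_trust_type is None for an unregistered device, which never matches the filter.
    """
    cond = policy["conditions"]
    if user_id in cond["users"]["excludeUsers"]:
        return False
    flt = cond["devices"]["deviceFilter"]
    allowed = set(re.findall(r'device\.trustType -eq "([^"]+)"', flt["rule"]))
    matched = device_trust_type in allowed
    in_scope = (not matched) if flt["mode"] == "exclude" else matched
    return in_scope and "block" in policy["grantControls"]["builtInControls"]


# Assumed sample values: policy name, context id "c1" and a break-glass account id.
POLICY = build_policy("CA-Protect-CAP-Block-UnregisteredDevices", "c1",
                      ["Microsoft Entra Joined", "Microsoft Entra Hybrid Joined"],
                      ["break-glass-1"])
```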

Functionality check
With the newly configured Microsoft Entra Conditional Access policy, the creation, update, or deletion of Microsoft Entra Conditional Access policies is now only permitted from devices that are joined to Microsoft Entra as either Microsoft Entra Joined or Microsoft Entra Hybrid Joined.
When attempting to create, update, or delete a Microsoft Entra Conditional Access policy from a device that is not Microsoft Entra Joined or Microsoft Entra Hybrid Joined, a prompt for additional authentication is displayed.
When creating or deleting a Microsoft Entra Conditional Access policy:
The selected action is protected by an additional access requirement. Do you wish to continue?

When updating a Microsoft Entra Conditional Access policy:
Editing is protected by an additional access requirement. Click here to reauthenticate.

The additional authentication is performed from a device that is not Microsoft Entra Joined or Microsoft Entra Hybrid Joined and therefore fails with error code 53003 (AADSTS53003, access blocked by Conditional Access policies), indicating that the action was attempted from an unregistered device and is consequently denied.
A comprehensive overview of the AADSTS error codes and their descriptions is available at: Microsoft Entra authentication and authorisation error codes – Microsoft identity platform | Microsoft Learn
