Microsoft Entra ID Deep Dive — Conditional Access, MFA & PIM
Secure identities in depth — Conditional Access policies, Multi-Factor Authentication, Privileged Identity Management, and Entra ID B2B & B2C.
“Welcome back. In an earlier episode we introduced Microsoft Entra ID — identities, users, groups, service principals. Now we go deep on the security controls that separate basic Entra ID usage from enterprise-grade identity security. Conditional Access policies are the policy engine of Zero Trust. PIM eliminates standing privileged access. B2B and B2C handle external identities. These features appear heavily in AZ-104 and are the identity skills every enterprise Azure administrator needs.”
“Conditional Access is Microsoft's implementation of Zero Trust's 'verify explicitly' principle. Every sign-in is evaluated against your policies at the moment a token is issued. The policy logic is: IF this user, accessing this application, from this location, on this device, with this risk level THEN grant, block, or grant only with extra controls such as MFA. Named Locations let you define trusted office IP ranges or allowed countries. Report-only mode is essential: before enforcing any new policy, run it in report-only mode for at least a week, check in the sign-in logs which users would have been affected, and only then switch it to enabled. A single misconfigured Conditional Access policy can lock everyone out, including admins, so always exclude your emergency-access accounts and test carefully.”
“MFA is the single highest-impact security control for accounts. Stolen credentials are behind the majority of breaches, and Microsoft's own telemetry puts the share of automated account-compromise attacks blocked by MFA above 99.9%. The Microsoft Authenticator app push notification is the most convenient method: users approve sign-ins with one tap. FIDO2 security keys such as YubiKey, and passkeys generally, are the strongest option because they are phishing-resistant: the credential is bound to the site's origin, so a lookalike login page cannot capture and replay it. Avoid SMS for anything security-sensitive; SIM-swapping attacks can intercept SMS codes, and a one-time code typed into a phishing page works just as well for the attacker as for the user. Number matching in Authenticator, now on by default, defeats MFA fatigue attacks in which attackers spam approval requests until a tired user taps Approve: the user must type the number shown on the sign-in screen into the phone, so a prompt they did not initiate cannot be approved by accident.”
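The two policies discussed above as Microsoft Graph JSON, plus the pre-flight check that gates the switch from report-only to enforced. This is an added example, not code from the course: `BREAK_GLASS_GROUP` is a placeholder for your emergency-access group, while the application ID, the Global Administrator role template ID and the "Phishing-resistant MFA" authentication-strength ID are the well-known values Microsoft documents for those objects.

```python
"""Conditional Access as code: require MFA for Azure management, require
phishing-resistant MFA for privileged roles, and refuse to enforce either
until it has been staged in report-only mode with the break-glass group excluded.
"""
import copy
import json

# Well-known IDs documented by Microsoft.
MICROSOFT_AZURE_MANAGEMENT = "797f4846-ba00-4fd7-be46-c7e9a8f35ef8"  # portal, CLI, PowerShell, ARM
GLOBAL_ADMINISTRATOR_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # role template ID
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"      # built-in authentication strength

REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"

# Placeholder: the group holding the emergency-access (break-glass) accounts.
BREAK_GLASS_GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def require_mfa_for_azure_management(break_glass_group: str) -> dict:
    """All users must satisfy MFA to reach the Azure portal or management APIs.
    New policies always start in report-only."""
    return {
        "displayName": "CA001 - Require MFA for Azure management",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
            "applications": {"includeApplications": [MICROSOFT_AZURE_MANAGEMENT]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def require_phishing_resistant_for_admins(break_glass_group: str) -> dict:
    """Holders of privileged roles must sign in with FIDO2/passkey or certificate
    (the built-in 'Phishing-resistant MFA' authentication strength)."""
    return {
        "displayName": "CA002 - Phishing-resistant MFA for privileged roles",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMINISTRATOR_ROLE],
                      "excludeGroups": [break_glass_group]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }


def preflight(policy: dict, break_glass_group: str) -> list:
    """Reasons a policy must not be enforced yet; an empty list means it is safe."""
    problems = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if break_glass_group not in users.get("excludeGroups", []):
        problems.append("break-glass group is not excluded")
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if ("block" in controls and users.get("includeUsers") == ["All"]
            and apps.get("includeApplications") == ["All"]):
        problems.append("blocks every user on every application")
    if policy.get("state") != REPORT_ONLY:
        problems.append("policy was not staged in report-only mode")
    return problems


def promote(policy: dict, break_glass_group: str, days_in_report_only: int) -> dict:
    """Return an enforced copy of the policy, or raise if it has not earned it."""
    problems = preflight(policy, break_glass_group)
    if days_in_report_only < 7:
        problems.append("less than a week of report-only sign-in data")
    if problems:
        raise ValueError("refusing to enable: " + "; ".join(problems))
    enforced = copy.deepcopy(policy)
    enforced["state"] = ENABLED
    return enforced


if __name__ == "__main__":
    # Body for: POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    print(json.dumps(require_mfa_for_azure_management(BREAK_GLASS_GROUP), indent=2))
```

To create the policy, save the printed body and run `az rest --method post --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body @policy.json` with an account that holds the `Policy.ReadWrite.ConditionalAccess` permission; after a week of report-only data, `promote()` produces the body to PATCH back with `state` set to `enabled`.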
“PIM solves a fundamental security problem: accounts with permanently assigned powerful roles are high-value targets. If an admin's Global Administrator account is compromised, the attacker has permanent, unrestricted access. With PIM, day-to-day admins are only eligible for the role; nobody except the emergency-access accounts holds Global Administrator permanently. When an admin needs to make a privileged change, they activate the role: provide a justification, complete MFA, wait for approval if the role settings require it, and hold the role for a bounded window (the default maximum is 8 hours; the setting allows anything up to 24). After that, access expires automatically. Every activation is logged with timestamp, justification, and duration, which gives auditors a complete record of who did what with privileged access and why.”
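The PIM flow just described, expressed as the Microsoft Graph objects an administrator would actually send: the role settings for Global Administrator (activation capped at 8 hours, MFA and justification required, one approver), a self-activation request that is validated against those settings before it leaves the machine, and a report over activation records. This is an added example, not course code. The principal IDs, the approver ID and the activation records are constructed; the rule IDs, `@odata.type` values and request shape follow the Graph `unifiedRoleManagementPolicy` and `roleAssignmentScheduleRequest` resources. It covers Entra directory roles; Azure resource roles such as Contributor go through the equivalent ARM endpoints.

```python
"""PIM role settings, a validated self-activation request, and an activation report."""
import re
from datetime import datetime, timezone

GLOBAL_ADMINISTRATOR_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # role template ID
MAX_ACTIVATION = "PT8H"  # ISO 8601 duration; the setting accepts up to PT24H

# Every rule here governs what an end user may do when activating an eligible assignment.
_TARGET = {"caller": "EndUser", "operations": ["All"], "level": "Assignment",
           "inheritableSettings": [], "enforcedSettings": []}


def role_settings(approver_id: str, max_duration: str = MAX_ACTIVATION) -> list:
    """Rules to PATCH onto /policies/roleManagementPolicies/{policyId}/rules/{ruleId}."""
    return [
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True,
         "maximumDuration": max_duration, "target": _TARGET},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
         "id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification"], "target": _TARGET},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
         "id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": True, "approvalMode": "SingleStage",
                     "approvalStages": [{"approvalStageTimeOutInDays": 1,
                                         "isApproverJustificationRequired": True,
                                         "primaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                                               "userId": approver_id}]}]},
         "target": _TARGET},
    ]


_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def duration_hours(iso: str) -> float:
    """PT8H -> 8.0, PT4H30M -> 4.5 (only the hours/minutes form PIM uses)."""
    m = _DURATION.match(iso)
    if not m or iso == "PT":
        raise ValueError("unsupported duration: " + iso)
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60


def activation_request(principal_id, role_definition_id, justification, duration, rules):
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests.
    Rejects locally what PIM would reject anyway, so the operator gets a clear error."""
    expiration = next(r for r in rules if r["id"] == "Expiration_EndUser_Assignment")
    if duration_hours(duration) > duration_hours(expiration["maximumDuration"]):
        raise ValueError(f"{duration} exceeds the maximum {expiration['maximumDuration']}")
    if not justification.strip():
        raise ValueError("justification is required")
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }


# Constructed records in the shape of GET /roleManagement/directory/roleAssignmentScheduleRequests
SAMPLE_ACTIVATIONS = [
    {"createdDateTime": "2024-03-04T09:12:31Z", "principalId": "alice", "action": "selfActivate",
     "roleDefinitionId": GLOBAL_ADMINISTRATOR_ROLE, "justification": "INC-1041: rotate leaked app secret",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT2H"}}},
    {"createdDateTime": "2024-03-04T09:20:05Z", "principalId": "alice", "action": "selfDeactivate",
     "roleDefinitionId": GLOBAL_ADMINISTRATOR_ROLE, "justification": None, "scheduleInfo": None},
    {"createdDateTime": "2024-03-05T22:47:10Z", "principalId": "bob", "action": "selfActivate",
     "roleDefinitionId": GLOBAL_ADMINISTRATOR_ROLE, "justification": "maintenance",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT8H"}}},
]


def activation_report(records: list, max_duration: str = MAX_ACTIVATION) -> list:
    """One row per activation: who, when, why, how long, and whether it took the full
    allowed window (a late-night activation at the limit deserves a second look)."""
    rows = []
    for r in records:
        if r["action"] != "selfActivate":
            continue
        hours = duration_hours(r["scheduleInfo"]["expiration"]["duration"])
        rows.append({"when": r["createdDateTime"], "who": r["principalId"],
                     "why": r["justification"], "hours": hours,
                     "at_limit": hours >= duration_hours(max_duration)})
    return rows
```

The `approver_id` is the object ID of the user who approves activations; the policy ID in the PATCH URL comes from `GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '<role template ID>'`.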
“Entra ID B2B lets you collaborate with external organizations without managing their credentials. You invite a partner's email address, they receive a redemption link, they sign in with their existing identity (another Entra ID tenant, a Microsoft account, Google, a federated SAML/WS-Fed identity provider, or a one-time passcode emailed to them), and they get the specific access you have configured. In your tenant they appear as an external user with userType 'Guest'; you can switch a guest to 'Member' for contractors you treat as insiders, but Guest is the default and the normal case. You control exactly what they can access: specific Azure resources, SharePoint sites, Teams channels, or applications. When the collaboration ends, you remove the guest account, and a periodic access review catches the ones nobody remembered to remove. Cross-tenant access settings give you fine-grained control over inbound B2B: you can accept MFA and device claims from specific partner tenants, or require your own controls to be satisfied.”
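The B2B lifecycle above as Graph calls: the invitation body, an inbound cross-tenant access setting that trusts one partner's MFA but not its device claims, and the review that finds guests to remove once collaboration has ended. This is an added example, not course code. The partner tenant ID, the addresses and the user records are constructed; field names follow the Graph `invitation`, `crossTenantAccessPolicyConfigurationPartner` and `user` (with `signInActivity`) resources.

```python
"""Guest invitation, partner inbound trust, and a stale-guest review."""
from datetime import datetime, timezone

PARTNER_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder partner tenant ID
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)           # fixed clock so the review is repeatable


def invitation(email: str, redirect_url: str, message: str = "") -> dict:
    """Body for POST /invitations. Graph creates the guest object immediately
    (externalUserState = PendingAcceptance) and emails the redemption link."""
    body = {"invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": True}
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def partner_inbound_trust(tenant_id: str) -> dict:
    """Body for POST /policies/crossTenantAccessPolicy/partners: accept the partner's
    MFA claim so their users are not prompted twice, but do not trust their device
    claims, since a device compliant in their tenant is not one you manage."""
    return {"tenantId": tenant_id,
            "inboundTrust": {"isMfaAccepted": True,
                             "isCompliantDeviceAccepted": False,
                             "isHybridAzureADJoinedDeviceAccepted": False}}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed records in the shape of
# GET /users?$select=userPrincipalName,userType,externalUserState,createdDateTime,signInActivity
SAMPLE_USERS = [
    {"userPrincipalName": "dana_partner.example#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-09-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T14:02:00Z"}},   # active guest
    {"userPrincipalName": "eli_partner.example#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-02-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T09:30:00Z"}},   # idle for months
    {"userPrincipalName": "fay_gmail.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2024-02-01T08:00:00Z",
     "signInActivity": None},                                             # invite never redeemed
    {"userPrincipalName": "gil@contoso.com", "userType": "Member",
     "externalUserState": None, "createdDateTime": "2022-01-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T08:00:00Z"}},   # employee, out of scope
]


def stale_guests(users: list, now: datetime = NOW, idle_days: int = 90, pending_days: int = 30) -> list:
    """Guests to remove: invitations still unredeemed after `pending_days`, and redeemed
    guests with no sign-in for `idle_days`. Members are never touched by this review."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if u.get("externalUserState") == "PendingAcceptance":
            if (now - _ts(u["createdDateTime"])).days >= pending_days:
                findings.append((u["userPrincipalName"], "invitation never redeemed"))
        elif last is None or (now - _ts(last)).days >= idle_days:
            findings.append((u["userPrincipalName"], "no sign-in for %d days" % idle_days))
    return findings
```

Reading `signInActivity` requires the `AuditLog.Read.All` permission and a Microsoft Entra ID P1 licence; each finding maps to a `DELETE /users/{id}` once the business owner confirms.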
“Entra ID B2C is for customer-facing applications — your users are consumers, not employees. B2C handles all identity management: sign-up, sign-in, profile management, password reset. Social login providers are built in — users can sign in with their Google, Apple, or Facebook account, or create a local account with email and password. User flows are pre-built UI templates for common scenarios that you configure without code. Custom policies use the Identity Experience Framework — XML-based, complex but completely flexible — for organizations that need non-standard authentication flows. B2C scales to hundreds of millions of users and handles all the complexity of identity across regions.”
“A few critical best practices. Every enterprise must have at least two break-glass accounts: cloud-only accounts in the *.onmicrosoft.com domain with a permanent Global Administrator assignment (not managed through PIM), very long random passwords, and exclusion from every Conditional Access policy, so the MFA and device rules that apply to everyone else cannot lock them out. This is your emergency access if a misconfigured Conditional Access policy locks everyone out, or if the MFA service or federation is unavailable. The passwords are stored in a physical safe. Monitor sign-ins to these accounts with an immediate alert; any use means either an emergency or a security incident. Block legacy authentication: protocols such as basic auth for IMAP, POP and SMTP cannot complete an MFA challenge, so a Conditional Access policy can only block them, and leaving them open hands password sprayers a route around your MFA requirement. Enable Identity Protection to detect and respond to risky sign-ins automatically: leaked credentials, atypical travel, unfamiliar sign-in properties.”
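Two of the practices above in code: the Conditional Access policy that blocks legacy authentication, and a triage over sign-in log records that alerts on any break-glass account use, on legacy-protocol sign-ins that succeeded (the report-only view of who still needs to move before the block is enforced), and on risky sign-ins that Identity Protection flagged but that were still allowed through. This is an added example, not course code. The group ID, the UPNs and the log records are constructed; the policy fields and the log field names (`clientAppUsed`, `conditionalAccessStatus`, `riskLevelDuringSignIn`, `status.errorCode`) follow the Graph `conditionalAccessPolicy` and `signIn` resources.

```python
"""Block legacy authentication, and triage sign-in logs for break-glass use,
legacy-protocol successes and risky sign-ins that were allowed."""

BREAK_GLASS_GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # placeholder group ID
BREAK_GLASS_UPNS = {"bg-admin-01@contoso.onmicrosoft.com",       # placeholder accounts
                    "bg-admin-02@contoso.onmicrosoft.com"}

# Only these clientAppUsed values can complete an MFA challenge; everything else is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def block_legacy_auth(break_glass_group: str) -> dict:
    """Legacy protocols cannot satisfy MFA, so the only useful grant control is block.
    Staged in report-only first, with the break-glass group excluded."""
    return {
        "displayName": "CA003 - Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed records in the shape of GET /auditLogs/signIns
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-06-01T02:14:09Z", "userPrincipalName": "bg-admin-01@contoso.onmicrosoft.com",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "notApplied",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},         # break-glass used at 2 a.m.
    {"createdDateTime": "2024-06-01T08:30:00Z", "userPrincipalName": "svc-scanner@contoso.com",
     "clientAppUsed": "IMAP4", "conditionalAccessStatus": "reportOnlyFailure",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},         # would be blocked once enforced
    {"createdDateTime": "2024-06-01T08:31:00Z", "userPrincipalName": "alice@contoso.com",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success",
     "riskLevelDuringSignIn": "high", "status": {"errorCode": 0}},         # risky but allowed
    {"createdDateTime": "2024-06-01T08:32:00Z", "userPrincipalName": "bob@contoso.com",
     "clientAppUsed": "Exchange ActiveSync", "conditionalAccessStatus": "failure",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 53003}},     # already blocked by CA
    {"createdDateTime": "2024-06-01T08:33:00Z", "userPrincipalName": "carol@contoso.com",
     "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "success",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},         # normal
]


def triage(signins: list, break_glass_upns: set) -> list:
    """Return (severity, upn, reason) tuples. Break-glass use is reported whether or
    not the sign-in succeeded: a failed attempt against that account is itself news."""
    alerts = []
    for s in signins:
        upn = s["userPrincipalName"].lower()
        succeeded = s["status"]["errorCode"] == 0
        if upn in break_glass_upns:
            alerts.append(("critical", upn, "break-glass account signed in"))
        if succeeded and s["clientAppUsed"] not in MODERN_CLIENT_APPS:
            alerts.append(("high", upn, "legacy auth succeeded via %s (CA: %s)"
                           % (s["clientAppUsed"], s["conditionalAccessStatus"])))
        if succeeded and s.get("riskLevelDuringSignIn") in {"medium", "high"}:
            alerts.append(("medium", upn, "risky sign-in allowed, risk level %s"
                           % s["riskLevelDuringSignIn"]))
    return alerts
```

In production the same logic runs as a scheduled query over the sign-in logs exported to Log Analytics or pulled from `GET /auditLogs/signIns`; the `high` findings are the accounts and service mailboxes to migrate off basic auth before `block_legacy_auth()` is switched to `enabled`.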
“Let me demo the most important Entra ID security controls. I'll create a Conditional Access policy requiring MFA for the Azure portal, test it in report-only mode, then enable it. Configure PIM for the Contributor role — set an activation duration, require justification and MFA. Log in as a user, activate the PIM role, provide justification. Then invite a guest user, assign them access to an Azure resource, and show their experience. Finally, view the PIM audit log showing all role activations.”
“Identity and access management is the highest-weighted domain in AZ-104 at 20-25%. Know Conditional Access policy components: assignments (who, what app, what conditions) and access controls (grant, session). PIM versus RBAC: PIM is for time-limited activation of existing eligible assignments, not a replacement for RBAC. B2B versus B2C: B2B is for known partners and contractors, B2C is for unknown consumer users. Break-glass accounts are a favourite scenario question — know why they exist and why they're excluded from MFA. Conditional Access report-only mode is tested — it evaluates policies without enforcing them.”
1. Enable MFA for all users with a Conditional Access policy
2. Create a Conditional Access policy: block access from outside approved countries
3. Create a Conditional Access policy: require a compliant device for the admin portal
4. Configure PIM for the Global Administrator role
5. Activate a PIM role as a user and view the audit log
6. Invite a B2B guest user and assign them access to a resource