Conditional Access vs Identity: Who Actually Decides?

From Gatekeeper to Watcher: How to Fuse Conditional Access with Defender for Identity for Real Identity Resilience

The Core Idea (TL;DR)

• Conditional Access (CA) is your bouncer. Great at pre-auth decisions.

• Defender for Identity (DfI) is your CCTV+floor security. Great at post-auth behavior.

• Real resilience happens when post-auth risk raises pre-auth friction automatically—in-session.

Mental Model

• Gatekeeper (CA): Who, where, device posture, risk-at-sign-in, session controls.

• Watcher (DfI + M365 Defender): Lateral movement, abnormal resource access, Kerberoasting/NTLM abuse, privilege hunting.

• Feedback loop: Watcher flags behavior → raises user risk / session risk → Gatekeeper tightens controls (MFA/step-up, block, restrict session).

Integration Blueprint (what to enable, in order)

1. Risk-aware CA (baseline)

   • Entra ID Protection: turn on User risk & Sign-in risk evaluation.

   • Create CA policies:

     • Block when User risk = High (or Require password change if your helpdesk can support it).

     • Require MFA when Sign-in risk ≥ Medium.

     • Require compliant device for medium+ sensitivity apps; use device filters for unmanaged devices to route to session controls.

2. Let the watcher talk to the gatekeeper

   • Ensure DfI is streaming alerts into Microsoft 365 Defender and Sentinel (if used).

   • Automate “Confirm compromised” on users for certain DfI alerts (below). This sets User risk = High in Entra ID Protection → CA reacts.

     • Automation path: M365 Defender Incident → Logic App/Power Automate → Graph Security/Identity Protection API (/riskDetections, /riskyUsers:confirmCompromised) → optional Force sign-out.

   • Turn on Continuous Access Evaluation (CAE) on apps you can (Exchange/SharePoint/Graph) so policy changes cut live tokens.

3. Session control for containment

   • For unmanaged/risky sessions, use Defender for Cloud Apps (session proxy) from CA:

     • CA → Use Conditional Access App Control (monitor first, then block exfil: download, cut/copy, paste, print, sync).

   • Pair with MDE device risk → Intune compliance → CA “Require compliant device” for sensitive apps.

4. Privileged identity guardrails

   • PIM enforce Just-in-Time; require MFA + compliant device + no risky user for elevation.

   • CA policy “Block privileged roles if user risk ≥ Low” (yes, Low) to force triage before elevation.

“If This, Then That”: Map DfI Signals to CA Actions

Start in audit/monitor for 1–2 weeks, then flip responses to enforce per alert class.

Sample Policies (practical, minimal)

1. Block when user risk = High

• Assign: All users (exclude break-glass), All cloud apps

• Conditions: User risk = High

• Grant: Block access

2. Step-up on sign-in risk

• Assign: All users, High-value apps (Admin portals, Exchange, SharePoint, Entra)

• Conditions: Sign-in risk ≥ Medium

• Grant: Require MFA + Require compliant device (or Managed device)

3. Session contain unmanaged

• Assign: All users, SharePoint/OneDrive/Teams

• Device state: Hybrid/Compliant = bypass; Unmanaged = enforce

• Session: Use Conditional Access App Control (Block downloads)

4. Privileged elevation guard

• Assign: Directory roles = Privileged roles

• Conditions: User risk ≥ Low OR Sign-in risk ≥ Medium

• Grant: Require MFA + Require compliant device; Block if risk ≥ High

Automation Playbooks (ready-to-wire)

Playbook A: DfI high-severity alert → Contain identity

• Trigger: M365 Defender incident with tag IdentityThreatHigh

• Actions:

  1. Graph – confirm user compromised (set User risk High)

  2. Entra – revoke refresh tokens

  3. Intune/MDE – device isolate (if single primary device)

  4. ServiceNow/JSM – create ticket with timeline + artifacts

  5. Notify SOC + owner via Teams adaptive card (one-click rollback if FP)

Playbook B: Anomalous SharePoint access burst

• Trigger: Defender alert “Unusual file download”

• Actions:

  1. Tag user UnderInvestigation (AAD extension attribute)

  2. Flip user to CA policy that routes to App Control (no download/print)

  3. Launch eDiscovery hold on affected sites (optional)

  4. Auto-expire containment in 72h unless SOC extends

Hunting & Useful Queries

M365 Defender (Advanced Hunting)

Sign-in risk spikes tied to later DfI alerts

Metrics That Prove It Works

• Mean Time To Contain (MTTC) identity (alert → CA enforcement) ↓

• Attacker dwell time (first suspicious action → remediation) ↓

• Blocked risky sessions (policy-fired events) ↑ while false-positive rate ↓

• Risky users backlog age (open > 24h) ↓

• Token revocation latency (sec) ↓

• Privileged elevation failures due to risk (caught early) ↑ then normalize

• Secure Score (Identity/Device/Apps) ↑ with no helpdesk ticket spike

30/60/90 Rollout

Days 0–30 (Foundations)

• Enable Entra User/Sign-in risk & CA baseline policies (audit → enforce).

• Onboard DfI to M365 Defender; validate alerts & entities.

• Turn on CAE for supported apps; integrate MDE risk → Intune compliance.

Days 31–60 (Feedback & Containment)

• Build Playbooks A & B (above) in Logic Apps; start in dry-run.

• Pilot App Control for unmanaged sessions with 2–3 teams.

• Add PIM elevation guardrail policy.

Days 61–90 (Enforce & Measure)

• Flip playbooks to enforce for high-confidence alerts.

• Stand up an identity security workbook (Sentinel/Power BI) with the metrics list.

• Quarterly purple-team drill: validate MTTC, token revoke, and CA flips in live fire.

Common Pitfalls (and safer defaults)

• Pitfall: Only using CA’s sign-in risk → Fix: Also react to user risk and DfI alerts.

• Pitfall: No CAE → stale tokens keep risky sessions alive → Fix: Enable CAE, build revoke tokens into playbooks.

• Pitfall: Blocking downloads broadly → user revolt → Fix: Use App Control only on unmanaged or risky.

• Pitfall: FP storms from aggressive auto-”compromised” → Fix: Gate with multi-signal (DfI high + unusual download + off-hours).

• Pitfall: Break-glass accounts locked by risk → Fix: Exclude two monitored break-glass accounts; rotate quarterly.

Copy/Paste Artifacts

CAB one-liner for execs

We’ve connected post-login behavior to access decisions. If an account acts unusually, we add friction or block in-session. That shrinks attacker dwell time without slowing normal work.

Change note for admins

• New CA policies may prompt step-up MFA or block when risk rises. Tokens can be revoked mid-session. Break-glass accounts excluded. Monitor Identity Resilience workbook for impact.

Owner-friendly Teams card (auto)

• “We noticed unusual file activity on your account. We applied temporary protections (no download on unmanaged). If this was you, click Acknowledge; otherwise click Report.”