Create WordPress on Azure App Service

Posted on by Imran Rashid
Reading Time: 7 minutes


In this post I will explore creating a WordPress website on Azure App Services. Microsoft have made the deployment of WordPress on Azure App Services easier and have lowered prices compared to previously.

The default Operating System (OS) for the WordPress installation will be Linux. When it comes to WordPress hosting, Linux is the preferred OS by developers so Microsoft have set the default OS to Linux. The Operating System can be set to Windows if needed. Furthermore, Microsoft will support this service in the event you require support.

What is WordPress?
WordPress started in 2003 by two individuals named Mike Little and Matt Mullenweg. Today, WordPress is built on PHP and MySQL, and licensed under the GPLv2. It is also the platform of choice for over 43% of all sites across the web. This blog you’re accessing right now, cloudbuild.co.uk, runs on WordPress.

The WordPress open source project has since evolved and has become one of the most popular solutions to allow people to deploy websites. People with a limited tech experience can use it out of the box, and more tech-savvy folks can customise it in remarkable ways. WordPress is designed for everyone.

WordPress is a versatile and popular content management system that’s used to create websites of all sizes, for multiple purposes. From small personal blogs to large-scale corporate sites and e-commerce stores, WordPress offers a range of functionalities and customisations to suit different needs. Because of its overwhelming popularity, WordPress is a target for hackers. Websites that run on the platform can be vulnerable to security threats such as malware and phishing attacks. Click on the following link for tips on how to secure your WordPress site, WordPress on Azure – Security.

WordPress on Azure
The purpose of this post is to deploy a WordPress site on Azure App Services. Let’s get started.

  1. Login to portal.azure.com

  2. Search and click WordPress on app service


2. Select a subscription and use an existing or a new Resource group.


3. Specify a region and give your WordPress site a new name.
Depending on the plan you select in step 4 below, you’ll be able to add a custom domain later if needed.


4. Select a Hosting plan, I’ll be selecting the basic for hobby or research purposes.


5. Select your Site language and add an admin email address

Note: The admin email address is important. This is where you’ll receive update notifications and the recovery email address in the event you need to reset your password.


6. Next, select a login name for your WordPress Site.


Note: avoid using the username admin, it’s a common default username used for WordPress sites worldwide, and what hackers use when attempting to brute force attack your website with the aim of accessing your WordPress backend.

7. Click Next: Addons


8. I have unchecked options, Azure Email Service as this is a demo site and won’t be used to send bulk marketing emails. I won’t be using a CDN (Content Delivery Networking) for caching and performance. Finally, I won’t require a Azure Front Door Load Balancer.

Benefits of Azure CDN (Content Delivery Network)

Microsoft highly recommend that you opt for CDN while creating your WordPress on Azure App Service instance. Why?

  1. Higher Performance: Azure CDN helps in achieving higher performance by delivering content to users faster and by decreasing load on the server.
  2. Higher availability and scalability: Azure CDN improves availability and scalability by replicating content across a large number of servers around the world.
  3. Higher security: Azure CDN provides additional security through features like customised domain HTTPS and DDoS mitigation.

Due to this being a personal/demo site, I have no reason to enable CDN.


9. Scroll down to Azure Blob Storage.

I’ll enable the option to use an Azure Storage account to store website images and videos. This will become the default storage for when I upload images/videos to my WordPress site.

The wizard will also create a new Azure Virtual network to logically isolate services (Website and backend DB) into their own subnets.

Private DNS zone integration is required to connect to your Flexible MySQL Server in the Virtual Network using server name (fully qualified domain name). A new private DNS zone will be created or you can optionally choose an existing one linked to the selected Virtual Network.

Note: If you do not prefer the system generated default storage account and VNET names, create your Storage Account and Virtual Network prior to going through the wizard and use the drop down to select your options.


10. When ready, click Next: Deployment


11. Deployment slots are disabled if you selected the basic plan.

A staging site allows you to safely test your changes before deploying them to the production environment. It reduces the risk of breaking your live site or causing disruptions.

If you require deployment slots, you’ll require the standard or higher plan.


12. Click review+create and check the summary before clicking the Create button


The deployment process may take up to 15 minutes whilst the system creates your App Service Plan, App Service (WordPress Site), MySQL database, Private DNS Zone, Storage Account and Virtual Network configuration.

Possible deployment errors:

Error 1: Public access is not permitted on this storage account.

Azure now disable the option Allow Blob anonymous access on newly created Storage Accounts. We’ll be storing publicly accessible images to our WordPress site, this option needs to be enabled. Please ensure you do not store sensitive data in your Azure Storage blob container.

Access your newly created Storage account, click configuration from the left pane and enable Allow blob anonymous access

13. After the deployment succeeds, you can visit your WordPress site using the unique website name you specified earlier *.azurewebsites.net. This will trigger the installation of your WordPress site.


14. Once deployed you can continue to login to the backend WP Admin page by adding wp-admin to the end of the url, such as, yourwebsite.azurewebsites.net/wp-admin

Use the admin username and password you set in step 6 above.


Issue: New WordPress site displays a blank page.

Resolution: Login to the sites admin panel as per step 14 above. From the left pane, click settings, click permalinks and without making any configuration changes, click the save changes button. I usually set my permalink structure to post name, however this is not a requirement to resolve this issue. Clicking the save button without making any changes is sufficient. Try accessing the website again.

15. To avoid a brute force attack, I personally install a free limit login plugin which locks out anyone who attempts an incorrect username and password a few times in a row. The lockout is configurable. It works great for personal websites.


16. To install the limit login plugin, from the left pane, click Plugins and Add New Plugin


17. Search for Limit login


18. Select a plugin. I’ll be selecting Limit Login Attempts Reloaded. Click Install and then Activate.


19. Once installed, click Limit Login Attempts from the left pane, click Settings and scroll down to Local App to view the lock out policy. Amend the policy if needed.


20. I also change the publisher display name which appears on posts. For example, if you were to publish a new post, it would display published by username. Username being the login username to the website.

To change the display name, click Users and then All users from the left pane. Click your user, scroll down and in the first name field type a name different to your username. Then use the drop down (Display name publicly as) and select the new name. Click save.

21. Finally, because we selected to use Azure Storage Blob to store and publish images on the WordPress site, when you upload an image to a post it will automatically be stored in the Azure Storage Account you specified earlier.

I have uploaded the Azure logo to a post as shown in the image below.


If I right click the image and click copy image link, the image is being published from my storage account.

and that’s it. You can continue to develop your WordPress site as per your requirements.

I hope you found this post useful. See you at the next one.

Microsoft Entra Conditional Access Policy options explained

Posted on by Imran Rashid
Reading Time: 36 minutes


In this blog post I examine each of the configuration options available when configuring an Entra ID Conditional Access policy. There are a lot of Conditional Access policy configuration options, so grab hold of a drink and fasten your seat belt. 🙂

What is Microsoft Entra ID Conditional Access?
Conditional access is an intelligent policy engine that helps organisations better control how users access corporate resources. It brings together real time signals such as user context, device, location, and session risk information to determine when to allow, block, or limit access, or require additional verification steps. Use conditional access policies to check the device health and security posture of registered devices and ensure only healthy and trusted devices can access your corporate resources.

Conditional access takes in over 40TB of identity related security signals and analyses them using machine learning to determine the appropriate policy to apply to a resource.


Still confused about what Conditional Access has to offer? Let’s simplify Conditional Access further before we go through the options.

Conditional Access policies at their simplest are if-then statements; IF a user wants to access a resource, THEN they must meet certain requirements or complete an action. For example, if a user wants to access an application such as a Microsoft 365 application, then they must perform multifactor authentication (MFA) to gain access. Another example, IF a user is accessing a company application, THEN they must log in from a Windows 11 compliant device. These are just a couple of examples, Conditional Access offers a lot more and I’ll be going through what each configuration option inside a Conditional Access policy means. If you want to learn more about Conditional Access, visit the following link, What is Conditional Access.

Note: It is important that you plan your policies carefully to avoid undesirable results.

Let’s get started.

How do I access Conditional Access?
A great place to start would be knowing how to get to Entra Conditional Access.

There are a a number of ways to access Conditional Access. We’ll be focusing on two common places including access via entra.microsoft.com and the Azure portal at portal.azure.com

1. Entra portal: Visit entra.microsoft.com, expand Protection (from the left pane) and click Conditional Access.

2. Azure Portal: Visit portal.azure.com, search for Entra ID and click to access Entra ID. Click Security (under the Protect menu) from the left pane, and click Conditional Access.

Is conditional access free?
No, Conditional Access in Microsoft Entra ID is a premium feature which requires a minimum of Entra ID P1 licenses. However, if you wish to configure certain features, such as Identity Protection (user risk and sign risk detection), you will require Entra ID P2 licenses. User risk and Sign-in risks are configured within Conditional Access. I’ll cover the options later in this post. You can click the following link to learn more about Identity Protection, What is Identity Protection?

To summarise, Conditional Access is a licensed feature and requires a minimum of P1 licenses in most cases, however, certain features require P2 licenses.

Conditional Access policy options explained

Important note before we continue
It is important that you plan your policies carefully to avoid undesirable results. The purpose of this post is to go through the configuration options available in a Conditional Access policy. To learn more about Conditional Access policy best practices, visit the following link, Conditional Access Policy Recommendations.

For the purpose of this post, I will be accessing conditional access via entra.microsoft.com

1. Click the option to create a new Conditional Access policy as shown in the image below.
Access via entra.microsoft.com > expand Protection from the left pane and click Conditional Access.

2. This will get you started with an empty Conditional Access policy as shown in the image below.

Policy name


Give your policy a name, for example, for demo purposes I could use a name of Require multifactor for admins or Block legacy authentication.

There are recommendations for policy naming conventions from Microsoft that you may wish to consider when naming your policies, or you may have your own naming format. A properly defined naming convention helps you and your colleagues understand the purpose of a policy, which enables easier policy management and troubleshooting.

The recommended naming policy is based on personas, policy types, and apps. It looks like this:

<CANumber>-<Persona>-<PolicyType>-<App>-<Platform>-<GrantControl>-<OptionalDescription>

For example,

CA001-Admins-IdentityProtection-AdminPortals-AnyPlatform-AllowCompliantDeviceMFA

Whatever naming format you use, ensure it is easy to understand the purpose of the policy without having to open the policies to check.


Here is the link for further details, Conditional Access framework and policies.

Assignments

This is where you configure to whom you would like this policy to apply.

Click the option, O users and groups selected, as shown in the image below,


The below options will become available to you.

Options in image below show,

Tab: Include
– None
– All users
– Select users and groups



Tab: Exclude
– Guest or external users
– Directory roles
– Users and groups

There are a few options available. You could apply the policy to all users but be careful as the warning below advises.

Warning: Don’t lock yourself out! This policy will affect all of your users. We recommend applying a policy to a small set of users first to verify it behaves as expected.



It is important to understand that depending on the type of policy, you could block yourself and all admins from logging in. A call to Microsoft support maybe required to allow you back into the portal which is a task you want to avoid, as it could be a lengthy process.

Note: Microsoft offer a what-if tool which allows you test the impact of a policy if applied. Furthermore, there is also an option to enable the policy in report only mode. Both options can help you audit/test prior to enabling policies. I will discuss these options later in this post.

You also have the options to assign the policy to guest users, specific Entra ID directory roles or select users or groups from inside your organisation. Directory roles are built in Entra ID roles, such as Global Administrators, User Administrators and more. A list of all built in Entra ID roles including permissions each role is granted are documented at the following link, Microsoft Entra ID built-in roles.


The exclude option could be used to exclude certain users or roles from the policy. For example, depending on the type of policy, you may wish to exclude admins or break glass accounts.

Break glass accounts
It is important that you prevent being accidentally locked out of your Microsoft Entra organisation, because you won’t be able to sign in or activate another user’s account as an administrator if a policy blocks all access. You can mitigate the impact of accidental lack of administrative access by creating two or more emergency access accounts in your organisation. It is recommended to add the break glass accounts into a security group and then exclude the group. For more information on the importance of break glass accounts and how to monitor them, click the following link Azure Emergency Break Glass Accounts.


Guest or external users
Before moving onto the next tab, I would like to cover a few options available under Guests and external users.


When configuring a Conditional Access policy, you have granular control over the types of external users you want to apply the policy to. External users are categorised based on how they authenticate (internally or externally) and their relationship to your organisation (guest or member). The options available in the drop down down list include:

B2B collaboration guest users
This is your general guest account, where you invite a guest from outside your Entra ID tenant. For example, you may wish to invite someone who will be assisting you with a project.

B2B collaboration member users 
This B2B collaboration user has an account in an external Microsoft Entra organisation or an external identity provider (such as a social identity), however they have member level access to resources in your organisation. This scenario is common in organisations consisting of multiple tenants, where users are considered part of the larger organisation and need member level access to resources in the organisation’s other tenants. The user object created in Microsoft Entra directory has a user type of Member and not guest like the one we covered above.

B2B direct connect users 
B2B direct connect is a new way to collaborate with other Microsoft Entra organisations. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, you create two way trust relationships with other Microsoft Entra organisations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren’t added as guests to your Microsoft Entra directory. When two organisations mutually enable B2B direct connect, users authenticate in their home organisation and receive a token from the resource organisation for access. You’re basically creating a trust between two Entra ID environments without having to provision guest accounts in each tenant.

I have covered B2B collaboration previously in the two posts below.

Post 1: Entra ID cross-tenant access
Post 2: Azure Entra ID B2B External Collaboration Settings Explained.

Local guest users
Local guest users have credentials that are managed in your directory. Before Microsoft Entra B2B collaboration was available, it was common to collaborate with distributors, suppliers, vendors, and others by setting up internal credentials for them and designating them as guests by setting the user object User Type to Guest. This is still possible. You can create a user account and a password in your Entra ID Directory but configure the user as a guest so they don’t receive the permissions that a member/employee would receive in your organisation. This provides the guest with a user ID from your organisation, for example user@imranrashid.co.uk but limited to guest permissions instead of permissions an employee would receive as a member user. To learn more about default guest permissions, visit the links I posted above.

Service provider users
These are organisations that serve as cloud service providers for your organisation. An organisation that manages your Azure platform on your behalf. The isServiceProvider property in Microsoft Graph is set to true. If the value is not set to true and is null, these settings inherit the behavior configured in your default cross tenant access settings.

Other external users
Applies to any users who don’t fall into the above categories, but who aren’t considered internal members of your organisation, meaning they don’t authenticate internally via Microsoft Entra ID, and the user object created in the resource Microsoft Entra directory doesn’t have a User Type of Member.

Target resources

Here we can configure what cloud apps we wish to target.


Click No target resources selected as shown in the image above. This will direct you to the area where you can control target resources as shown in the image below.


Be careful when selecting specific cloud apps as this could cause a problem when new apps are added to your environment in future as they will not be included and therefore won’t be protected. You may want to include all apps so it covers all apps and automatically include any new apps you introduce in the future. Be careful when pushing out a policy to all cloud apps so you don’t lock yourself out as the warning suggests below. I’ll discuss ways to test your policies before pushing them out to production later in this post. Make use of exclusions and exclude accounts such as break glass accounts as I mentioned earlier. This will ensure that you have a way to log back into the environment to investigate and resolve the issue.

For the purpose of this demo I’ll be selecting an individual cloud app so I can go through a few of the options available.


Click the option Select Apps and click None under Select


I could select Office 365,


This means whatever policy I configure would apply to 365 applications, such as:

I could also include my own Entra ID registered applications or utilise the built-in Entra ID applications. These could be my own apps where I have utilised Entra ID as an identity solution, allowing my users to login using their existing login account. For example, the same account they use to login to 365 services such as Teams, Exchange Online, SharePoint online and so on.

Microsoft Admin Portals

I could select Microsoft Admin Portals as shown in the image below.


Microsoft Admin Portals would apply the policy to all admin portals, listed below at the time of writing this post. For example, I could create a policy that requires admins to go through MFA before being allowed to login to any of the below admin portals.

Source: Microsoft website

Microsoft Azure Management

Microsoft Azure Management covers access to the Azure Portal, portal.azure.com and the Microsoft Entra admin centre, along with other services, such as Azure Resource Manager, Azure Data Lake, Applications Insights API, Log Analytics API, Azure Powershell, Azure CLI, Azure DevOps and more. A complete list is available at the following link, Microsoft Azure Management.


Intune enrollment

Another example, you may want to specify that if an admin attempts to enroll a device into Intune, they must go through Multi Factor Authentication.


That’s just a few cloud apps. Note that only 30 results are listed, however, using the search box, you can search for additional apps, such as Salesforce. See image below.


As always, you could also use the exclude option to remove certain apps from this policy.


There is an Edit Filter option available under Cloud Apps as per the screenshot below. This option allows you to use Entra ID Custom Security attributes as part of your conditional access policies. Why would you use this? For example, you could create and apply a Security Attribute for users who are security cleared or have a certain certification. Then use this option in conditional access to only allow access to a sensitive application for users who are certified. I published a post on Custom Security Attributes. Click the following link to learn more, Microsoft Entra ID Custom Security Attributes.


Here are the options I have available as I have previously created a custom security attribute in Entra ID.


User actions


There are two options available when clicking user actions,


Register security information:
Prior to combined registration, users registered authentication methods for Microsoft Entra multifactor authentication and self service password reset (SSPR) as two separate tasks. This caused confusion as similar methods were used for multifactor authentication and SSPR. Microsoft introduced combined registration, allowing users to register once and get the benefits of both multifactor authentication and SSPR.

A scenario where you could utilise the option Register Security Information is if an organisation would like to enforce users registering for Microsoft Entra multifactor authentication and SSPR from a central/trusted location like an office instead of from an untrusted location, or from a compliant device and so on. I’ll cover the compliant device option later.

Register or join devices:
An organisation may wish to enable this policy to enforce MFA (Multi Factor Authentication) for users registering or joining devices to Entra ID. This provides an extra layer of security. Previously, prompting a user for MFA prior to a device being joined to Entra ID was possible, however, this was a global setting via Identity > Devices > Overview > Device Settings. This option available in conditional access allows additional granular control.

Global Security Access (Preview)


What is Entra Global Security Access?
Global Security Access is a feature recently introduced and still in preview at the time of writing this post. At its core, Microsoft Entra Global Secure Access serves as a gateway, allowing users to connect to corporate applications, data, and services securely, regardless of their physical location. It has two major components including Microsoft Entra Internet Access and Microsoft Entra Private Access.

Microsoft Entra Private Access
You may be familiar with Application Proxy. Thousands of customers use it to access private web apps hosted on-premises. Entra Private Access is the premium version of Application Proxy, where Microsoft have extended those components to do much more. Entra Private Access allows users to access resources located on-premises without requiring a VPN client. As mentioned above, it’s a premium version of Application Proxy, however, with private access we can access non web based services, such as SSH, RDP, SMB, TCP/UDP based applications and http/https. Entra ID App Proxy only supports web applications.

Microsoft Entra Internet Access
Microsoft Entra Internet Access is a Secure Web Gateway (SWG) offering secure access for internet, SaaS (Software as a Service), and M365 (Microsoft 365) apps and resources whilst protecting your users from internet threats. The Internet traffic can be managed through traffic profiles. It’s basically designed to protect your users from threats on the Internet. For example, you can block access to all external destinations for your high risk users or non compliant devices except self service password reset pages. It also extends the conditions of Conditional Access with network conditions. This would prevent, for example, a stolen access session token from being replayed by requiring a user to be on a compliant network to access resources. We discuss compliant network later.

Administrators can use Conditional Access policies to secure traffic profiles. They can mix and match controls as needed like requiring multifactor authentication, requiring a compliant device, or defining an acceptable sign-in risk. For more information, visit the following link, Universal Conditional Access through Global Secure Access and What is Global Secure Access (Preview).

Authentication context


Authentication context is used to secure data and actions in applications such as SharePoint, Microsoft Defender for Cloud Apps (MDCA), and Entra ID Privileged Identity Management.

For this to work, we first create a Authentication Context via Conditional Access and then clicking Authentication Context from the left pane. We can then create a Conditional Access Policy and select the newly created authentication context. The conditional access policy could be configured with additional options such as require MFA or require the device to be Entra ID joined.

But why would we do this? well, now that we have created a conditional access policy we could assign this to services such as Azure Privileged Identity Management (PIM). A new option is available in PIM which allows you to integrate role activation to use conditional access via a authentication context. Previously, a user could activate a high privileged role using MFA only. With authentication context we can now use Conditional Access policies so that a high privileged role can only be activated by the user if the users device is marked as complaint and the device is Entra ID joined, or if the user is using passwordless. We have a lot more control with authentication context.

If you’re wondering where this option is available in PIM, see image below. Thanks to authentication context we can now secure the process of activating a role combined with conditional access.


Another use case of authentication context
An organisation may keep files in SharePoint sites like the lunch menu or their top secret chilli sauce recipe. Everyone may have access to the lunch menu site, but users who have access to the top secret chilli sauce recipe site may need to access the ingredients from a managed device and agree to specific terms of use. You could apply the authentication context to a site or using Microsoft Purview sensitivity labels to apply the authentication context to labeled sites. More info including license requirements, implementation instructions and limitations are available at the following link Conditional access policy for SharePoint sites.

The option to configure authentication contexts is available from the left pane.

Conditions

Back to the options on the left, we have conditions


Click O conditions selected to go into the configurable options as shown in the image above.

User Risk and Sign-in risks are features of Entra Identity Protection (P2 license feature if you wish to enable automated user remediation). Microsoft Entra ID Protection helps organisations detect, investigate, and remediate identity based risks. For example, if a sign-in risk is detected, where a user is trying to sign in from an anonymous IP address, or from an unknown location where they have never logged in from before or other suspicious behavior, Identity Protection could prompt the users to prove that it is really them who is logging in by requesting for MFA. With Conditional Access policies you can configure the detection of user and sign-in risks based on low, medium and high risk. You can learn more about this feature at the following link, What is Identity Protection

Note: Microsoft recommend you configure User risk and Sign-risk via conditional access policies instead of using the legacy identity protection pane which is due to be retired October 1, 2026. The migration process from legacy Entra Identity Protection to Conditional Access can be found at the following link, Migrate Risks Policies from Entra ID Protection to Conditional Access.


An image of the legacy Entra ID Protection portal is shown below with the following message,

“We recommend migrating user risk policy to Conditional Access for more conditions and controls.”


You would receive a similar message when clicking Sign-in risk policy from the left pane.

“We recommend migrating sign-in risk policy to Conditional Access for more conditions and controls.”


User risk and Sign-in risks via Conditional Access

User risk and Sign-in risks should be configured in Conditional Access as shown in the images below.


Insider risk (preview)

At the time of writing this post, Insider risk was a new option available in Conditional Access.

Before discussing this new option available inside Conditional Access, it’s important to know that Insider Risk Management is part of Microsoft Purview. Insider risk is more than just a security problem as it involves insiders who already have access to your environment. The majority of data breaches resulting in data theft, around 63% of all incidents, are caused by people, insiders, working inside your organisation. Source: Rethinking Security from the Inside, Microsoft.

With all the activities that your employees and vendors perform in Microsoft 365 each day, it can be difficult to know which ones might be posing a risk to your organisation. This is where Insider Risk Management can help detect a broad range of user activities across Microsoft 365, allowing you to investigate those activities to identify potential risks. This can be performed whilst anonymising user names if needed to help meet privacy standards. When setting Insider Risk for the first time, you can perform a scan to detect recent user activities across Microsoft 365 locations. When completed, you can review anonymised potential risks, for example, files were shared externally by 3% of users, 1% copied sensitive data to a USB, 2% of users sent email externally and more. Based on the results, Inside Risk Management can recommend data theft and data leak policies to set up. Once you have decided what types of risk activities you wish to detect, you can setup your first policy by selecting a policy template, for example, Data Theft, Data Leaks or Security Policy Violations related to the activity you want to track. You then add the users whose activity you want to analyse and select indicators such as the ones below. You can track activity across SharePoint, Teams, 3rd party apps and more.

  • Deleting files, such as SharePoint files.
  • Unusual number of downloads
  • Copy files to USB
  • Email sensitive Information
  • Add external users to sensitive teams
  • Delete sensitivity labels
  • Multiple failed logins
  • Send sensitive message
  • Downloading content from OneDrive
  • Sharing SharePoint files with people outside of your organisation
  • Using a browser to upload files to the web
  • Printing files
  • Reading sensitive files on a device
  • Files copied to remote desktop session
  • and more.

Next, you select a triggering event which determines when the policy starts assigning risk scores to a user’s activity, such as events based on a user resignation trigger, poor performance trigger, job level change trigger and more. For example, if you selected the template for data theft template, you can trigger a policy to assign a risk score when a resignation date is added for a user by HR.

When a triggered event is detected, for example a user has submitted their notice to resign in 4 weeks time and that user performs an activity which matches the policy threshold, such as downloading data from SharePoint, an alert appears including which activities the user performed, including risks scores assigned to each activity, for example,

Deletion: Files were deleted – Risk score 80/100
Exfiltration: Files were printed – Risk score 50/100
Collection: Files were downloaded from SharePoint – Risk score 31/100
Obfuscation: Files were renamed – Risk score 24/100
Sequence: Files exfiltrated and cleaned up – 90/100

You can further dig down and explore which files names, location such as SharePoint, device name, any applied sensitivity labels (such as Confidential), sensitive info types (such as Credit Card Number) and more.

If an alert needs to be investigated further, you can create a case to dive deeper and identify the activities which is also capable of creating workflows, for example, automatically creating a Microsoft Team to help you collaborate with others who can assist with the investigation. You can review all activity related to the user from a single pane of glass. If a further legal review is required you can escalate the case to create an advanced eDiscovery case where legal teams can review and take further action.

So back to the topic 🙂

How does this work with Conditional Access and how can we stop such threats?
With the new Insider Risk condition in Microsoft Entra’s Conditional Access. Insider risk protections which is powered by the existing adaptive protection available as part of Microsoft Purview, ensure that users can access resources as usual when their risk level is low. However, if something changes to elevate their insider risk level, access to critical assets can be blocked automatically. This is powerful in situations where the user inside of your organisation is the perpetrator of a data breach versus an external threat that has compromised the user account. Insider risk assigns an insider risk level to a user across three tiers, minor, moderate, and elevated, and policy controls can be defined for each risk level. For example, if specified, a user with an elevated risk can be automatically blocked from accessing Microsoft 365, SaaS apps, and even your on prem resources. 

This new feature within Conditional Access can also be combined with other options available within Conditional Access, such as user risk and sign-in risk part of Identity Protection incase there is a genuine attempt to compromise the user’s account or the likelihood the users sign-in has been compromised. You can also include other conditions such as the users device, location, private access and so on.


We have three options available inside Conditional Access including Elevated, Moderate or Minor.

Elevated:
For example, you may wish to automatically block access to critical assets when insider risk levels are at an elevated level, ensuring data security and compliance. A user today may be marked as moderate or minor, but in future they hand in their resignation which raises their risk level to elevated. They now decide to connect to an on-premises virtual machine to put in place software on a machine which can serve as a jump box allowing them to connect to resources after they leave the company. Insider Risk in Conditional Access combined with with Entra Private Access (covered earlier in this post) could block access to the on-premises machine.

Moderate:
User performed activities that might indicate a moderate degree of risk. While not as severe as an elevated risk, you may still take appropriate actions to prevent further risky activity from occurring such as requesting passwordless authentication and asking the user to accept a data terms of use so they can acknowledge the company policy before continuing into an application such as Salesforce. I’ll cover setting up terms of use later in this post.

Minor:
User performed activities that might indicate a minimal degree of risk.

Device platforms

This options allows you to select what devices you require your policy to apply or exclude.

For example, apply the policy to IOS (iphone, Ipad) devices only.

Note: Conditional Access identifies the device platform by using information provided by the device, such as user agent strings. Since user agent strings can be modified, this information is unverified. Device platform should be used along with Microsoft Intune device compliance policies or as part of a block statement.

Microsoft recommends that you have a Conditional Access policy for unsupported device platforms. As an example, if you want to block access to your corporate resources from Chrome OS or any other unsupported clients, you should configure a policy with a Device platforms condition that includes any device and excludes supported device platforms and Grant control set to Block access.

Locations

Here we can assign a policy based on a location.

These named locations could include the public IPv4 or IPv6, country/region, unknown areas that don’t map to specific countries/regions, and Global Secure Access compliant network.


You could also create a custom trusted locations list, for example, including office IP addresses. This can then be included in your Conditional Access policy. To setup a locations list, go back to the conditional access overview page and click named locations under the Manage section in the left pane.


You can then select Countries location or IP ranges location.


What is All Compliant Network locations (in preview)


This feature was in preview at the time of writing. If it’s not visible it’s because you have not enabled Global Secure Access. I provided an explanation of this service further up in this post.

Organisations who use Conditional Access along with Global Secure Access can prevent malicious access to Microsoft apps, third party SaaS apps, and your business apps using multiple conditions to provide defense in depth. These conditions may include device compliance, location, and more to provide protection against user identity or token theft. Global Secure Access introduces the concept of a compliant network within Conditional Access and continuous access evaluation. This compliant network check ensures users connect from a verified network connectivity model for their specific tenant and are compliant with security policies enforced by administrators. You can configure custom policies that, for example, would block access to resources unless connected to the Microsoft Security Service Edge which is part of Global Secure Access.

More info and configuration steps on how to activate Global Secure Access in your tenant is available at the following link, Enable compliant network check with Conditional Access

Note: Global Secure Access was in preview at the time of writing this post.

Client apps


Modern Authentication Clients


Modern authentication clients include web-based applications that use security protocols such as SAML, WS-Federation or Open ID Connect. These are modern authentication methods supported in Entra ID.

Legacy Authentication Clients


Sign-in from legacy authentication clients don’t support multifactor authentication (MFA) so can bypass MFA. MFA is a common requirement to improve security posture in organisations. It’s recommended that legacy authentication is disabled if possible. If you have accounts which must use legacy authentication, you must either exclude those accounts from the policy, or configure the policy to only apply to modern authentication clients. Legacy authentication clients include older office clients and mail protocols (POP, IMAP, SMTP and MAPI). Legacy authentication protocols can’t enforce MFA, making them preferred entry points for adversaries attacking your organisation.

Based on Microsoft’s analysis more than 97 percent of credential stuffing attacks use legacy authentication and more than 99 percent of password spray attacks use legacy authentication protocols. These attacks would stop with basic authentication disabled or blocked.

Filter for devices

Filter for devices allow you to apply policies to devices based on a criteria. For example, you could specify to apply a policy to machines using certain operating systems, device manufacturer, model and more. You’ll find a number of built in properties in the list, however, you can also create your own custom attributes, known as extensions.

Authentication flows (Preview)

Authentication flows was in preview at the time of writing this post. Authentication flows include two configurable options, Device code flow and Authentication transfer.

Device code flow
Use case: you’re on a device which is not able to perform self authentication, for example, you are not able to open a browser, and instead you have to use command based access such as Azure CLI using the command az login –use-device-code.

When you use a device flow on that device, for example using a command as mentioned above, the device will generate a code and will provide a url. That url can now be accessed from a different device where browser access is available. You access the provided URL and input the code, login with an account you wish to authenticate with such as your Entra ID account, and the session is authenticated from that secondary device on behalf of the original device.

Note: You should only allow device code flow where necessary. Microsoft recommends BLOCKING device code flow wherever possible. Device code flow can be prone to a phishing attack, for example a bad actor calls a user and says I am from “Microsoft” and we have noticed some unusual activity on your account. I need to confirm that I am talking to the user and not someone else. The bad actor could trick the user by providing them the code they generated and ask the user to authenticate the code using their identity. The bad actor has now been authenticated and acting as the user.

Authentication transfer
Use case: Authentication transfer is a way to transfer authenticated state from one device to another. For example, you could be presented with a QR code within the desktop version of Outlook that, when scanned on your mobile device, transfers the authenticated state to the mobile device via the Authenticator App. This is not as prone to a phishing attack compared to a device code flow, but it can still be used in a phishing attack, for example, a bad actor asks you to send them a picture of the QR code.

Note: you should block Authentication transfer unless there is a requirement.

In Conditional Access we can block the above capability for all cloud apps and all users (excluding certain accounts). However, we could allow where there are reasons to do so by securing the process further by enabling additional checks such as is the machine compliant.


Check Authentication Transfer and Device Code Flow Logs
If you wish to check if you’re using device code flows or Authentication transfers in your organisation, you can check this within the Entra ID sign-in logs by filtering for Authentication Protocol and Device Code or Authentication Transfer. Further logs can be collected by filtering for Original transfer method and then click Device code flow or Authentication transfer.

Grant

Back to the left pane, we have grant. This is the THEN part of Conditional Access. Here is where we configure what we want the policy to do IF conditions are met.

We can block or grant access.

Let’s go through the available options.

Require multifactor authentication

The user must perform Multi Factor Authentication such as authenticating via the Authenticator App, phone call or text before they are allowed to proceed with signing in.

Require Authentication Strength

Authentication strengths can enforce that only phishing resistant authentication methods be used to access a sensitive resource. For example, a HR user wishes to use a HR app which includes sensitive data. You could force HR users to use a FIDO2 Yubi Key to authenticate. We can choose from three built in authentication strengths including Multifactor authentication strength, Passwordless MFA strength, and Phishing resistant MFA strength. We can also create a custom authentication strength based on the authentication method combinations we want, for example, you don’t wish to use SMS and voice call based MFA, but instead you enforce that users use Authenticator App or Phishing resistant authentication methods such as FIDO2 and Windows Hello For Business. The advantage of Authentication Strengths is that we can mix authentication strengths as needed and then use Conditional Access to apply them.


You can create custom strengths or view the built in ones by clicking Authentications Strengths from the left pane.

Require device to be marked as compliant
Organisations that deploy Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Microsoft Entra ID so Conditional Access can decide to grant or block access to resources based on the state of the device, for example, the device must have Windows 10 or above installed, must have Endpoint protection installed and so on. You could base your Conditional Access policy on the status of a device such as organisation owned and users personal devices, and if the device is compliant. If not, you may decide to block or provide reduced access to your organisational resources.

Require Microsoft Entra hybrid joined device

Microsoft Entra hybrid joined devices are joined to your on-premises Active Directory and also registered with Microsoft Entra ID. Organisations can require that user devices are Microsoft Entra hybrid joined or access is not granted.

Require approved client app


Note: The approved client app option is retiring in early March 2026. Organisations have until March 2026 to migrate to Application Protection Policy. Covered in the next section below.

After March 2026, Microsoft will stop enforcing require approved client app control, and it will be as if this grant isn’t selected. Use the following steps to migrate to App Protection Policy before March 2026 to protect your organisation’s data. Migrate approved client app to application protection policy.


The following client apps support approved client app.

Source: Grant controls in Conditional Access policy

Require app protection policy

App protection policies come from Intune and are rules that ensure an organisation’s data remains safe or contained in a managed app so users can not copy and paste data outside of your organisation applications, such as preventing the saving of company app data to a personal storage location. Furthermore, you can use app protection policies to require a mobile pin or finger print before a user accesses corporate email on their personal or business device. For more information and additional capabilities of app protection policies visit the following link App protection policies overview – Microsoft Intune.

In Conditional Access policy, you can require that an Intune app protection policy is present on the client app before access is available to the selected applications. If an Intune app protection policy is not present, access could be denied.


A further link appears under the option Require app protection policy advising that there is a list of policy protected client apps this control supports. Below is the current list.

Source: Grant controls in Conditional Access policy – Microsoft Entra ID

For multiple controls – require all the selected controls or require one of the selected controls

Specify whether you wish for all selected controls to apply, for example, the device must be compliant and MFA (Multi Factor Authentication) is required, or the user needs to meet one of the conditions, either MFA or the device must be compliant.

Session

Back to the left pane, we continue to session controls.


and we have the following options



Use app enforced restrictions


This configuration only supports Office 365, Exchange Online and SharePoint Online. The reason why the below option is greyed out is because I need to go back to the Cloud App settings and select 365, Exchange Online or SharePoint from the drop down list. Note that before configuring app enforced restrictions there are steps you need to take for Exchange Online or SharePoint online.

So what does this setting do in Conditional Access? you could prevent users from downloading email attachments from an outlook browser that your user may access from a non company managed device. If a user attempts to login to Outlook online from a non company device and attempts to download an attachment, they would be presented with a message such as the one below.

Your organisation doesn’t allow you to download or print attachments from this device or browser. You can still view the attachments in your browser, For more information, contact your IT administrator

For SharePoint, this control within Conditional Access could disable the download option if a user attempted to access SharePoint online from a non company managed device.


Use Conditional Access App Control

This feature integrates with Defender for Cloud Apps


It allows you to add additional control to SaaS (Software as a Service) third party applications in Entra ID, such as SalesForce, or you could apply the policy to Microsoft cloud apps such as Microsoft Teams.

You could setup a policy that integrates with a policy inside Defender for Cloud Apps, for example,

If a user attempts to access Salesforce from an unmanaged device, prompt them for MFA, however provide them with limited access to Salesforce only, and prevent the download of PDFs within Sales Force.

Another example could be,

If a user attempts to download a Word Document containing certain keywords, wrap the document with a sensitivity label of confidential which could then implement restrictions to the document such as preventing the user from copy/paste, printing and download.


Sign-in frequency

Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. Administrators can select a period of time (hours or days) or choose to require reauthentication every time.



Persistent browsing

A persistent browser session allows users to remain signed in after closing and reopening their browser window. Persistent browser only works correctly when all cloud apps have been selected. If the option is greyed out, it’s because you have not applied the policy to all cloud apps.


Customize continuous access evaluation


In Entra ID, Azure uses OAUTH 2.0 as one of it’s authentication protocols and is one of the standards used to authorise users and applications to Entra ID. During the authentication process a device receives a refresh and access token. This access token includes the user identity information and has a default lifetime of 60 – 90 minutes. Now, what if an incident occurs where you need to disable the user urgently because a laptop has been stolen from a users desk by a bad actor and the device was not locked by the user when they left the desk. The bad actor has access to your organisation applications and data for up to 90 minutes or less depending on when the laptop was stolen, because the access token is still valid. Worrying, right?

Continuous Access Evaluation (CAE) allows access tokens to be revoked based on critical events and policy evaluation in real time rather than relying on token expiration. There are a number of key benefits when using this option including:

  • when a user account is disabled or the password is changed, the user session revocation is enforced in near real time.

  • network location change: Conditional Access location policies are enforced in near real time. You could assign the policy to a trusted named location. If a laptop is taken from a trusted location and the bad actor attempts to open your cloud app and access company data, they would be prevented from doing so due to the new location not being trusted. This may be a little difficult to configure especially if users are working from different locations. Note at the time of writing this feature was in preview so not recommended for production use.

  • Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies (Strictly enforce location policies). Token export refers to a bad actor stealing the users access token and replaying it on a different device. The bad actor may steal the token by sending the user a phishing email including a link which when clicked resembles the Microsoft sign-in page. The user inputs their details and the bad actor retrieves the token.

Continuous access evaluation currently evaluates and can revoke the token when a

  • user account is deleted or disabled
  • password for a user is changed or reset
  • multifactor authentication is enabled for the user
  • administrator explicitly revokes all refresh tokens for a user
  • high user risk detected by Microsoft Entra ID Protection

Note: this feature does not currently support all services, visit the following link for limitations.

Note: Continuous Access Evaluation (CAE) does not currently support report-only mode. More on report-only mode later.


Disable resilience defaults


Resilience defaults are automatically enabled for all new and existing policies, and Microsoft highly recommends leaving the resilience defaults enabled to mitigate the impact of an outage (don’t click the option to disable). Admins may disable resilience defaults for individual Conditional Access policies.

What is the purpose of resilience defaults? Let’s find out.

If there was an outage of the primary authentication service, the Microsoft Entra Backup Authentication Service (Resilience Defaults) would automatically issue access tokens to applications for existing sessions when the 60 – 90 minute access token expires. This functionality may significantly increase Microsoft Entra resilience, because reauthentications for existing sessions account for more than 90% of authentications to Microsoft Entra ID, meaning most of your users would continue working without issues.

The Backup Authentication Service doesn’t support new sessions or authentications by users, so if there was an outage, new users/sessions would not be able to authenticate. However, as mentioned above, existing users would who are already logged in and have had an access token and refresh token issued would not be affected. Clicking to disable this feature within Conditional Access means that you don’t wish to use the backup service in the event there was an issue with Entra ID. If resilience defaults are disabled and there is an outage with the Microsoft Authentication service, access will be denied for all users once existing tokens/sessions expire.

For more information on how this service works under the hood, click the following link, Resilience defaults for Microsoft Entra Conditional Access.


Require token protection for sign-in sessions (Preview)


Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replaying a token, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant.

Token protection creates a cryptographically secure tie between the token and the device (client secret) it’s issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Microsoft Entra ID, their primary identity is bound to the device. Therefore if a bad actor steals the token and attempts to replay it on a new device, it will not work.

Report-only mode

Enabling a policy in report-only mode will allow you to evaluate the impact of Conditional Access policies before enabling them in your environment. You can review the reports in Entra ID sign-in logs and after you feel confident that the policy will not cause issues, you can switch the policy to on. Off will disable the policy.

Create new policy from Microsoft provided templates

Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations. Basically, instead of you having to create a policy manually, most of the work has been done for you via Microsoft provided templates that you can review and apply to your environment.

Conditional Access Coverage

This tab will provide you with statistics on top applications with and without conditional access coverage in the last 7 days. This can give you an idea of where you’re not applying Conditional Access policies.


Another useful tool is the Conditional Access gap analyser workbook. With the Conditional Access gap analyser workbook you can detect gaps in your Conditional Access implementation. This is great as it provides you with an overview of where you may not have applied Conditional Access Policies. As an IT administrator, you want to ensure that your Conditional Access policies work as expected to ensure that your resources are properly protected as missing resources could pose a security risk. This workbook highlights user sign-ins that have no Conditional Access policies applied to them and allows you to ensure that there are no users, applications, or locations that have been unintentionally excluded from Conditional Access policies.

To access this workbook,

  1. Access entra.microsoft.com
  2. From the left pane expand Identity
  3. Click to expand Monitoring & Health
  4. Click Workbooks
  5. Here you can access a number of different workbooks including Conditional Access Gap Analyzer

What if

The Conditional Access What If policy tool allows you to understand the result of Conditional Access policies in your environment. Instead of test driving your policies by deploying a a policy to production and then performing multiple sign-in tests manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the result this sign-in has on your policies and generates a report. The benefit is that you get an idea of what the result will be, for example, if a user logs in from a Windows 11 device which is not compliant and logs in from a specific location.

  1. To access the What if tool, click Policies from the left pane


2. and then click What if


Here you can test the impact of your policy before enabling.

Custom controls (Preview)


Custom controls were in preview at the time of writing and there are still a number of limitations and ongoing changes.

When using custom controls, your users can be redirected to a compatible service to satisfy authentication requirements outside of Microsoft Entra ID. When a user attempts to sign-in, they can be redirected to a third party, perform authentication and return to Microsoft Entra ID for validation before the user is allowed to continue.

As per a blog post Alex Simons at Microsoft, there was an announcement that in future it may be possible to use Custom Controls to redirect to a third party MFA (Multi Factor Authentication) solution. Here is the post, Upcoming changes to Custom Controls – Microsoft Community Hub. Note that preview features can be removed and there is no guarantee that it will make it to GA (General Availability).

Custom Controls works with a limited set of approved authentication providers. Each non Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service. At that point, the provider gives you a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control and defines how Conditional Access can tell if your users have successfully performed verification with the provider.

Terms of use

Terms of use policies provide a simple method to present information to end users. Organisations can use Terms of use along with Conditional Access policies to require employees or guests to accept your Terms of use policy before they are allowed access.


After creating a policy, a Terms of use checkbox will appear in the grant control list when creating a Conditional Access policy as per the image below. If selected, users would need to accept Terms and conditions before being able to access your applications.

VPN connectivity


With Microsoft Entra Conditional Access for virtual private network (VPN) connectivity, you can help protect your VPN connections. You can enforce Conditional Access to remote users who connect in to your environment using VPN. For example, prompting users for MFA, ensure a device is compliant, restrict to locations and more.

Here is where you would create the certificate.


For more information on VPN integration with Conditional Access, visit the following link, Configure conditional access for VPN connectivity using Microsoft Entra ID

Insights and reporting

This workbook was designed to help admins understand the impact of their Conditional Access policies by aggregating sign-in results. The Conditional Access insights and reporting workbook enables you to understand the impact of Conditional Access policies in your organisation over time. During sign-in, one or more Conditional Access policies might apply, granting access if certain grant controls are satisfied or denying access otherwise. Because multiple Conditional Access policies might be evaluated during each sign-in, the insights and reporting workbook lets you examine the impact of an individual policy or a subset of all policies. This feature requires that you setup a Log Analytics Workspace to store the data and once data is gathered over time, you’re presented with a dashboard and statistics allowing you to review past and ongoing Conditional Access policy data.

and before we end this post, here are a few Conditional Access policy configurations to avoid.

Conditional Access policy configurations to avoid

  • Block access for ALL, including users, cloud apps and all platforms. You don’t want to be blocking your entire organisation.

  • Require ALL devices to be marked as compliant for all users and cloud apps
    For users who have not yet enrolled their devices, this policy blocks all access including access to the Intune portal. If you are an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.

  • Require Hybrid Microsoft Entra ID domain joined device for all users and cloud apps
    This access blocking policy has the potential to block access for all users in your organisation if they don’t have a hybrid Microsoft Entra ID joined device.

  • Require app protection policy for all users and cloud apps
    This access blocking policy has the potential to block access for all users in your organisation if you don’t have an Intune policy. If you are an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.

and that’s it.

I hope you found this post useful. If you have any questions or feedback, please feel free to comment below.

Thank you and see you at the next post 🙂

Microsoft Entitlement Management – Create an Access Package

Posted on by Imran Rashid
Reading Time: 11 minutes


In this post I will explain the purpose of Microsoft Entitlement Management and a step by step set up guide.

What is Entitlement Management?
An employee joins a company or a new team and has no idea what groups, applications, and SharePoint Online sites they require access to perform their job. When the employee finally figures out what access is required, they face difficulty locating the right individuals to approve their access. Furthermore, the employee may not have been able to locate all the resources they require access to. But it gets worse because once users find and receive access to a resource, they may hold on to access longer than is required. The end result is that a lot of time is wasted and can cause frustration when an employee is not able to be productive in their role.

Entitlement management can help address these challenges. This service can control who can gain access to applications, groups, Teams and SharePoint sites, with multi stage approval, and ensure users don’t retain access indefinitely through time limited assignments and recurring access reviews. You can give users access automatically to those resources, based on the user’s properties like department or cost centre, and remove a user’s access when those properties change. You can delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request.

When a user who isn’t yet in your directory requests access, and is approved, they’re automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed. We need to ensure that we grant employees the right level of access they need to be productive and remove their access when it’s no longer needed.

Pre-requisites
To use entitlement management, you must have one of the following licenses:

  1. Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses (Entra Governance provides additional capabilities compared to Entra ID P2. Visit the following link for a comparison. Entra ID Licenses Comparison
  2. Enterprise Mobility + Security (EMS) E5 license

    Prerequisite role:
  1. Global administrator or Identity Governance Administrator


Configuring Entitlement Management Step by Step

Now that we have a basic understanding of Entitlement Management, let’s go through and create an access package and allow a user to access the package.

  1. Login to entra.microsoft.com or access portal.azure.com. For the purpose of this post, I will be using entra.microsoft.com

  2. From the left pane, expand Identity > Identity Governance > Click Entitlement Management


3. We first create a catalog but what is the purpose of a catalog? Let’s find out.

A catalog serves as a container for resources and access packages. When you want to group related resources and access packages together, you create a catalog. The person who creates the catalog becomes its initial owner. The resources we will add later in this post must exist inside a catalog. Let’s create an empty catalog for now and cover the rest later.

Click Catalogs and Click +New Catalog


4. I’ll be creating a catalog for the Sales team

I will be enabling this catalog and enabling access for internal and external users so users from external directories can also request access. You could also disable this catalog until you are ready to publish. This will ensure that it’s not visible to users until you are ready.


5. Click Create and an empty catalog will be deployed in a few seconds. The catalog includes no access packages and resources for now.

6. Now we add resources to the catalog. The resources can include applications, SharePoint sites and Groups. There is a new addition coming soon at the time of writing this post, and that’s the capability to add Microsoft Entra Roles. Access the Sales Catalog created earlier.

7. From the left pane, click resources


8. Click + Add Resources


9. For the purpose of this demo, I’ll be adding a Group, Application and a SharePoint site.


Note: Groups synced from on-premises can not be added as a resource

10. When done, click the Add button found towards the left bottom corner.

11. Allow the resources to be added. This takes a few seconds


12. Now that I have added the resources to the catalog and because I was the one who created the catalog, I become the owner by default. I will now add another owner to the catalog so I can share the responsibility with a group of owners.

From the left pane, click Roles and Administrators


13. I have the options to add different admins to a number of roles, including, catalog owner, catalog reader, add access package manager and add access package assignment manager.

I’ll be adding another catalog owner, click + Add catalog owner


14. For the purpose of this demo, I’ll be adding an existing group of users

15. If there is a need to disable or enable the Catalog so it is not visible to users, or if you wish to change the description, click the overview option available in the left pane.


Create Access Package

16. Now we need to advertise and make our catalog available to users. This is where we introduce an access package. From the left pane, click Access package and + New access package


17. Give your access package a name, for the purpose of this demo, I’ll be naming the access package Sales Access Package.

18. Give the access package a suitable description

19. Click Next: resource roles

20. Next, I click Groups and Teams and the one group I added to the catalog should be visible. At this point you can set the role for the group. For example, a user who requests access to this package will become an owner of the group or member. I’ll be selecting Member.

Note: if you only see the option of owner, you may have selected a dynamic group. The member option is not available by design.


We are also able to configure permissions for the other resources, SharePoint sites and Apps as shown in the image below.


21. Click applications and the one App I added to the Catalog earlier is visible. Finally I add the SharePoint site from the catalog, as you can see the Catalog includes resources I can select. Similar to going through and shopping for clothes in a catalog. 🙂

Note: if you wish to add more resources at this point, you can enable the option to see all groups and Teams, or all apps, or all SharePoint sites. Below is an example where I can enable a check box to view all Groups and Teams which were not originally added to the Sale Catalog.


21. When ready, click next to move onto the Request tab


22. This is where we configure who in our organisation can request this package, as in access to the SharePoint site, a group and one application. This is known as the policy.

  • For users in your directory
    This option only allows users in your Entra ID to request access.

  • For users not in your directory
    You add a connected organisation for the Microsoft Entra directory or domain you want to collaborate with. A connected organisation is another organisation that you have a relationship with. In order for the users in that organisation to be able to access your resources, such as your SharePoint Online sites or apps, you’ll need a representation of that organisation’s users in that directory. Because in most cases the users in that organisation aren’t already in your Microsoft Entra directory, you can use entitlement management to bring them into your Microsoft Entra directory as needed.

  • None (administrator direct assignments only)
    Administrators will need to verify that the users are eligible for that access package based on the existing policy requirements. Otherwise, the users won’t successfully be assigned to the access package.

23. I select For users in your directory


24. After enabling the option in step 23 above, a further option to select users or groups who can request this package becomes available. As shown in the image below.


25. Click the option + Add users and groups

26. Select a group of users who will be allowed to request access to this package. This could include groups created in Entra ID or synced from on-premises. You can also configure whether guests are allowed or excluded from requesting this package.

27. Next, I configure require approval to Yes, which makes further approval options visible. When users request for this package, someone in the organisation can review and approve/deny access. I’ll be configuring approvals as per the below,

  • Require approval: Yes
  • Require requester justification: Users must provide a justification to request an access package. Justification is visible to other approvers and the requestor.
  • How many stages: How many people in your organisation need to approve before the package/resources are made available to the user requesting access. I could have one, two or three people approve access before the package is made available to the user.

28. For the purpose of this demo, I require one approver and that approver will be me. It is recommended to add a group instead of an individual user as an approver.

We could also select the user’s manager to approve access. A manager must be added to the users account for this to work.


29. The next option is, Decision must be made in how many days? this is set to 14 days by default.

The approver must review and make a decision within 14 days. If a request is not approved within this time period, it will be automatically rejected. Minimum is one day and maximum 14 days. Feel free to lower the days as needed.

30. Next option: Require approver justification – The approver must provide a justification for their decision. Justification is visible to other approvers and the requestor.


31. Click Show advanced request setting

A further option: If no action taken, forward to alterative approver

This option allows the approval request to be forwarded to an alternative approver if the original approver does not respond on time.


32. Finally, we have the choice to enable or disable new requests. When disabled, no new requests can be made using this policy. Select Yes to enable this access package to be requested as soon as it’s created.


Required Verified IDs: this is a feature which requires a Microsoft Entra ID Governance license. Sometimes you may want users to present additional identity proofs during the request process such as a training certification, work authorisation, or citizenship status. As an access package manager, you can require that requestors present a verified ID containing those credentials from a trusted issuer. Approvers can then quickly view if a user’s verifiable credentials were validated at the time that the user presented their credentials and submitted the access package request. As an access package manager, you can include verified ID requirements for an access package at any time by editing an existing policy or adding a new policy for requesting access. I published a post about Verified ID at the following link, What is Microsoft Entra Verified ID? | Cloud Build

33. Next, we move onto the Requester information tab. If needed we can ask questions to collect more information from the requestor and specify whether the question is mandatory or optional.


34. Click next to move to the lifecycles tab.

On the Lifecycle tab, you specify when a user’s assignment to the access package expires. You can also specify whether users can extend their assignments and if further approval is required. In the Expiration section we have the following options.

  • Access package assignments expire 
    We can set to number of days, number of hours, a particular date or never expires.

  • Assignments expire after number of days.
    Depending on the option set above, this field changes. I selected Number of days, therefore, I need to specify the number of days before access expires for the user.

  • Users can request specific timeline
    If enabled, users requesting this access package will be able to submit a custom start or end date for their access. Their request cannot extend beyond the timeline defined in the policy for the access package.

  • Allow users to extend an access
    When enabled, users will be able to request extension of their access to this package before their access expires.

  • Require approval to grant extension
    If an extension is requested, same approval settings used to approve initial access will apply.

  • Require access reviews
    When switched to Yes, further options are visible as shown in the image below. To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in entitlement management. You can enable reviews when you create a new access package or edit an existing access package assignment policy. Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses are required for all approvers. Approvers can include Global administrator, Identity Governance administrator, Catalog owner, or Access package manager.

    I have set access reviews to no for the purpose of this demo


35. Finally, we move to the last tab, Custom Extensions

Custom extension are part of the Entra ID Governance license.

Custom extensions allows the use of Logic Apps to automate certain tasks. For example, you could use custom extensibility and an Azure Logic App to automatically send notifications to end users on Microsoft Teams when they receive or are denied access to an access package. Or a user is sent a custom email, for example a company wants to send an email to the sales team when a user is granted the sales team access package, so they are aware that a new sales member has joined the team. Or when a new user is approved for access to the Sales team Access Package, a Logic App is automatically triggered which also assigns that person to the appropriate deals and contacts within Sales Force. Likewise, when someone is removed from the Access Package, a different Logic App is automatically triggered and does the reassignment for the Salesforce artifacts they were responsible for. Automating these processes allows the team to focus more on getting actual work done rather than managing access. And more!


36. Click Review and Create.

Review your choices and click create.

In the next post we will go through the process of requesting the access package as a user and go through the approval process. Click the following link to continue, Microsoft Entitlement Management – Request Access to an Access Package | Cloud Build.

Microsoft Entitlement Management – Request Access to an Access Package

Posted on by Imran Rashid
Reading Time: 3 minutes


In the previous post I went through the process of creating an access package step by step. I would recommend having a read at the following link, Microsoft Entitlement Management – Create an Access Package | Cloud Build

In this post, I will perform the steps as an internal requestor named Patti Fernandez and request access to the newly created access package created as part of the previous blog post.

  1. Open your access package


2. From the left pane click Overview


3. You could request access via the unique access link available under the field My Access portal link


4. Or the user requesting access could visit https://myaccess.microsoft.com

Previously I created a package and granted a group permission which included a user named Patti Fernandez

I visit https://myaccess.microsoft.com and login as Patti Fernandez

5. From the left pane, click Access packages


6. and there is the Sales Access Package I created earlier. Under the column Actions, click Request.


7. Before clicking continue, I have the opportunity to check the resources I will be granted access to by clicking the Resources tab. I can also copy the link and share with a colleague.

Click continue


8. As per my request policy I configured earlier, I am asked to provide a justification. I also allowed users to specify if they require access to a package between certain dates so the option is available for the requester if they wish to input a custom date.

Click Submit Request


9. I now need to wait for approval. Why? because I specified that approval was required before a user could gain access to the package. The approver was me. I’ll receive an email to notify me a request is pending approval.


10. I login to https://myaccess.microsoft.com as the approver

11. From the left pane, click Approvals.


12. Review the access and approve or deny. Click Submit


The user is granted access to the resources I specified in the access package.

I hope you found this post useful. See you at the next post.