
Conditional Access is still the engine room of identity security in Entra ID, and Microsoft hasn’t been sitting still in the first half of 2025. A few things that had been sitting in preview for ages have finally gone GA, and there are some new capabilities worth paying attention to. I wanted to round up the changes that actually matter and — more importantly — share my take on what you should be deploying first.

Conditional Access for Workload Identities - GA

About time. Conditional Access for workload identities has finally hit general availability, and it’s a big one. We’ve had decent Conditional Access coverage for user identities for years, but service principals? They’ve been a bit of a blind spot.

You can now build Conditional Access policies targeting workload identities, which lets you:

  • Lock down service principal sign-ins to specific trusted network locations
  • Block workload identities flagged as high risk by Identity Protection
  • Scope policies to individual service principals or apply them across the board

The practical upside is obvious. Got service principals with credentials that could be compromised? You can now control where those credentials work from. I’ve lost count of how many breach investigations I’ve seen where a service principal was the way in. This gives us something real to work with.

One thing to watch: you’ll need Workload Identities Premium licences for this. It’s not bundled with Entra ID P1 or P2. Worth factoring into your budget conversations early. Scope is the other caveat: these policies apply to single-tenant service principals registered in your tenant, not to managed identities and not to multi-tenant SaaS apps, and Block is the only grant control on offer. So what you are really defining is where, and at what risk level, a given credential is allowed to work at all.
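To make that concrete, here is an added example (not code from the original post) that pins one service principal to a trusted egress range and, separately, blocks any tenant service principal that Identity Protection rates as high risk. It uses the Microsoft Graph PowerShell SDK; the service principal name, the CIDR range and the policy names are placeholders I have chosen, and both policies start in report-only mode.

```powershell
# Added example: Conditional Access for a workload identity, report-only first.
# Assumes the Microsoft Graph PowerShell SDK and an account that can manage
# Conditional Access. 'contoso-build-agent' and 203.0.113.0/24 are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# The policy targets the service principal's object ID, not the app (client) ID.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'contoso-build-agent'"
if (-not $sp) { throw 'Service principal not found; check the display name.' }

# Named location covering the build runners' egress addresses (assumed range).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Build runner egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# Policy 1: block this service principal from everywhere except that location.
# Block is the only grant control available for workload identities.
$locationPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'WI - build agent - block outside runner egress'
    state       = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after review
    conditions  = @{
        clientApplications = @{ includeServicePrincipals = @($sp.Id) }
        applications       = @{ includeApplications = @('All') }
        locations          = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: block every service principal in the tenant that Identity
# Protection flags as high risk. 'ServicePrincipalsInMyTenant' is the
# "all single-tenant service principals" selector.
$riskPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'WI - block high-risk service principals'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientApplications         = @{ includeServicePrincipals = @('ServicePrincipalsInMyTenant') }
        applications               = @{ includeApplications = @('All') }
        servicePrincipalRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Created policies: $($locationPolicy.Id), $($riskPolicy.Id)"
```

Leave both in report-only for at least one full batch cycle of whatever the service principal does (nightly jobs are the classic thing people forget), then check the sign-in logs for report-only failures before enforcing.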

Insider Risk Condition

This one’s quite interesting. Insider risk levels from Microsoft Purview can now be used as a condition in your Conditional Access policies. So if someone gets flagged with an elevated insider risk level, you can automatically enforce things like re-authentication, block access to certain apps, or restrict downloads.

It all connects through Adaptive Protection in Purview, which assigns risk levels — minor, moderate, elevated — based on what users are doing. Those risk levels then feed into Conditional Access as a signal you can act on.

The way I see it, this fills a gap that’s been bugging me for a while. Insider risk findings in Purview used to sit in their own little world, disconnected from access controls in Entra ID. Now they talk to each other. If someone’s behaving like a data exfiltration risk, you can respond automatically rather than waiting for a human to spot it and react.

My take: if you’re already running Purview Insider Risk Management, switch this on. If you’re not, this might be the excuse you needed to look at it properly.
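As an added example (not from the original post) of what "switch this on" looks like in policy terms, the block below creates two report-only policies keyed on the Adaptive Protection insider risk level: elevated is blocked outright, moderate is let in but forced to re-authenticate with MFA on every request and routed through Defender for Cloud Apps for session controls. It assumes Adaptive Protection is already enabled in Purview, Graph PowerShell is connected, and the break-glass group ID is a placeholder you replace with your own.

```powershell
# Added example: insider risk level as a Conditional Access condition.
# Assumes Purview Adaptive Protection is on and Graph PowerShell is available.
# The break-glass group ID is a placeholder; always exclude it from risk policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '<break-glass-group-object-id>'   # placeholder

# Elevated insider risk: block access to everything.
$blockElevated = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'IR - elevated insider risk - block'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users             = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications      = @{ includeApplications = @('All') }
        insiderRiskLevels = 'elevated'      # flags value: minor, moderate, elevated
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Moderate insider risk: allow, but MFA on every request and hand the session
# to Defender for Cloud Apps so download restrictions configured there apply.
$stepUpModerate = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'IR - moderate insider risk - MFA every time + session control'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users             = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications      = @{ includeApplications = @('All') }
        insiderRiskLevels = 'moderate'
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency  = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'mcasConfigured' }
    }
}

"Created: $($blockElevated.Id), $($stepUpModerate.Id)"
```

Note the two policies are deliberately split rather than combined, so you can enforce the moderate step-up first and watch how noisy it is before you start hard-blocking anyone.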

Authentication Strength Policies - New Capabilities

Authentication strength has been around for a bit now, but there are some welcome updates. You can define more granular policies and there’s better support for external authentication methods.

What’s changed:

  • Custom authentication strength policies support a wider set of authentication method combinations than before
  • External authentication methods (EAM) can now sit inside authentication strength definitions — important if you’ve got a third-party MFA provider running alongside Entra ID
  • Passkey (FIDO2) requirements can be scoped to specific FIDO2 key providers using AAGUIDs, which is handy if you want to mandate a particular vendor’s keys

If you’re on the phishing-resistant MFA path (and you really should be), these updates make it much easier to be specific about what counts as acceptable authentication for different scenarios. Maybe any phishing-resistant method is fine for general access, but you want a hardware FIDO2 key specifically for privileged admin operations. You can do that now without any workarounds.
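The admin scenario from the paragraph above, as an added example that is not part of the original post: a custom authentication strength that accepts only FIDO2 keys from an approved vendor, bound to Global Administrators through Conditional Access. It uses Graph PowerShell; the AAGUID is a placeholder you replace with the vendor's value from the FIDO Alliance metadata service, and the policy is created report-only.

```powershell
# Added example: vendor-restricted FIDO2 authentication strength for admins.
# Assumes Graph PowerShell. $vendorAaguid is a placeholder, not a real key model.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'Policy.ReadWrite.ConditionalAccess',
                        'RoleManagement.Read.Directory'

$vendorAaguid = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# 1. The strength itself: only the fido2 combination satisfies it.
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = 'Hardware FIDO2 key (approved vendor)'
    description         = 'Phishing-resistant, restricted to approved security keys'
    allowedCombinations = @('fido2')
}

# 2. Narrow the fido2 combination to the approved AAGUID(s).
New-MgPolicyAuthenticationStrengthPolicyCombinationConfiguration `
    -AuthenticationStrengthPolicyId $strength.Id `
    -BodyParameter @{
        '@odata.type'         = '#microsoft.graph.fido2CombinationConfiguration'
        appliesToCombinations = @('fido2')
        allowedAAGUIDs        = @($vendorAaguid)
    } | Out-Null

# 3. Require it for Global Administrators. Role template IDs are the values
#    the 'includeRoles' condition wants; look the role up rather than hardcoding.
$gaRole = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Admins - approved FIDO2 key required'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeRoles = @($gaRole.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

"Strength $($strength.Id) bound by policy $($policy.Id)"
```

Add your break-glass accounts to excludeUsers before this goes anywhere near enforced; a strength that only accepts one vendor's keys is exactly the kind of policy that locks you out when the vendor's key is sitting in a drawer somewhere.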

Authentication Context Expansion

Authentication context is the ability to trigger step-up authentication for a specific action or resource inside an app, not just at the point of sign-in. Microsoft has been steadily widening where it can be requested, and the places it now plugs in are worth a recap.

You can now use authentication context with:

  • SharePoint and OneDrive sensitivity labels — opening a file tagged with a particular sensitivity label can kick off additional authentication
  • Defender for Cloud Apps session policies, giving you finer in-session controls
  • Protected actions in Entra ID for high-stakes admin operations

Where Microsoft’s heading with this is pretty clear. They want authentication context everywhere, so you can demand stronger auth at the point of action rather than just at the front door. I’m a fan. Users sail through their normal daily work without friction, but the moment they try to access something sensitive, they get challenged. That’s the right trade-off between security and usability.
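The plumbing behind all three of those bullets is the same: an authentication context class reference in Entra ID, a Conditional Access policy that targets it, and then the consumer (a sensitivity label, a Defender for Cloud Apps policy, a protected action) simply references the context ID. Here is that first half as an added example, not code from the original post. It uses Graph PowerShell; the context ID c1 and the names are my choices, and binding the context to a label is still done in the Purview portal under the label's site and group settings.

```powershell
# Added example: create an authentication context and the policy that backs it.
# Assumes Graph PowerShell and that 'c1' is unused in the tenant (IDs are c1..c99).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$contextId = 'c1'

# 1. The context itself. isAvailable = $true makes it selectable in Purview,
#    Defender for Cloud Apps and protected-action configuration.
New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter @{
    id          = $contextId
    displayName = 'Highly confidential content'
    description = 'Step-up for labelled sites, session policies and protected actions'
    isAvailable = $true
} | Out-Null

# 2. Use the built-in 'Phishing-resistant MFA' strength rather than a custom one.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw 'Built-in phishing-resistant strength not found.' }

# 3. Policy: whenever any app requests context c1, demand that strength.
#    Note the applications condition targets the context, not a cloud app.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CTX - highly confidential - phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @('<break-glass-user-object-id>')   # placeholder
        }
        applications = @{ includeAuthenticationContextClassReferences = @($contextId) }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

"Context $contextId is enforced by policy $($policy.Id)"
```

Because the policy keys on the context rather than on an app, the same c1 can be attached to a label, a session policy and a protected action without touching Conditional Access again; that is the "everywhere" the paragraph above is describing.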

What Should You Prioritise?

There’s a lot here and it’s easy to get overwhelmed. Here’s my pragmatic view on ordering:

  1. Workload identity policies — if you’ve got service principals with credentials (and most organisations do), locking them down to known IP ranges is a quick win. Figure out which ones are most critical and start there.
  2. Phishing-resistant MFA for admins — if you haven’t mandated phishing-resistant auth for your administrators yet, the updated authentication strength policies make it pretty straightforward. Global Admins first, then work outward.
  3. Insider risk integration — already using Purview? Connect those insider risk signals to Conditional Access. The setup isn’t complicated and it gives you automated response you didn’t have before.
  4. Authentication context on sensitivity labels — if you’ve got sensitivity labels in SharePoint and OneDrive, tying them to authentication context is a smart way to protect your most sensitive content without slowing everyone else down.

Don’t try to tackle the lot in one go. Pick what addresses your biggest risks and deploy it properly — with testing and comms to your users — rather than rushing through everything and causing chaos.

Wrapping Up

Conditional Access keeps evolving, and the first half of 2025 has brought some genuinely useful improvements. Workload identity policies and the insider risk integration are the two I’d call out as most impactful for the majority of organisations.

And please — test in report-only mode first, review the impact, then flip to enforced. I spent a full afternoon once helping a customer recover from a policy change that locked out a critical service account because nobody thought to check whether it’d be caught by the new rule. Don’t be that team.
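Checking report-only impact is a one-function job, so here it is as an added example (not from the original post). Given a policy ID it returns every sign-in in the last day that the policy would have blocked, covering both user sign-ins and, via the beta module, service principal sign-ins, which is exactly the category that bit the customer in the story above. It assumes Graph PowerShell with the beta module installed; the policy ID is a placeholder.

```powershell
# Added example: list sign-ins a report-only policy would have blocked.
# Assumes Microsoft.Graph and Microsoft.Graph.Beta PowerShell modules.
# Service principal sign-ins are only exposed through the beta endpoint.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

function Get-ReportOnlyFailures {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,
        [int] $Hours = 24
    )
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')

    # Interactive user sign-ins (v1.0) and service principal sign-ins (beta).
    $userSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
    $spSignIns   = Get-MgBetaAuditLogSignIn -All -Filter `
        "createdDateTime ge $since and signInEventTypes/any(t: t eq 'servicePrincipal')"

    foreach ($s in (@($userSignIns) + @($spSignIns))) {
        # A report-only policy records 'reportOnlyFailure' where it would have blocked.
        $hit = $s.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
        if ($hit) {
            [pscustomobject]@{
                When      = $s.CreatedDateTime
                Principal = if ($s.ServicePrincipalName) { $s.ServicePrincipalName } else { $s.UserPrincipalName }
                Resource  = $s.ResourceDisplayName
                Ip        = $s.IPAddress
            }
        }
    }
}

# Usage: who would this policy have blocked, and how often?
Get-ReportOnlyFailures -PolicyId '<policy-object-id>' |
    Group-Object Principal | Sort-Object Count -Descending |
    Select-Object Name, Count
```

If a service account shows up in that list, the fix is almost never "enforce anyway"; it is a named location, an exclusion, or a credential that should not exist in the first place.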

If you want to talk through any of these updates or share how the rollout’s going for you, give me a shout.

Further Reading

  • Conditional Access for Workload Identities
  • Insider Risk Condition in Conditional Access
  • Authentication Strength Overview
  • Authentication Context
