drumfert.blogg.se

Disable azure security defaults

If there is an outage of the primary authentication service, the Azure Active Directory (Azure AD) Backup Authentication Service may automatically issue access tokens to applications for existing sessions. This functionality may significantly increase Azure AD resilience, because reauthentications for existing sessions account for more than 90% of authentications to Azure AD. The Backup Authentication Service doesn't support new sessions or authentications by guest users.

For authentications protected by Conditional Access, policies are reevaluated before access tokens are issued to determine:

- Which Conditional Access policies apply?
- For policies that do apply, were the required controls satisfied?

During an outage, not all conditions can be evaluated in real time by the Backup Authentication Service to determine whether a Conditional Access policy should apply. Conditional Access resilience defaults are a new session control that lets admins decide between:

- Blocking authentications during an outage whenever a policy condition can't be evaluated in real time.
- Allowing policies to be evaluated using data collected at the beginning of the user's session.

Resilience defaults are automatically enabled for all new and existing policies, and Microsoft highly recommends leaving the resilience defaults enabled to mitigate the impact of an outage. Admins may disable resilience defaults for individual Conditional Access policies.

How does it work?

During an outage, the Backup Authentication Service will automatically reissue access tokens for certain sessions:

Session description
- Existing session – No Conditional Access policies are configured
- Existing session – Conditional Access policies configured and the required controls, like MFA, were previously satisfied
- Existing session – Conditional Access policies configured and the required controls, like MFA, weren't previously satisfied

When an existing session expires during an Azure AD outage, the request for a new access token is routed to the Backup Authentication Service and all Conditional Access policies are reevaluated. If there are no Conditional Access policies, or all the required controls, such as MFA, were previously satisfied at the beginning of the session, the Backup Authentication Service issues a new access token to extend the session. If the required controls of a policy weren't previously satisfied, the policy is reevaluated to determine whether access should be granted or denied. However, not all conditions can be reevaluated in real time during an outage. These include country/region location (resolving new IP or GPS coordinates). When active, the Backup Authentication Service doesn't evaluate authentication methods required by authentication strengths.
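An added example (not from the original page or from Microsoft): a Python audit that flags Conditional Access policies whose resilience defaults have been disabled, and notes which of them use a location condition, which the Backup Authentication Service cannot reevaluate in real time. It assumes an export shaped like the Microsoft Graph `/identity/conditionalAccess/policies` response, where the setting is `sessionControls.disableResilienceDefaults`; the sample policies and the function name are constructed.

```python
import json

# Constructed sample shaped like the "value" array of a Microsoft Graph
# GET /identity/conditionalAccess/policies response (ids and names are made up).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"id": "00000000-0000-0000-0000-000000000001",
   "displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"locations": null}, "sessionControls": null},
  {"id": "00000000-0000-0000-0000-000000000002",
   "displayName": "Finance app MFA", "state": "enabledForReportingButNotEnforced",
   "conditions": {"locations": null},
   "sessionControls": {"disableResilienceDefaults": true}},
  {"id": "00000000-0000-0000-0000-000000000003",
   "displayName": "Block outside allowed countries", "state": "enabled",
   "conditions": {"locations": {"includeLocations": ["All"],
                                "excludeLocations": ["constructed-location-id"]}},
   "sessionControls": {"disableResilienceDefaults": true}},
  {"id": "00000000-0000-0000-0000-000000000004",
   "displayName": "Compliant device required", "state": "enabled",
   "conditions": {}, "sessionControls": {"disableResilienceDefaults": false}}
]}
""")


def audit_resilience_defaults(policies):
    """Return policies that opted out of resilience defaults, riskiest first."""
    findings = []
    for policy in policies:
        # sessionControls and conditions may be null or missing in an export.
        session = policy.get("sessionControls") or {}
        if session.get("disableResilienceDefaults") is not True:
            continue  # resilience defaults are still enabled (the default)
        locations = (policy.get("conditions") or {}).get("locations") or {}
        findings.append({
            "id": policy["id"],
            "displayName": policy.get("displayName", ""),
            "enforced": policy.get("state") == "enabled",
            "uses_location_condition": bool(
                locations.get("includeLocations") or locations.get("excludeLocations")),
        })
    # Enforced policies with a location condition sort to the top.
    findings.sort(key=lambda f: (not f["enforced"], not f["uses_location_condition"]))
    return findings


if __name__ == "__main__":
    for finding in audit_resilience_defaults(SAMPLE_EXPORT["value"]):
        print(finding)
```

Policies at the top of the output are the ones that would block reauthentication during an outage, so they are the first to review against the recommendation to leave resilience defaults enabled.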














