Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
If the primary authentication service is unavailable, the Microsoft Entra Backup Authentication Service automatically issues access tokens to applications for existing sessions. This functionality significantly improves Microsoft Entra resilience because reauthentications for existing sessions account for more than 90% of authentications to Microsoft Entra ID. The Backup Authentication Service doesn't support new sessions or authentications by guest users.
For authentications protected by Conditional Access, policies are reevaluated before access tokens are issued to determine:
- Which Conditional Access policies apply?
- For policies that do apply, are the required controls satisfied?
During an outage, the Backup Authentication Service can't evaluate all conditions in real time to determine whether a Conditional Access policy applies. Conditional Access resilience defaults are a new session control that let admins decide between:
- Whether to block authentications during an outage whenever a policy condition can’t be evaluated in real-time.
- Allow policies to be evaluated using data collected at the beginning of the user’s session.
Important
Resilience defaults are automatically enabled for all new and existing policies. Microsoft recommends keeping the resilience defaults enabled to reduce the impact of an outage. Admins can disable resilience defaults for individual Conditional Access policies.
How does it work
During an outage, the Backup Authentication Service reissues access tokens for specific sessions:
| Session description | Access granted |
|---|---|
| New session | No |
| Existing session - No Conditional Access policies are configured | Yes |
| Existing session - Conditional Access policies configured and the required controls, like MFA, were previously satisfied | Yes |
| Existing session - Conditional Access policies configured and the required controls, like MFA, weren't previously satisfied | Determined by resilience defaults |
When an existing session expires during a Microsoft Entra outage, the request for a new access token routes to the Backup Authentication Service, and all Conditional Access policies are reevaluated. If there are no Conditional Access policies, or if all the required controls, such as MFA, were satisfied at the beginning of the session, the Backup Authentication Service issues a new access token to extend the session.
If the required controls of a policy weren't previously satisfied, the policy is reevaluated to determine whether access should be granted or denied. Not all conditions can be reevaluated in real time during an outage. These conditions include:
- Group membership
- Role membership
- Sign-in risk
- User risk
- Country/region location (resolving new IP or GPS coordinates)
Resilience defaults enabled
When resilience defaults are enabled, the Backup Authentication Service uses data collected at the start of the session to evaluate whether the policy applies without real-time data. By default, resilience defaults are enabled for all policies. You can disable the setting for individual policies when real-time policy evaluation is needed to access sensitive applications during an outage.
Example: A policy with resilience defaults enabled requires all users assigned a privileged role accessing Microsoft Admin portals to do MFA. Before an outage, if a user without an administrator role accesses the Azure portal, the policy doesn't apply, and the user gets access without an MFA prompt. During an outage, the Backup Authentication Service reevaluates the policy to decide whether the user needs an MFA prompt. Because the Backup Authentication Service can't evaluate role membership in real-time, it uses data collected at the start of the user’s session to decide that the policy still doesn't apply. As a result, the user is granted access without being prompted for MFA.
Resilience defaults disabled
When resilience defaults are disabled, the Backup Authentication Service doesn't use data collected at the beginning of the session to evaluate conditions. During an outage, if a policy condition can't be evaluated in real time, access is denied.
Example: A policy with resilience defaults disabled requires all users assigned a privileged role accessing Microsoft Admin portals to complete MFA. Before an outage, if a user who isn't assigned an administrator role accesses the Azure portal, the policy doesn't apply, and the user is granted access without being prompted for MFA. During an outage, the Backup Authentication Service would reevaluate the policy to determine whether the user should be prompted for MFA. Because the Backup Authentication Service can't evaluate role membership in real time, it blocks the user from accessing the Azure portal.
Warning
Disabling resilience defaults for a policy that applies to a group or role reduces resilience for all users in the tenant. Because group and role membership can't be evaluated in real time during an outage, even users who don't belong to the group or role in the policy assignment are denied access to the application within the scope of the policy. To avoid reducing resilience for all users not within the scope of the policy, apply the policy to individual users instead of groups or roles.
Testing resilience defaults
You can't conduct a dry run using the Backup Authentication Service or simulate the result of a policy with resilience defaults enabled or disabled. Microsoft Entra runs monthly tests using the Backup Authentication Service. The sign-in logs indicate if the Backup Authentication Service issued the access token. In Entra ID > Monitoring & health > Sign-in Logs, add the filter "Token issuer type == Microsoft Entra Backup Auth" to display the logs processed by Microsoft Entra Backup Authentication Service.
Configuring resilience defaults
Set up Conditional Access resilience defaults using the Microsoft Entra admin center, Microsoft Graph APIs, or PowerShell.
Azure portal
- Navigate to the Microsoft Entra ID > Security > Conditional Access
- Create a new policy or select an existing policy
- Open the session control settings.
- Select Disable resilience defaults to disable the setting for this policy. Sign-ins within the scope of the policy are blocked during a Microsoft Entra outage.
- Save changes to the policy.
Microsoft Graph APIs
Manage resilience defaults for your Conditional Access policies using the MS Graph API.
Sample request URL:
PATCH https://microsoftgraph.chinacloudapi.cn/beta/identity/conditionalAccess/policies/policyId
Sample request body:
{
"sessionControls": {
"disableResilienceDefaults": true
}
}
PowerShell
Deploy this patch operation using Microsoft PowerShell after installing the Microsoft.Graph.Authentication module. Install this module by opening an elevated PowerShell prompt and running
Install-Module Microsoft.Graph.Authentication
Connect to Microsoft Graph and request the required scopes:
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes 'Policy.Read.All,Policy.ReadWrite.ConditionalAccess,Application.Read.All'
Sign in when prompted.
Create a JSON body for the PATCH request:
$patchBody = '{"sessionControls": {"disableResilienceDefaults": true}}'
Run the patch operation:
Invoke-MgGraphRequest -Method PATCH -Uri https://microsoftgraph.chinacloudapi.cn/beta/identity/conditionalAccess/policies/<PolicyID> -Body $patchBody
Recommendations
Microsoft recommends enabling resilience defaults. While there aren't direct security concerns, evaluate whether to let the Backup Authentication Service evaluate Conditional Access policies during an outage using data collected at the beginning of the session instead of in real time.
It's possible that a user’s role or group membership changed since the beginning of the session. With Continuous Access Evaluation (CAE), access tokens remain valid for 24 hours but are subject to instant revocation events. The Backup Authentication Service subscribes to the same revocation events CAE. If a user’s token is revoked as part of CAE, the user can't sign in during an outage. When resilience defaults are enabled, sessions that expire during an outage are extended. Sessions are extended even if the policy is configured with a session control to enforce a sign-in frequency. For example, a policy with resilience defaults enabled might require that users reauthenticate every hour to access a SharePoint site. During an outage, the user’s session is extended even though Microsoft Entra ID might not be available to reauthenticate the user.
Next steps
- Learn more about Continuous Access Evaluation (CAE)