Conditional Access: Resilience defaults
If there was an outage of the primary authentication service, the Microsoft Entra Backup Authentication Service can automatically issue access tokens to applications for existing sessions. This functionality significantly increases Microsoft Entra resilience, because reauthentications for existing sessions account for more than 90% of authentications to Microsoft Entra ID. The Backup Authentication Service doesn't support new sessions or authentications by guest users.
For authentications protected by Conditional Access, policies are reevaluated before access tokens are issued to determine:
- Which Conditional Access policies apply?
- For policies that do apply, were the required controls are satisfied?
During an outage, not all conditions can be evaluated in real time by the Backup Authentication Service to determine whether a Conditional Access policy should apply. Conditional Access resilience defaults are a new session control that lets admins decide between:
- Whether to block authentications during an outage whenever a policy condition can’t be evaluated in real-time.
- Allow policies to be evaluated using data collected at the beginning of the user’s session.
Important
Resilience defaults are automatically enabled for all new and existing policies, and Microsoft highly recommends leaving the resilience defaults enabled to mitigate the impact of an outage. Admins may disable resilience defaults for individual Conditional Access policies.
How does it work?
During an outage, the Backup Authentication Service will automatically reissue access tokens for certain sessions:
Session description | Access granted |
---|---|
New session | No |
Existing session - No Conditional Access policies are configured | Yes |
Existing session - Conditional Access policies configured and the required controls, like MFA, were previously satisfied | Yes |
Existing session - Conditional Access policies configured and the required controls, like MFA, weren't previously satisfied | Determined by resilience defaults |
When an existing session expires during a Microsoft Entra outage, the request for a new access token is routed to the Backup Authentication Service and all Conditional Access policies are reevaluated. If there are no Conditional Access policies or all the required controls, such as MFA, were previously satisfied at the beginning of the session, the Backup Authentication Service issues a new access token to extend the session.
If the required controls of a policy weren't previously satisfied, the policy is reevaluated to determine whether access should be granted or denied. However, not all conditions can be reevaluated real time during an outage. These conditions include:
- Group membership
- Role membership
- Sign-in risk
- User risk
- Country/region location (resolving new IP or GPS coordinates)
Resilience defaults enabled
When resilience defaults are enabled, the Backup Authentication Service uses data collected at the beginning of the session to evaluate whether the policy should apply in the absence of real-time data. By default, all policies have resilience defaults enabled. The setting might be disabled for individual policies when real-time policy evaluation is required for access to sensitive applications during an outage.
Example: A policy with resilience defaults enabled requires all users assigned a privileged role accessing Microsoft Admin portals to do MFA. Before an outage, if a user who isn't assigned an administrator role accesses the Azure portal, the policy wouldn't apply, and the user would be granted access without being prompted for MFA. During an outage, the Backup Authentication Service would reevaluate the policy to determine whether the user should be prompted for MFA. Since the Backup Authentication Service cannot evaluate role membership in real-time, it would use data collected at the beginning of the user’s session to determine that the policy should still not apply. As a result, the user would be granted access without being prompted for MFA.
Resilience defaults disabled
When resilience defaults are disabled, the Backup Authentication Service won't use data collected at the beginning of the session to evaluate conditions. During an outage, if a policy condition can’t be evaluated in real-time, access is denied.
Example: A policy with resilience defaults disabled requires all users assigned a privileged role accessing Microsoft Admin portals to do MFA. Before an outage, if a user who isn't assigned an administrator role accesses the Azure portal, the policy wouldn't apply, and the user would be granted access without being prompted for MFA. During an outage, the Backup Authentication Service would reevaluate the policy to determine whether the user should be prompted for MFA. Since the Backup Authentication Service cannot evaluate role membership in real-time, it would block the user from accessing the Azure Portal.
Warning
Disabling resilience defaults for a policy that applies to a group or role will reduce the resilience for all users in your tenant. Since group and role membership cannot be evaluated in real-time during an outage, even users who do not belong to the group or role in the policy assignment will be denied access to the application in scope of the policy. To avoid reducing resilience for all users not in scope of the policy, consider applying the policy to individual users instead of groups or roles.
Testing resilience defaults
It isn't possible to conduct a dry run using the Backup Authentication Service or simulate the result of a policy with resilience defaults enabled or disabled at this time. Microsoft Entra conducts monthly exercises using the Backup Authentication Service. The sign-in logs display if the Backup Authentication Service was used to issue the access token. In Identity > Monitoring & health > Sign-in Logs blade, you can add the filter "Token issuer type == Microsoft Entra Backup Auth" to display the logs processed by Microsoft Entra Backup Authentication service.
Configuring resilience defaults
You can configure Conditional Access resilience defaults from the Microsoft Entra admin center, MS Graph APIs, or PowerShell.
Azure portal
- Navigate to the Microsoft Entra ID > Security > Conditional Access
- Create a new policy or select an existing policy
- Open the Session control settings
- Select Disable resilience defaults to disable the setting for this policy. Sign-ins in scope of the policy are blocked during a Microsoft Entra outage
- Save changes to the policy
Microsoft Graph APIs
You can also manage resilience defaults for your Conditional Access policies using the MS Graph API.
Sample request URL:
PATCH https://microsoftgraph.chinacloudapi.cn/beta/identity/conditionalAccess/policies/policyId
Sample request body:
{
"sessionControls": {
"disableResilienceDefaults": true
}
}
PowerShell
This patch operation can be deployed using Microsoft PowerShell after installation of the Microsoft.Graph.Authentication module. To install this module, open an elevated PowerShell prompt and execute
Install-Module Microsoft.Graph.Authentication
Connect to Microsoft Graph, requesting the required scopes:
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes 'Policy.Read.All,Policy.ReadWrite.ConditionalAccess,Application.Read.All'
Authenticate when prompted.
Create the JSON body for the PATCH request:
$patchBody = '{"sessionControls": {"disableResilienceDefaults": true}}'
Execute the patch operation:
Invoke-MgGraphRequest -Method PATCH -Uri https://microsoftgraph.chinacloudapi.cn/beta/identity/conditionalAccess/policies/<PolicyID> -Body $patchBody
Recommendations
Microsoft recommends enabling resilience defaults. While there are no direct security concerns, customers should evaluate whether they want to allow the Backup Authentication Service to evaluate Conditional Access policies during an outage using data collected at the beginning of the session as opposed to in real time.
It's possible that a user’s role or group membership changed since the beginning of the session. With Continuous Access Evaluation (CAE), access tokens are valid for 24 hours, but subject to instant revocation events. The Backup Authentication Service subscribes to the same revocation events CAE. If a user’s token is revoked as part of CAE, the user is unable to sign in during an outage. When resilience defaults are enabled, existing sessions that expire during an outage will be extended. Sessions are extended even if the policy was configured with a session control to enforce a sign-in frequency. For example, a policy with resilience defaults enabled might require that users reauthenticate every hour to access a SharePoint site. During an outage, the user’s session would be extended even though Microsoft Entra ID might not be available to reauthenticate the user.