
Microsoft to Close Conditional Access Loophole in Entra ID Sign‑Ins

Microsoft Entra ID has closed a Conditional Access loophole by ensuring policies are re-evaluated during step-up authentication, strengthening protection for sensitive applications within active sessions.

Hopefully you are already using Entra ID’s Conditional Access policies. They’re brilliant tools! Think of them as digital bouncers, checking each sign-in against rules you set. For example, requiring Multi-Factor Authentication (MFA), requiring a compliant device, or blocking access from suspicious locations before granting entry to company email, documents or applications.

However, there was a loophole, and it involved how Entra ID handled “step-up authentication”. Imagine Karen in accounting signing in initially with her username and password (maybe on her phone). Entra ID evaluated your Conditional Access policies at that sign-in and let her in. Later in the same session she opens a highly sensitive payroll app that requires a stronger credential, such as a FIDO2 security key. Here is where the loophole sat: Entra ID prompted Karen for the stronger credential, but it did not re-evaluate the Conditional Access policies at that point. It treated the original sign-in evaluation as good for the whole session, even if your policies should have blocked access to payroll based on her current context, such as her location or the state of her device.

This created a real risk. If Karen’s device or connection was compromised after that initial sign-in (e.g. a malware infection), the conditions that would normally block payroll access, such as a non-compliant device or an untrusted location, were never checked again, so an attacker riding her existing session could reach the sensitive application even though your policy was meant to stop it. The strong credential proved who Karen was; it did not prove that her device or location still met your rules.

The good news? Microsoft has closed this gap. Entra ID now re-evaluates Conditional Access policies whenever authentication is elevated within an existing session. So, when Karen steps up with her security key for that payroll app, Entra ID runs your policies again at that point, re-checking her location, device compliance status and any other conditions you have configured, BEFORE letting her near the sensitive data.
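As an added worked example (this is not code from the original post, nor Microsoft’s own), here is what a Conditional Access policy for the payroll scenario looks like when created with the Microsoft Graph PowerShell SDK: it targets only the payroll app, requires the built-in “Phishing-resistant MFA” authentication strength (which FIDO2 security keys satisfy) plus a compliant device, excludes an emergency-access account so you cannot lock yourself out, and starts in report-only mode. The application ID, the break-glass account ID and the policy name are placeholders rather than real values; the authentication-strength ID is Microsoft’s built-in one.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and an account that can manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# ASSUMPTIONS: placeholder IDs, replace with your own values.
$payrollAppId     = '00000000-0000-0000-0000-00000000abcd'   # client ID of the payroll app
$breakGlassUserId = '11111111-1111-1111-1111-111111111111'   # emergency-access (break-glass) account

# Built-in authentication strength "Phishing-resistant MFA"
# (FIDO2 security key, Windows Hello for Business, certificate-based auth).
$phishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'CA-Payroll-PhishingResistantMFA-CompliantDevice'
    # Report-only first: the policy is evaluated and logged but not enforced.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassUserId)   # never lock out the break-glass account
        }
        applications = @{
            includeApplications = @($payrollAppId) # scope to the sensitive app only
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator = 'AND'                                   # ALL controls must be satisfied
        builtInControls = @('compliantDevice')             # Intune-compliant device required
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Quick check for your IT team: which policies are enforcing, and which are still
# report-only or disabled, and what each one actually requires.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'BuiltInControls'; e = { $_.GrantControls.BuiltInControls -join ',' } },
        @{ n = 'AuthStrengthId'; e = { $_.GrantControls.AuthenticationStrength.Id } } |
    Sort-Object State, DisplayName |
    Format-Table -AutoSize
```

Leave the policy in report-only mode for a while and review the Conditional Access results on sign-ins to the payroll app before changing `state` to `enabled`; this is where you confirm that legitimate users on compliant devices with a security key get through, and that nobody is relying on a password-only session to reach payroll.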

VMhosts always recommends Conditional Access policies and making the most of the security features included with your Microsoft 365 licensing, and now that this loophole is closed they are even more effective. Check with your IT team that you are as secure as you can be!
