July 30, 2025

Conditional Access vs Identity: Who Actually Decides?


Your best Microsoft 365 security signal isn’t the login—it’s what the identity does next. Wire Conditional Access (the gatekeeper) to listen to Defender for Identity (the watcher), and you’ll auto-raise friction when behavior turns risky—shrinking dwell time, false positives, and your midnight pager duty.

From Gatekeeper to Watcher: How to Fuse Conditional Access with Defender for Identity for Real Identity Resilience

The Core Idea (TL;DR)

  • Conditional Access (CA) is your bouncer. Great at pre-auth decisions.

  • Defender for Identity (DfI) is your CCTV+floor security. Great at post-auth behavior.

  • Real resilience happens when post-auth risk raises pre-auth friction automatically—in-session.


Mental Model

  • Gatekeeper (CA): Who, where, device posture, risk-at-sign-in, session controls.

  • Watcher (DfI + M365 Defender): Lateral movement, abnormal resource access, Kerberoasting/NTLM abuse, privilege hunting.

  • Feedback loop: Watcher flags behavior → raises user risk / session risk → Gatekeeper tightens controls (MFA/step-up, block, restrict session).


Integration Blueprint (what to enable, in order)

  1. Risk-aware CA (baseline)

    • Entra ID Protection: turn on User risk & Sign-in risk evaluation.

    • Create CA policies:

      • Block when User risk = High (or Require password change if your helpdesk can support it).

      • Require MFA when Sign-in risk ≥ Medium.

      • Require compliant device for medium+ sensitivity apps; use device filters for unmanaged devices to route to session controls.

  2. Let the watcher talk to the gatekeeper

    • Ensure DfI is streaming alerts into Microsoft 365 Defender and Sentinel (if used).

    • Automate “Confirm compromised” on users for certain DfI alerts (below). This sets User risk = High in Entra ID Protection → CA reacts.

      • Automation path: M365 Defender Incident → Logic App/Power Automate → Graph Security/Identity Protection API (/riskDetections, /riskyUsers:confirmCompromised) → optional Force sign-out.

    • Turn on Continuous Access Evaluation (CAE) on apps you can (Exchange/SharePoint/Graph) so policy changes cut live tokens.

  3. Session control for containment

    • For unmanaged/risky sessions, use Defender for Cloud Apps (session proxy) from CA:

      • CA → Use Conditional Access App Control (monitor first, then block exfil: download, cut/copy, paste, print, sync).

    • Pair with MDE device risk → Intune compliance → CA “Require compliant device” for sensitive apps.

  4. Privileged identity guardrails

    • PIM enforce Just-in-Time; require MFA + compliant device + no risky user for elevation.

    • CA policy “Block privileged roles if user risk ≥ Low” (yes, Low) to force triage before elevation.


“If This, Then That”: Map DfI Signals to CA Actions

| DfI / M365 Defender signal | Example detection | Automated response |
|---|---|---|
| Suspected lateral movement (SMB/NTLM anomalies, unusual Kerberos TGS spray) | Multiple service tickets from non-admin, out-of-pattern | Confirm user compromised → CA blocks (User risk = High) → Invalidate refresh tokens |
| Unusual resource access (sudden SharePoint site crawl, bulk file access) | Spike in unique sites & downloads vs user baseline | CA step-up MFA + route to App Control (no download/print) for 24–72h |
| Credential theft techniques (Pass-the-Hash/Pass-the-Ticket) | DfI security identity alert | Block + require password reset; device isolate via MDE; disable legacy protocols on offending endpoints |
| Privileged role misuse | New admin portal accesses after-hours | Auto-expire PIM assignment; CA blocks re-login until investigation complete |

Start in audit/monitor for 1–2 weeks, then flip responses to enforce per alert class.


Sample Policies (practical, minimal)

  1. Block when user risk = High

  • Assign: All users (exclude break-glass), All cloud apps

  • Conditions: User risk = High

  • Grant: Block access

  2. Step-up on sign-in risk

  • Assign: All users, High-value apps (Admin portals, Exchange, SharePoint, Entra)

  • Conditions: Sign-in risk ≥ Medium

  • Grant: Require MFA + Require compliant device (or Managed device)

  3. Session contain unmanaged

  • Assign: All users, SharePoint/OneDrive/Teams

  • Device state: Hybrid/Compliant = bypass; Unmanaged = enforce

  • Session: Use Conditional Access App Control (Block downloads)

  4. Privileged elevation guard

  • Assign: Directory roles = Privileged roles

  • Conditions: User risk ≥ Low OR Sign-in risk ≥ Medium

  • Grant: Require MFA + Require compliant device; Block if risk ≥ High
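The four sample policies above expressed as Microsoft Graph `conditionalAccessPolicy` payloads, with a small lint pass for the pitfalls the post calls out (break-glass exclusion, audit before enforce). This is an added example, not the post's own policy export. It assumes the documented Graph v1.0 schema (`POST /identity/conditionalAccess/policies`); the Exchange Online and SharePoint Online app IDs and the Global Administrator role template ID are the well-known first-party values, and every other ID is a labelled placeholder. Two things the schema forces: a policy carries a single grant decision, so the "Block if risk ≥ High" half of policy 4 is covered by policy 1, and conditions within one policy are AND-ed, so the "User risk ≥ Low OR Sign-in risk ≥ Medium" guard becomes two policies.

```python
"""Sample CA policies as Graph conditionalAccessPolicy payloads (added example)."""
from typing import Any, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # audit/monitor first, then "enabled"

BREAK_GLASS_IDS = ["<break-glass-1-object-id>", "<break-glass-2-object-id>"]  # placeholders
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"   # well-known first-party app ID
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000" # well-known app ID (covers OneDrive)
TEAMS = "<teams-app-id>"                                     # placeholder
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # well-known role template ID
OTHER_PRIVILEGED_ROLES = ["<privileged-role-template-id>"]  # placeholder


def _users(**extra: Any) -> Dict:
    return {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS_IDS, **extra}


def block_high_user_risk() -> Dict:
    return {"displayName": "CA01 - Block when user risk is High", "state": REPORT_ONLY,
            "conditions": {"users": _users(), "applications": {"includeApplications": ["All"]},
                           "userRiskLevels": ["high"]},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


def stepup_on_signin_risk() -> Dict:
    return {"displayName": "CA02 - Step-up on medium+ sign-in risk", "state": REPORT_ONLY,
            "conditions": {"users": _users(),
                           "applications": {"includeApplications":
                                            ["MicrosoftAdminPortals", EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
                           "signInRiskLevels": ["medium", "high"]},
            "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}}


def session_contain_unmanaged() -> Dict:
    # Exclude-mode device filter: compliant or hybrid-joined devices bypass the policy,
    # every other device is routed through Defender for Cloud Apps session control.
    return {"displayName": "CA03 - Unmanaged sessions: app control, block downloads",
            "state": REPORT_ONLY,
            "conditions": {"users": _users(),
                           "applications": {"includeApplications": [SHAREPOINT_ONLINE, TEAMS]},
                           "devices": {"deviceFilter": {
                               "mode": "exclude",
                               "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'}}},
            "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                                     "cloudAppSecurityType": "blockDownloads"}}}


def privileged_elevation_guard(risk_condition: Dict[str, List[str]]) -> Dict:
    # One policy per risk type, because conditions inside a policy are AND-ed.
    kind = next(iter(risk_condition))
    return {"displayName": f"CA04 - Privileged roles: MFA + compliant device ({kind})",
            "state": REPORT_ONLY,
            "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE, *OTHER_PRIVILEGED_ROLES],
                                     "excludeUsers": BREAK_GLASS_IDS},
                           "applications": {"includeApplications": ["All"]}, **risk_condition},
            "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}}


def all_policies() -> List[Dict]:
    return [block_high_user_risk(), stepup_on_signin_risk(), session_contain_unmanaged(),
            privileged_elevation_guard({"userRiskLevels": ["low", "medium", "high"]}),
            privileged_elevation_guard({"signInRiskLevels": ["medium", "high"]})]


def _placeholders(node: Any) -> List[str]:
    if isinstance(node, str):
        return [node] if node.startswith("<") else []
    if isinstance(node, dict):
        return [p for v in node.values() for p in _placeholders(v)]
    if isinstance(node, list):
        return [p for v in node for p in _placeholders(v)]
    return []


def lint(policy: Dict) -> List[str]:
    """Findings a reviewer would raise before this policy is created."""
    findings = []
    users = policy["conditions"]["users"]
    if not set(BREAK_GLASS_IDS) <= set(users.get("excludeUsers", [])):
        findings.append("break-glass accounts not excluded")
    if policy["state"] != REPORT_ONLY:
        findings.append("new policy should start report-only (audit) before enforce")
    findings += [f"placeholder still present: {p}" for p in _placeholders(policy)]
    return findings


def to_request(policy: Dict) -> Dict:
    return {"method": "POST", "url": f"{GRAPH}/identity/conditionalAccess/policies", "body": policy}


if __name__ == "__main__":
    for p in all_policies():
        print(p["displayName"], lint(p))
```

Create the policies report-only, watch the sign-in logs for what each would have done, then flip `state` to `enabled` per policy; `lint` is the pre-flight gate to wire into the pipeline that pushes them.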


Automation Playbooks (ready-to-wire)

Playbook A: DfI high-severity alert → Contain identity

  • Trigger: M365 Defender incident with tag IdentityThreatHigh

  • Actions:

    1. Graph – confirm user compromised (set User risk High)

    2. Entra – revoke refresh tokens

    3. Intune/MDE – device isolate (if single primary device)

    4. ServiceNow/JSM – create ticket with timeline + artifacts

    5. Notify SOC + owner via Teams adaptive card (one-click rollback if FP)
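Playbook A (and the automation path from step 2 of the blueprint) as code, including the multi-signal gate the pitfalls section recommends instead of auto-confirming on a single alert. This is an added example, not the post's own Logic App. It assumes the documented Graph v1.0 endpoints `POST /identityProtection/riskyUsers/confirmCompromised` (body `{"userIds": [...]}`) and `POST /users/{id}/revokeSignInSessions`; the `Incident` and `Alert` classes are simplified stand-ins for the Defender XDR incident payload, and HTTP is injected as a `send` callable so the module runs offline as a dry run. The break-glass UPNs and the sample incident are constructed.

```python
"""Playbook A: multi-signal gate, then contain the identity via Graph (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed break-glass UPNs: excluded from risk policies, never auto-confirmed.
BREAK_GLASS_UPNS = {"bg-admin-1@contoso.example", "bg-admin-2@contoso.example"}


@dataclass
class Alert:
    source: str           # "DefenderForIdentity", "DefenderForCloudApps", ...
    severity: str         # "low" | "medium" | "high"
    title: str
    account_upn: str
    account_object_id: str
    timestamp: datetime   # UTC


@dataclass
class Incident:
    tags: List[str]
    alerts: List[Alert]


def is_off_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """Weekend, or outside the assumed 07:00-19:00 UTC business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def count_signals(incident: Incident) -> int:
    """The gate from the pitfalls list: DfI high + unusual download + off-hours."""
    signals = 0
    if any(a.source == "DefenderForIdentity" and a.severity == "high" for a in incident.alerts):
        signals += 1
    if any("unusual file download" in a.title.lower() for a in incident.alerts):
        signals += 1
    if any(is_off_hours(a.timestamp) for a in incident.alerts):
        signals += 1
    return signals


def should_contain(incident: Incident, min_signals: int = 2) -> bool:
    """Trigger: tagged IdentityThreatHigh and enough corroborating signals."""
    return "IdentityThreatHigh" in incident.tags and count_signals(incident) >= min_signals


def build_containment_requests(incident: Incident) -> List[Dict]:
    """Steps 1-2 of Playbook A: confirm compromised (user risk -> High, so the CA
    block policy fires) and revoke refresh tokens for every non-break-glass user."""
    targets = sorted({(a.account_upn.lower(), a.account_object_id) for a in incident.alerts
                      if a.account_upn.lower() not in BREAK_GLASS_UPNS})
    if not targets:
        return []
    requests = [{"method": "POST",
                 "url": f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
                 "body": {"userIds": [oid for _, oid in targets]}}]
    for _, oid in targets:
        requests.append({"method": "POST", "url": f"{GRAPH}/users/{oid}/revokeSignInSessions",
                         "body": {}})
    return requests


def run_playbook(incident: Incident, send: Callable[[Dict], int]) -> List[Dict]:
    """Evaluate the gate, send each request, return what was sent."""
    if not should_contain(incident):
        return []
    sent = build_containment_requests(incident)
    for req in sent:
        send(req)
    return sent


def sample_incident(high_confidence: bool = True) -> Incident:
    """Constructed: DfI high alert plus an unusual-download alert at 02:15 UTC on a
    Wednesday (three signals). Low-confidence variant: lone medium alert, business hours."""
    upn, oid = "alice@contoso.example", "11111111-1111-1111-1111-111111111111"
    if not high_confidence:
        return Incident(tags=[], alerts=[Alert(
            "DefenderForIdentity", "medium", "Suspicious additions to sensitive groups",
            upn, oid, datetime(2025, 7, 30, 14, 0, tzinfo=timezone.utc))])
    when = datetime(2025, 7, 30, 2, 15, tzinfo=timezone.utc)
    return Incident(tags=["IdentityThreatHigh"], alerts=[
        Alert("DefenderForIdentity", "high", "Suspected identity theft (pass-the-ticket)",
              upn, oid, when),
        Alert("DefenderForCloudApps", "medium", "Unusual file download (by user)", upn, oid, when)])


def dry_run(high_confidence: bool = True) -> List[Dict]:
    """Run with a send() that only records; no network."""
    return run_playbook(sample_incident(high_confidence), send=lambda req: 200)


if __name__ == "__main__":
    for req in dry_run():
        print(req["method"], req["url"], req["body"])
```

Steps 3 to 5 of the playbook (device isolation, ticketing, the Teams card with rollback) hang off the same `run_playbook` path; the gate is deliberately a count of independent signals so a single noisy detector cannot trip containment on its own.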

Playbook B: Anomalous SharePoint access burst

  • Trigger: Defender alert “Unusual file download”

  • Actions:

    1. Tag user UnderInvestigation (AAD extension attribute)

    2. Flip user to CA policy that routes to App Control (no download/print)

    3. Launch eDiscovery hold on affected sites (optional)

    4. Auto-expire containment in 72h unless SOC extends


Hunting & Useful Queries

M365 Defender (Advanced Hunting)

// Spike in SharePoint site access by a user vs 30-day baseline
// Schema notes (verify against your tenant's Advanced Hunting schema reference):
// CloudAppEvents identifies the actor in AccountId (the UPN for SharePoint audit
// events), names the app "Microsoft SharePoint Online", and carries the site URL
// inside the dynamic RawEventData column rather than as a top-level SiteUrl field.
let lookback = 30d;
let recent = 1h;
let baseline = CloudAppEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where Application == "Microsoft SharePoint Online" and ActionType == "FileAccessed"
    | summarize uniqSites = dcount(tostring(RawEventData.SiteUrl)) by AccountId;
CloudAppEvents
| where Timestamp >= ago(recent)
| where Application == "Microsoft SharePoint Online" and ActionType in ("FileDownloaded", "FileAccessed")
| summarize curSites = dcount(tostring(RawEventData.SiteUrl)), dls = countif(ActionType == "FileDownloaded") by AccountId
| join kind=leftouter baseline on AccountId
// coalesce(uniqSites, 1): an account with no baseline trips on more than 3 distinct sites
| where curSites > 3 * coalesce(uniqSites, 1) or dls > 500

Sign-in risk spikes tied to later DfI alerts

// Schema notes: sign-in risk is exposed in AADSignInEventsBeta (RiskLevelDuringSignIn is
// numeric: 0 none, 1 low, 10 medium, 100 high; confirm the encoding in your tenant), not in
// IdentityLogonEvents, and Defender for Identity alerts surface in AlertEvidence with
// ServiceSource = "Microsoft Defender for Identity", not in IdentityDirectoryEvents.
let riskySignIns = AADSignInEventsBeta
    | where RiskLevelDuringSignIn in (10, 100)
    | project AccountUpn, Timestamp, RiskLevelDuringSignIn;
let dfiAlerts = AlertEvidence
    | where ServiceSource == "Microsoft Defender for Identity" and isnotempty(AccountUpn)
    | project AccountUpn, DfiTime = Timestamp, AlertType = Title, Severity;
riskySignIns
| join kind=inner dfiAlerts on AccountUpn
// keep only DfI alerts raised within 4h after the risky sign-in
| where DfiTime between (Timestamp .. Timestamp + 4h)
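The first hunting query's threshold logic, run in Python over constructed CloudAppEvents-style rows so the edge cases can be checked offline before the KQL goes into a custom detection. This is an added example, not the post's query. It assumes rows of the shape `{"Timestamp", "AccountId", "ActionType", "SiteUrl"}` (site URL already extracted from the audit record) and keeps the post's thresholds (3x baseline distinct sites, 500 downloads). The sample events are constructed, and the fourth account shows the `coalesce(uniqSites, 1)` behaviour: an account with no baseline trips on four distinct sites.

```python
"""Per-user SharePoint site-spike detection over constructed events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

NOW = datetime(2025, 7, 30, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def detect_site_spikes(events: Iterable[Dict], now: datetime = NOW,
                       lookback: timedelta = timedelta(days=30),
                       recent: timedelta = timedelta(hours=1),
                       site_factor: int = 3, download_cap: int = 500) -> List[Dict]:
    """Mirror of the KQL: baseline = distinct sites accessed in [now-30d, now-1h);
    current = distinct sites and download count in the last hour."""
    baseline_sites, cur_sites = defaultdict(set), defaultdict(set)
    downloads = defaultdict(int)
    for e in events:
        ts, acct = e["Timestamp"], e["AccountId"]
        if now - lookback <= ts < now - recent:
            if e["ActionType"] == "FileAccessed":
                baseline_sites[acct].add(e["SiteUrl"])
        elif ts >= now - recent and e["ActionType"] in ("FileAccessed", "FileDownloaded"):
            cur_sites[acct].add(e["SiteUrl"])
            if e["ActionType"] == "FileDownloaded":
                downloads[acct] += 1
    hits = []
    for acct, sites in cur_sites.items():
        base = len(baseline_sites.get(acct, ()))
        cur, dls = len(sites), downloads[acct]
        if cur > site_factor * (base or 1) or dls > download_cap:   # coalesce(uniqSites, 1)
            hits.append({"AccountId": acct, "curSites": cur, "baselineSites": base, "downloads": dls})
    return sorted(hits, key=lambda h: h["AccountId"])


def sample_events() -> List[Dict]:
    """Constructed rows: habitual access 10 days ago, activity 10 minutes ago."""
    old, new = NOW - timedelta(days=10), NOW - timedelta(minutes=10)
    rows: List[Dict] = []

    def add(acct: str, ts: datetime, action: str, site: str, n: int = 1) -> None:
        rows.extend({"Timestamp": ts, "AccountId": acct, "ActionType": action,
                     "SiteUrl": f"https://contoso.example/sites/{site}"} for _ in range(n))

    # alice: two habitual sites, then a crawl across seven sites in the last hour
    for s in ("hr", "finance"):
        add("alice@contoso.example", old, "FileAccessed", s)
    for i in range(7):
        add("alice@contoso.example", new, "FileAccessed", f"proj{i}")
    # bob: four habitual sites, a quiet last hour (12 downloads from one site)
    for s in ("eng", "qa", "ops", "hr"):
        add("bob@contoso.example", old, "FileAccessed", s)
    add("bob@contoso.example", new, "FileDownloaded", "eng", n=12)
    # carol: one site only, but 600 downloads in the last hour (bulk pull)
    add("carol@contoso.example", old, "FileAccessed", "legal")
    add("carol@contoso.example", new, "FileDownloaded", "legal", n=600)
    # svc-new: no baseline at all, four sites in the last hour
    for i in range(4):
        add("svc-new@contoso.example", new, "FileAccessed", f"team{i}")
    return rows


if __name__ == "__main__":
    for hit in detect_site_spikes(sample_events()):
        print(hit)
```

The no-baseline case is the one to decide on before enforcing: brand-new accounts and service principals will trip the site-count branch on their first busy hour, so either require a minimum baseline age or route those hits to monitor-only.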

Metrics That Prove It Works

  • Mean Time To Contain (MTTC) identity (alert → CA enforcement) ↓

  • Attacker dwell time (first suspicious action → remediation) ↓

  • Blocked risky sessions (policy-fired events) ↑ while false-positive rate

  • Risky users backlog age (open > 24h) ↓

  • Token revocation latency (sec) ↓

  • Privileged elevation failures due to risk (caught early) ↑ then normalize

  • Secure Score (Identity/Device/Apps) ↑ with no helpdesk ticket spike


30/60/90 Rollout

Days 0–30 (Foundations)

  • Enable Entra User/Sign-in risk & CA baseline policies (audit → enforce).

  • Onboard DfI to M365 Defender; validate alerts & entities.

  • Turn on CAE for supported apps; integrate MDE risk → Intune compliance.

Days 31–60 (Feedback & Containment)

  • Build Playbooks A & B (above) in Logic Apps; start in dry-run.

  • Pilot App Control for unmanaged sessions with 2–3 teams.

  • Add PIM elevation guardrail policy.

Days 61–90 (Enforce & Measure)

  • Flip playbooks to enforce for high-confidence alerts.

  • Stand up an identity security workbook (Sentinel/Power BI) with the metrics list.

  • Quarterly purple-team drill: validate MTTC, token revoke, and CA flips in live fire.


Common Pitfalls (and safer defaults)

  • Pitfall: Only using CA’s sign-in risk → Fix: Also react to user risk and DfI alerts.

  • Pitfall: No CAE → stale tokens keep risky sessions alive → Fix: Enable CAE, build revoke tokens into playbooks.

  • Pitfall: Blocking downloads broadly → user revolt → Fix: Use App Control only on unmanaged or risky.

  • Pitfall: FP storms from aggressive auto-“compromised” → Fix: Gate with multi-signal (DfI high + unusual download + off-hours).

  • Pitfall: Break-glass accounts locked by risk → Fix: Exclude two monitored break-glass accounts; rotate quarterly.


Copy/Paste Artifacts

CAB one-liner for execs

We’ve connected post-login behavior to access decisions. If an account acts unusually, we add friction or block in-session. That shrinks attacker dwell time without slowing normal work.

Change note for admins

  • New CA policies may prompt step-up MFA or block when risk rises. Tokens can be revoked mid-session. Break-glass accounts excluded. Monitor Identity Resilience workbook for impact.

Owner-friendly Teams card (auto)

  • “We noticed unusual file activity on your account. We applied temporary protections (no download on unmanaged). If this was you, click Acknowledge; otherwise click Report.”