I've noticed a concerning issue with Entra PIM's Conditional Access policies for authentication contexts. When using Microsoft Edge on Windows or Safari on iOS, the requirement to reauthenticate each time works just fine. However, if I switch to third-party browsers like Brave or Firefox Focus, it seems to ignore this rule and allows PIM access without prompting for new authentication. I came across a previous discussion about a similar problem, but it seems like the issue was claimed to have resolved itself. I can still replicate this issue consistently. Is this a bug or an oversight? It makes me worried about the security implications if this feature relies on user choice of browser.
5 Answers
Are you sure that you're actively enforcing the authentication context with a Conditional Access policy? I had a similar situation where the policy didn't seem effective because the UI wasn't properly showing its status. Also, checking the sign-in logs or the browser's developer tools might give some clues about what's going wrong.
Honestly, I believe the best approach with PIM is to stick to strong conditional access policies instead of relying on authentication contexts. It minimizes headaches down the line. We implement CAPs to enforce strict authentication for certain accounts and use authentication contexts to add an extra layer against on-device hijacking.
I did a quick check and noticed that with Brave, there’s no prompt for reauthentication. It’s concerning that browser choice can impact authentication.
Have you considered blocking unknown browsers? It might help with some of these issues.
I completely get where you're coming from with your concerns. We try to combine various measures like PIM approver requirements and advanced detections to reinforce security while making sure legit users aren’t affected. We have to prevent privilege escalation but without causing too much friction for everyone else.
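As an added example that is not part of this thread, the check suggested above (look at the sign-in logs) written as a small Python triage script over constructed sign-in records. It flags sign-ins where an authentication context was demanded but no Conditional Access policy reported success, and groups them by browser so a gap like the one described is visible. The field names and the `"required"` detail value mirror the Entra ID sign-in log schema as I know it and are assumptions; the records are constructed, not real log data.

```python
"""Find sign-ins where a PIM authentication context was required but no
Conditional Access policy actually enforced it, grouped by browser."""
import json
from collections import defaultdict

# Constructed sample records (not real logs). Field names are assumed to
# follow the Entra ID sign-in log schema. Brave reports itself as Chrome.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example",
     "deviceDetail": {"browser": "Edge 120.0.0"},
     "authenticationContextClassReferences": [{"id": "c1", "detail": "required"}],
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "PIM-AuthContext-Reauth", "result": "success"}]},
    {"userPrincipalName": "alice@contoso.example",
     "deviceDetail": {"browser": "Chrome 120.0.0"},
     "authenticationContextClassReferences": [{"id": "c1", "detail": "required"}],
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "PIM-AuthContext-Reauth", "result": "notApplied"}]},
    {"userPrincipalName": "bob@contoso.example",
     "deviceDetail": {"browser": "Mobile Safari 17.0"},
     "authenticationContextClassReferences": [{"id": "c1", "detail": "required"}],
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "PIM-AuthContext-Reauth", "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example",   # ordinary sign-in, no PIM
     "deviceDetail": {"browser": "Firefox 121.0"},
     "authenticationContextClassReferences": [],
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
])

def contexts_required(rec):
    """Ids of the authentication contexts this sign-in had to satisfy."""
    return [c["id"] for c in rec.get("authenticationContextClassReferences", [])
            if c.get("detail") == "required"]

def policy_enforced(rec):
    """True if at least one CA policy applied to the sign-in and succeeded."""
    return any(p.get("result") == "success"
               for p in rec.get("appliedConditionalAccessPolicies", []))

def find_unenforced(records):
    """Map browser -> [(user, [context ids])] for sign-ins with a gap."""
    gaps = defaultdict(list)
    for rec in records:
        ctx = contexts_required(rec)
        if ctx and not policy_enforced(rec):
            browser = rec.get("deviceDetail", {}).get("browser", "unknown")
            gaps[browser].append((rec["userPrincipalName"], ctx))
    return dict(gaps)

def find_sample_gaps():
    return find_unenforced(json.loads(SAMPLE_SIGNINS))

if __name__ == "__main__":
    for browser, hits in find_sample_gaps().items():
        print(f"{browser}: auth context required but not enforced for {hits}")
```

Against real data, feed the output of an Entra sign-in log export (one JSON object per sign-in) to `find_unenforced` instead of the constructed sample.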