Saturday, January 29, 2022

Control Azure AD Conditional Access policy behavior during an Azure AD outage


Kenneth van Surksum
I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studios and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technology department on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position I started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on, but not limited to, System Center design and implementation projects; besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center related classes (SCCM, SCOM and SCSM). In January 2010 I received the Microsoft MVP award with the expertise Setup & Deployment, which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In October 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).

In December last year, Microsoft announced that as of April 1, 2021 it updated its service level agreement (SLA) for Azure AD user authentication from 99.9% to 99.99%. While this might seem like a small update, in reality it makes a difference of 473 minutes (in a year with 365 days).

With 99.9% the allowed downtime was 525 minutes; with 99.99% this is reduced to 52 minutes. That is still inconvenient if you experience, say, 45 minutes of downtime on a Monday morning while everyone is starting their work.

One of the techniques Microsoft rolled out to support the new uptime target is the Azure AD Backup Authentication service, which Microsoft describes as follows:

Azure AD Backup Authentication service runs with decorrelated failure modes from the primary Azure AD system. This backup service transparently and automatically handles authentications for participating workloads as an additional layer of resilience on top of the multiple levels of redundancy in Azure AD. You can think of this as a backup generator or uninterrupted power supply (UPS) designed to provide additional fault tolerance while staying completely transparent and automatic to you.

So what the Azure AD Backup Authentication service basically does is issue tokens to applications for existing sessions when there is an outage of the primary authentication service. New sessions and authentications by guest users are not supported.

Which brings us to Azure AD Conditional Access, since access tokens are re-evaluated against Conditional Access policies before they are issued. When the Backup Authentication service is in use, however, not all conditions can be evaluated in real time.

Want to know more about Conditional Access? Then download my whitepaper on the subject; the latest version can be found here:

With a new session control in Conditional Access, called “Disable resilience defaults”, it is now possible to have a policy block authentications while the Backup Authentication service is active. By default this option is turned off, which means that when conditions cannot be evaluated in real time they are evaluated with data collected at the beginning of the user’s session, and the authentication is not blocked.

Session control for resilience

The following conditions cannot be reevaluated during an outage:

  • Group Membership
  • Role Membership
  • Sign-in risk
  • User risk
  • Country location

This means that all other conditions, such as MFA, can still be evaluated, and those policies are not impacted by this session control. If you want to block based on sign-in/user risk and don’t want to make concessions even during an outage, this option is for you.
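To see which of your policies actually depend on the conditions listed above, and therefore what each one does while the Backup Authentication service is serving tokens, here is an added example (not from the original post) that audits policy objects in the shape returned by Microsoft Graph. The sample policies and their ids are constructed, and the property names (`includeGroups`, `signInRiskLevels`, `sessionControls.disableResilienceDefaults`, etc.) are assumed to match the Graph conditionalAccessPolicy schema.

```python
import json

# Constructed sample in the shape of Graph conditionalAccessPolicy objects
# (assumed shape; ids are placeholders, not real tenant data).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Block high sign-in risk", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": ["high"]},
  "sessionControls": {"disableResilienceDefaults": true}},
 {"displayName": "MFA for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-id-placeholder"]}},
  "sessionControls": null},
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}}, "sessionControls": null},
 {"displayName": "Old report-only policy", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["group-id-placeholder"]}}}
]""")

def outage_sensitive_conditions(policy):
    """Names (as the post lists them) of conditions in `policy` that the
    Backup Authentication service cannot re-evaluate in real time."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    locs = cond.get("locations") or {}
    found = []
    if users.get("includeGroups") or users.get("excludeGroups"):
        found.append("Group Membership")
    if users.get("includeRoles") or users.get("excludeRoles"):
        found.append("Role Membership")
    if cond.get("signInRiskLevels"):
        found.append("Sign-in risk")
    if cond.get("userRiskLevels"):
        found.append("User risk")
    if locs.get("includeLocations") or locs.get("excludeLocations"):
        found.append("Country location")  # a named location may be country-based: verify it
    return found

def outage_behaviour(policy):
    """How the policy behaves when the backup service handles the sign-in."""
    sensitive = outage_sensitive_conditions(policy)
    if not sensitive:
        return "evaluated normally"
    if (policy.get("sessionControls") or {}).get("disableResilienceDefaults"):
        return "blocked (resilience defaults disabled)"
    return "allowed on session-start data (resilience defaults)"

def audit(policies):
    """Report only enforced policies; report-only ones never block anyway."""
    return [(p["displayName"], outage_sensitive_conditions(p), outage_behaviour(p))
            for p in policies if p.get("state") == "enabled"]

if __name__ == "__main__":
    for name, sensitive, behaviour in audit(SAMPLE_POLICIES):
        print(f"{name}: {', '.join(sensitive) or '-'} -> {behaviour}")
```

Feed it the policy list from a Graph export of your own tenant to see which policies would fail open during an outage and which would start blocking.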

Microsoft recommends keeping the resilience defaults enabled in order to mitigate the impact of an outage. But if you have a high-security environment, you might want to consider using this new session control to control the behavior during an outage.

Testing the options will be a challenge though 🙂, which in my opinion might be a reason to leave the options as they are.

99.99% uptime for Azure Active Directory

Conditional Access: Resilience defaults
