Identity Management (Entra ID)

Conditional Access Policies and Compromised User Status

5 min read · Akuity SOC · Delphisoft Deutschland

SOAR does not replace a Zero Trust architecture; it drives it. Understand how the Confirm Compromised action triggers your Entra ID Conditional Access rules.

Modern cybersecurity no longer relies on the strength of the network perimeter (the firewall) but on continuous identity verification. This is the foundation of the Zero Trust architecture. In the Microsoft cloud, the concept is embodied by the Conditional Access policies of Microsoft Entra ID.

However, many companies configure Conditional Access statically (e.g. "Require MFA for everyone"). The real power of the tool lies in its ability to react dynamically to a user's risk level. This article shows how the interaction between a SOAR orchestrator (such as Akuity) and Conditional Access can automate the containment of a compromised identity.

The concept of risk-based Conditional Access

Entra ID Protection continuously evaluates two kinds of risk:

  1. Sign-in risk: is the current authentication attempt suspicious? (e.g. the source IP address belongs to a Tor exit node.)
  2. User risk: is the identity itself compromised? (e.g. the user's credentials were found in a leaked credential dump.)

Conditional Access policies let you define rules of the form: IF the user's risk level is High, THEN require a secure password change (through Entra ID self-service password reset, SSPR) or block access entirely.

The operational challenge is this: some risk detections are computed offline, and Microsoft's scoring can be conservative, so the user risk level may not reach "High" quickly enough during a targeted attack. This is where the analyst and the SOAR come into play.

The bridge between SOC and Zero Trust: “Confirm Compromised”

When an analyst triages a targeted phishing alert in the Akuity SOC Cockpit and becomes confident that the employee entered their credentials on a fraudulent page, they must act.

From the Akuity remediations tab, the action Confirmation of compromise (confirmUserCompromised) is the master API command; it corresponds to the "Confirm compromised" operation of Entra ID Protection (the Microsoft Graph riskyUsers/confirmCompromised call). By clicking the button (after validating their MFA TOTP code at assurance level AAL2), the analyst manually forces the user's risk level to "High" in Entra ID Protection.

It is this single action that acts as the switch triggering your pre-configured Conditional Access policies. One caveat a practitioner should keep in mind: Conditional Access is evaluated when a token is issued or refreshed, so an access token the attacker already holds remains valid until it expires unless the client supports continuous access evaluation. Pair the risk change with a sign-in session revocation so that refresh tokens are invalidated as well.

How to configure the perfect Conditional Access policy

For the Akuity command to deliver its full defensive effect, configure the following emergency response policy in the Microsoft Entra admin center (the user risk condition requires Microsoft Entra ID P2 licensing):

  1. Policy name: Block or Require Password Change on High User Risk
  2. Targeted users: All users (remember to exclude your break-glass emergency accounts!).
  3. Conditions -> User risk: select High.
  4. Access controls -> Grant:
  • Option 1 (strict): Block access. The compromised user cannot sign in anywhere until an administrator has cleaned up the account.
  • Option 2 (self-service): Grant access, but Require password change. Microsoft requires this control to be combined with Require multifactor authentication and "Require all the selected controls", so the user must prove their identity with MFA and then set a new strong password before resuming work, pulling the rug out from under the attacker.
  5. Start the policy in report-only mode and review the sign-in logs before switching it to On, so that a misconfiguration does not lock out the whole tenant.
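The policy above expressed as a Microsoft Graph conditionalAccessPolicy body, as an added example that is not code from the page or from Akuity. The endpoint, field names and enum values are the real Graph v1.0 schema; the policy name and the lint checks (break-glass exclusion, the MFA + AND constraint on password change, report-only by default) are this example's own choices, and the GUID used is a placeholder.

```python
"""Build and lint the 'high user risk' Conditional Access policy as a Graph payload.

Added example, not Akuity's code. To create the policy for real you would send the
returned dict as JSON with:
  POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
using a token holding Policy.ReadWrite.ConditionalAccess (and Application.Read.All).
"""
import json

POLICY_NAME = "Block or Require Password Change on High User Risk"


def build_user_risk_policy(break_glass_ids, mode="block", report_only=True):
    """Return the Graph body for the emergency policy.

    mode: "block"           -> Option 1 (strict): Block access
          "password_change" -> Option 2 (self-service): MFA + Require password change
    Microsoft only accepts passwordChange together with mfa under "Require all the
    selected controls", which is the AND operator in the Graph schema.
    report_only keeps the policy in enabledForReportingButNotEnforced until the
    sign-in logs confirm it hits the right users.
    """
    if mode == "block":
        grant = {"operator": "OR", "builtInControls": ["block"]}
    elif mode == "password_change":
        grant = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {
        "displayName": POLICY_NAME,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": grant,
    }


def lint_policy(policy, break_glass_ids):
    """Return a list of problems; an empty list means the policy is safe to enable."""
    problems = []
    conditions = policy["conditions"]
    excluded = set(conditions["users"].get("excludeUsers", []))
    missing = set(break_glass_ids) - excluded
    if missing:
        # The single most common way to lock yourself out of your own tenant.
        problems.append(f"break-glass accounts not excluded: {sorted(missing)}")
    if conditions.get("userRiskLevels") != ["high"]:
        problems.append("userRiskLevels must be exactly ['high'] for this emergency policy")
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if "passwordChange" in controls and ("mfa" not in controls or grant["operator"] != "AND"):
        problems.append("passwordChange requires mfa with operator AND")
    if "block" in controls and len(controls) > 1:
        problems.append("block cannot be combined with other grant controls")
    return problems


if __name__ == "__main__":
    # Placeholder object ID for a break-glass account (constructed, not a real tenant value).
    break_glass = ["11111111-1111-1111-1111-111111111111"]
    policy = build_user_risk_policy(break_glass, mode="password_change")
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy, break_glass) or "OK")
    print("lint (no exclusion):", lint_policy(build_user_risk_policy([]), break_glass))
```

Run the linter against the body you are about to POST, or against a policy exported with GET on the same endpoint, before flipping the state to enabled.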

Traceability of the containment action

Declaring a user compromised has a strong impact on the business. The audit architecture built into Akuity SOC ensures the decision can never be taken lightly.

Each use of the CONFIRMUSERCOMPROMISED command generates a structured JSON audit record intended as SOC 2 control evidence. The record captures the authenticated identifier of the analyst (auth.uid()), the exact time of the action, and the verified authenticator assurance level (AAL2), providing full accountability in the event of an internal audit.
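The containment action described in the "Confirm Compromised" section together with the audit record described here, as an added example in Python that is not Akuity's code. The two Graph endpoints are real (riskyUsers/confirmCompromised sets user risk to high; users/{id}/revokeSignInSessions invalidates refresh tokens); the AAL2 gate, the analyst session shape, the audit record fields and the injectable send function are this example's own design, and the identifiers used are placeholders.

```python
"""Contain a compromised Entra ID user and emit an audit record.

Added example, not Akuity's code.  Token scopes needed (Graph documentation):
  IdentityRiskyUser.ReadWrite.All for confirmCompromised,
  User.ReadWrite.All (or the narrower User.RevokeSessions.All) for revokeSignInSessions.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


class AssuranceError(PermissionError):
    """The analyst did not complete a strong enough MFA step for this action."""


def build_containment_requests(user_id):
    """The two Graph calls, in the order that matters.

    1. confirmCompromised: marks the user risk 'high' in Entra ID Protection, which is the
       condition a user-risk Conditional Access policy keys on at the next token issuance.
    2. revokeSignInSessions: invalidates the user's refresh tokens so the attacker cannot
       quietly renew access tokens while waiting for the current ones to expire.
    """
    return [
        {
            "method": "POST",
            "url": f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
            "body": {"userIds": [user_id]},
        },
        {
            "method": "POST",
            "url": f"{GRAPH}/users/{user_id}/revokeSignInSessions",
            "body": None,
        },
    ]


def graph_send(req, token):
    """Default transport: perform the call against Graph and return the HTTP status."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    http_req = urllib.request.Request(
        req["url"], data=data, method=req["method"],
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(http_req) as resp:
        return resp.status


def confirm_user_compromised(user_id, analyst, token, send=graph_send, now=None):
    """Gate on AAL2, run both Graph calls, return the JSON-serialisable audit record.

    analyst: dict with 'uid' (the authenticated analyst id) and 'aal' (int, the
    assurance level of the session that authorised the click); an assumed shape.
    send: transport taking (request, token) -> status, swappable for testing.
    """
    if analyst.get("aal", 0) < 2:
        # Refuse before touching Graph: the TOTP step-up is the precondition, not an afterthought.
        raise AssuranceError("CONFIRMUSERCOMPROMISED requires an AAL2 (TOTP/WebAuthn) step-up")
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    calls = []
    for req in build_containment_requests(user_id):
        calls.append({"url": req["url"], "status": send(req, token)})
    return {
        "action": "CONFIRMUSERCOMPROMISED",
        "target_user_id": user_id,
        "actor_uid": analyst["uid"],
        "actor_aal": analyst["aal"],
        "timestamp": timestamp,
        "graph_calls": calls,
    }


if __name__ == "__main__":
    # Dry run with a fake transport and placeholder ids (constructed, not a real tenant).
    def fake_send(req, token):
        return 204 if req["url"].endswith("confirmCompromised") else 200

    record = confirm_user_compromised(
        "00000000-0000-0000-0000-000000000001",
        {"uid": "analyst-42", "aal": 2}, "placeholder-token", send=fake_send,
    )
    print(json.dumps(record, indent=2))
```

The order of the two calls is deliberate: raising the risk level first means the Conditional Access policy is already armed when the revoked client comes back to re-authenticate.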

Conclusion: Orchestration for Zero Trust

Modern SOAR does not replace your native security tools; it drives them. By combining the centralised alerting of Akuity SOC with the enforcement mechanisms of Microsoft Conditional Access, you turn static security rules into a dynamic shield that locks the attacker out at the very next sign-in or token refresh.

Unlock the full power of the Zero Trust architecture. Find out how Identity Management at Risk (Entra ID) from Akuity SOC drives your Conditional Access rules in one click.

Related solution page

Identity Management at Risk (Entra ID)

Stop Entra ID identity theft in seconds: impossible travel (JIT) detection, session revocation, and confirmation of compromise.

Discover the full solution