Authentication Contexts Design

💼 Management Summary

Authentication Contexts enable granular, resource-specific authentication requirements (step-up authentication) for sensitive operations within applications.

Recommendation
CONSIDER AUTHENTICATION CONTEXTS
Risk without
Medium
Risk Score
6/10
Implementation
24h (tech: 12h)
Applies to:
✓ Azure AD
✓ Conditional Access

Traditional Conditional Access applies at the application level (all SharePoint users need MFA). Authentication Contexts enable GRANULAR requirements: viewing a SharePoint document is fine with passwordless sign-in, editing a Confidential document requires phishing-resistant MFA, and deleting a site requires re-authentication. Use cases: (1) SharePoint: different authentication requirements per sensitivity label (viewing Public accepts any authentication, editing Confidential requires FIDO2); (2) Privileged operations: deleting data, changing permissions and financial approvals require step-up authentication; (3) Compliance: auditors accessing audit logs require phishing-resistant MFA. Authentication Contexts provide Zero Trust granularity: not just "who" but "what are they doing" determines the authentication requirements.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.SignIns

Implementation

Authentication Context design: create contexts (C1=High-Value-Data-Access, C2=Privileged-Operations, C3=Financial-Approvals), map them to Conditional Access policies (context C1 requires phishing-resistant MFA), let applications tag resources with contexts (SharePoint labels Confidential documents with C1), and users attempting context-protected actions receive a step-up authentication prompt. Implement via: Azure AD → Conditional Access → Authentication context definitions.

Requirements

  1. Azure AD Premium P1 (P2 recommended)
  2. Applications with Authentication Context support (SharePoint, custom apps via APIs)
  3. Phishing-resistant MFA deployed (FIDO2, Windows Hello, certificate-based)
  4. Sensitivity labels (for SharePoint context scenarios)
  5. User training: understanding step-up authentication prompts

Implementation

Use the PowerShell script authentication-contexts.ps1 (function Invoke-Remediation) for the Authentication Contexts deployment.

  1. Define contexts: Azure AD → Conditional Access → Authentication context
  2. Create CA policies per context: context C1 → require phishing-resistant MFA
  3. Tag resources: SharePoint sensitivity labels → authentication context C1
  4. Test thoroughly: pilot users, verify step-up prompts, check the user experience
  5. Production rollout: phased approach, monitor authentication failures
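Steps 1, 2 and 4 above (define a context, bind a Conditional Access policy to it, pilot before enforcing) can be scripted against Microsoft Graph. The following is an added example and is not part of the baseline's authentication-contexts.ps1: it creates context c1 and a report-only Conditional Access policy that requires the built-in phishing-resistant MFA authentication strength whenever that context is requested. The context ID c1, the display names, the policy name and the break-glass group placeholder are assumptions; replace them for your tenant. Tagging SharePoint sensitivity labels with the context (step 3) is done in the label configuration and is not shown here.

```powershell
# Added example (not from the baseline's script): define authentication context c1
# and bind it to a report-only Conditional Access policy requiring phishing-resistant MFA.
# Assumptions: Microsoft.Graph installed, context id c1 unused in the tenant,
# and a break-glass group object id substituted for the placeholder below.
#Requires -Modules Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Step 1: define the context. Entra fixes the id to the cN form; the names are ours.
$contextId = 'c1'   # assumption: c1 is free in this tenant
$context = @{
    id          = $contextId
    displayName = 'High-Value-Data-Access'
    description = 'Confidential documents and other high-value data'
    isAvailable = $true   # must be published before apps or labels can reference it
}
New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter $context | Out-Null

# Step 2: a CA policy scoped to the context instead of to an application.
# The built-in 'Phishing-resistant MFA' authentication strength has a fixed id.
$phishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'
$breakGlassGroupId = '<break-glass-group-object-id>'   # placeholder: replace before running
$policy = @{
    displayName   = 'CA-AuthContext-c1-PhishingResistantMFA'
    state         = 'enabledForReportingButNotEnforced'   # report-only during the pilot
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeAuthenticationContextClassReferences = @($contextId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.DisplayName) ($($created.Id)) in report-only mode"

# Step 4 starts here: read back the context to confirm it is published, then watch the
# report-only results in the sign-in logs before switching the state to 'enabled'.
Get-MgIdentityConditionalAccessAuthenticationContextClassReference -AuthenticationContextClassReferenceId $contextId |
    Select-Object Id, DisplayName, IsAvailable
```

Keep the policy in report-only state until the sign-in logs show the expected step-up results for pilot users; excluding the break-glass group from every context policy avoids locking out emergency accounts whose credentials may not satisfy the phishing-resistant strength.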

Monitoring

Use the PowerShell script authentication-contexts.ps1 (function Invoke-Monitoring) to monitor.

  1. Step-up authentication events in the Azure AD sign-in logs
  2. Context evaluation failures (blocked access)
  3. User feedback on authentication friction
  4. Compliance: are high-value resources protected?
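For monitoring items 1 and 2 above (step-up events and context evaluation failures), the following added example, which is not from the baseline's script, pulls the last seven days of sign-ins from Microsoft Graph and summarises the outcomes of the Conditional Access policies that carry an authentication context. The policy name prefix CA-AuthContext- is an assumed naming convention; adapt it to the policy names in your tenant. It requires the Microsoft.Graph.Reports module and the AuditLog.Read.All and Directory.Read.All scopes.

```powershell
# Added example (not from the baseline's script): summarise sign-ins evaluated against
# the authentication-context CA policies. Assumption: those policies are named with
# the prefix 'CA-AuthContext-'.
#Requires -Modules Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$policyPrefix = 'CA-AuthContext-'   # assumed naming convention
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# One row per (sign-in, context policy) pair; a sign-in that touched no context policy
# yields nothing, so ordinary traffic is filtered out here.
$rows = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.DisplayName -like "$policyPrefix*") {
            [PSCustomObject]@{
                When   = $s.CreatedDateTime
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
                Policy = $p.DisplayName
                Result = $p.Result   # success, failure, notApplied, reportOnlySuccess, reportOnlyFailure, ...
                Error  = $s.Status.ErrorCode
            }
        }
    }
}

# 1. Step-up events: how often each context policy fired and how the evaluation ended
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 2. Evaluation failures: users blocked (or who would be blocked while still in report-only)
$rows | Where-Object { $_.Result -in 'failure', 'reportOnlyFailure' } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

A rising reportOnlyFailure count for one application usually means users of that app have not yet registered a phishing-resistant method; resolve that before moving the policy from report-only to enabled, otherwise the failures become blocked access.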

Compliance and Auditing

  1. BIO 9.04 - Authentication management
  2. ISO 27001:2022 A.5.15 - Access control and authentication (granular permissions)
  3. Zero Trust Architecture - Resource-based authentication

Remediation

Use the PowerShell script authentication-contexts.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Authentication Contexts Design
.DESCRIPTION
    Implementation for Authentication Contexts Design
.NOTES
    Filename: authentication-contexts.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/identity/authentication-contexts.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Authentication Contexts Design"
$BIOControl = "9.02"

function Connect-RequiredServices {
    # Connection logic based on API: Microsoft Graph; read scope for the checks,
    # Conditional Access write scope only when configuration is changed
    $scopes = @('Policy.Read.All')
    if ($Remediation -or $Revert) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
    Connect-MgGraph -Scopes $scopes -NoWelcome
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "authentication-contexts"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }

    # Compliance check implementation, based on the design document: every published
    # authentication context must be enforced by at least one enabled Conditional Access
    # policy, otherwise tagging a resource with that context never produces a step-up prompt
    $contexts = @(Get-MgIdentityConditionalAccessAuthenticationContextClassReference -All |
        Where-Object { $_.IsAvailable })
    $policies = @(Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' })
    $result.TotalResources = $contexts.Count
    foreach ($ctx in $contexts) {
        $covered = @($policies | Where-Object {
            $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains $ctx.Id })
        if ($covered.Count -gt 0) {
            $result.CompliantCount++
            $result.Details += "Context $($ctx.Id) ($($ctx.DisplayName)) enforced by: $($covered.DisplayName -join ', ')"
        } else {
            $result.NonCompliantCount++
            $result.Details += "Context $($ctx.Id) ($($ctx.DisplayName)) has no enabled CA policy"
            $result.Recommendations += "Create a CA policy targeting authentication context $($ctx.Id)"
        }
    }
    if ($contexts.Count -eq 0) {
        $result.NonCompliantCount = 1
        $result.Details += "No published authentication contexts defined"
        $result.Recommendations += "Define contexts under Conditional Access > Authentication context"
    }
    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation: which contexts and policies to create is a
    # tenant-specific design decision, so the gaps found are listed rather than
    # a generic configuration being applied
    $result = Test-Compliance
    foreach ($rec in $result.Recommendations) { Write-Host "  $rec" -ForegroundColor Yellow }
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
} catch {
    Write-Error $_
}

Risk without implementation

Medium: the same authentication requirements for all resources means either over-authentication (friction) or under-authentication (security gaps). Authentication Contexts give right-sized authentication per sensitivity level. This is an advanced feature. The risk is medium: a granularity improvement.

Management Summary

Authentication Contexts: granular authentication requirements per resource sensitivity. Sensitive operations require step-up authentication (FIDO2 re-authentication), normal operations allow convenient authentication (passwordless), and policies are context-aware (M365 apps call specific authentication contexts). Requires: Azure AD P1 + app integration. Activation: Entra ID → CA → Auth contexts definition → app integration. Free (included in P1). Implementation: 12-24 hours. ADVANCED Zero Trust, only for mature identity programs. Complex implementation.