SOC 2 Azure AD Controls: Conditional Access and PIM
SOC 2 Azure Active Directory controls covering Conditional Access policies, Privileged Identity Management, MFA enforcement, and audit log evidence for CC6 criteria.
- Conditional Access policies in Entra ID enforce MFA, device compliance, and location-based controls.
- Privileged Identity Management (PIM) provides just-in-time privileged access with approval workflows.
- Azure AD Identity Protection detects risky sign-ins and automates CC7.2 threat monitoring evidence.
- Access Reviews in Entra ID Governance automate quarterly access certification for CC6.3 compliance.
- Sign-in logs and audit logs export via Microsoft Graph API for automated evidence collection.
- Security Defaults is switched on for tenants created since October 2019, but older tenants and any tenant where it was turned off get no MFA enforcement at all until named Conditional Access policies exist; every control in this guide has to be enabled explicitly.
Azure AD in SOC 2 Scope
Microsoft Entra ID (formerly Azure Active Directory) is the identity and access management foundation for Microsoft 365, Azure resources, and thousands of SAML/OIDC-integrated applications. If your company uses Microsoft 365, Azure, or any Microsoft application, Entra ID is in scope for your SOC 2 audit.
Microsoft publishes SOC 2 Type II reports for Azure services via the Microsoft Service Trust Portal (servicetrust.microsoft.com). Download the Azure and Microsoft 365 SOC 2 report to reference in your audit package. Your responsibility includes the Conditional Access policies you configure, how you manage privileged roles, and whether you have enabled the security controls available in your Entra ID tier.
Conditional Access Policies (CC6.1, CC6.6)
Conditional Access is the primary access control mechanism in Entra ID (it requires Entra ID P1, which Microsoft 365 E3/E5 and Business Premium include). Navigate to Entra ID → Protection → Conditional Access → Policies. Two rules apply to every policy below: exclude at least one emergency-access ("break-glass") account so that a misconfigured policy cannot lock every administrator out, and create each policy in report-only mode first, then check the sign-in log for what it would have blocked before switching it to On. Create the following named policies: (1) "Require MFA for all users" — Assignments: All users, All cloud apps (labelled "All resources" in newer portals). Access controls: Grant → Require multifactor authentication. This baseline policy ensures no user can access any application without MFA, regardless of location.
(2) "Require compliant device for privileged access" — Assignments: Users in "Azure AD Admins" group (not the break-glass accounts), All cloud apps. Conditions: device platform (Windows, macOS, iOS, Android). Access controls: Grant → Require device to be marked as compliant. This ensures admin access only occurs from Intune-managed, policy-compliant devices, satisfying CC6.6 boundary protection. (3) "Block legacy authentication" — Assignments: All users, All cloud apps. Conditions: Client apps → Exchange ActiveSync clients and Other clients (the legacy authentication clients). Access controls: Block. Legacy protocols (basic authentication for IMAP, POP, SMTP and older Office clients) cannot perform MFA, so a stolen password alone is enough to sign in through them; blocking them closes that gap. Filter the sign-in log on Client app first to see which accounts still use legacy protocols before you enforce the block.
(4) "Require MFA for Azure management" — Assignments: All users, Microsoft Azure Management app (the "Windows Azure Service Management API" service principal). Access controls: Grant → Require MFA. This specifically targets Azure portal, PowerShell, CLI, and ARM access, ensuring cloud console access is always protected by MFA. Security Defaults and Conditional Access are mutually exclusive, and Entra ID will not let you create policies while Security Defaults is on. Disable it in Entra ID → Properties → Manage security defaults, then create and enforce policy (1) straight away: until that policy is On, MFA is enforced by neither mechanism.
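The four policies above as Microsoft Graph request bodies, plus a check you can run against the tenant's exported policy list before an audit. This is an added example, not code from the guide; the break-glass account and admin group object IDs are placeholders, and the Azure management app ID is Microsoft's well-known first-party application ID for that service principal.

```python
"""Build the four baseline Conditional Access policies as Microsoft Graph
`conditionalAccessPolicy` request bodies and check an exported policy list
against that baseline.  Added example; not code from the guide.  The object
IDs below are placeholders for your tenant's emergency-access account and
admin group."""
import json
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Well-known first-party app ID for "Windows Azure Service Management API",
# shown as "Microsoft Azure Management" in the portal.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
BREAK_GLASS_USERS = ["00000000-0000-0000-0000-000000000001"]   # placeholder object ID
ADMINS_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"       # placeholder object ID
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _policy(name, users, apps, grant, state=REPORT_ONLY, client_apps=("all",), platforms=None):
    """Common shape of a Graph conditionalAccessPolicy.  New policies start in
    report-only mode so the sign-in log shows their effect before enforcement,
    and every policy excludes the emergency-access accounts."""
    conditions = {
        "users": {"includeUsers": users.get("includeUsers", []),
                  "includeGroups": users.get("includeGroups", []),
                  "excludeUsers": list(BREAK_GLASS_USERS)},
        "applications": {"includeApplications": list(apps)},
        "clientAppTypes": list(client_apps),
    }
    if platforms:
        conditions["platforms"] = {"includePlatforms": list(platforms)}
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": list(grant)}}


def baseline_policies():
    """The four policies from this section, in the order the text lists them."""
    return [
        _policy("Require MFA for all users", {"includeUsers": ["All"]}, ["All"], ["mfa"]),
        _policy("Require compliant device for privileged access",
                {"includeGroups": [ADMINS_GROUP_ID]}, ["All"], ["compliantDevice"],
                platforms=["windows", "macOS", "iOS", "android"]),
        _policy("Block legacy authentication", {"includeUsers": ["All"]}, ["All"], ["block"],
                client_apps=["exchangeActiveSync", "other"]),
        _policy("Require MFA for Azure management", {"includeUsers": ["All"]},
                [AZURE_MANAGEMENT_APP_ID], ["mfa"]),
    ]


def check_baseline(policies):
    """Findings for a policy list as returned by GET .../conditionalAccess/policies.
    An empty list means the baseline is enforced and every tenant-wide policy
    has a break-glass exclusion."""
    def enabled(p): return p.get("state") == "enabled"
    def users(p): return p["conditions"]["users"]
    def apps(p): return p["conditions"]["applications"].get("includeApplications", [])
    def grants(p): return (p.get("grantControls") or {}).get("builtInControls", [])
    def client_apps(p): return set(p["conditions"].get("clientAppTypes", []))

    findings = []
    for p in policies:
        if not enabled(p):
            findings.append(f"{p['displayName']}: state is {p.get('state')}, not enforced")
        if users(p).get("includeUsers") == ["All"] and not users(p).get("excludeUsers"):
            findings.append(f"{p['displayName']}: no emergency-access account excluded")
    if not any(enabled(p) and users(p).get("includeUsers") == ["All"] and apps(p) == ["All"]
               and "mfa" in grants(p) for p in policies):
        findings.append("no enforced tenant-wide MFA policy")
    if not any(enabled(p) and "block" in grants(p)
               and {"exchangeActiveSync", "other"} <= client_apps(p) for p in policies):
        findings.append("legacy authentication is not blocked")
    if not any(enabled(p) and AZURE_MANAGEMENT_APP_ID in apps(p) and "mfa" in grants(p)
               for p in policies):
        findings.append("no enforced MFA policy for Azure management")
    return findings


def create_policy(token, body):
    """POST one policy body to Graph (needs Policy.ReadWrite.ConditionalAccess).
    Not called in the offline run."""
    req = urllib.request.Request(GRAPH_CA, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(baseline_policies()[0], indent=2))
    print(check_baseline(baseline_policies()))   # report-only policies are flagged as not enforced
```

Run `check_baseline` over the `value` array from `GET /identity/conditionalAccess/policies` rather than over the bodies you intended to create; the difference between the two is exactly what an auditor tests.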
Privileged Identity Management (CC6.2)
Azure AD Privileged Identity Management (PIM, an Entra ID P2 feature) provides just-in-time (JIT) privileged access. Instead of permanently assigning Global Administrator or Subscription Owner roles, PIM makes these roles "eligible": users activate the role for a limited time (typically 1–4 hours) with MFA re-authentication and optional manager approval. The target state auditors look for is zero permanent active assignments to privileged roles, apart from the emergency-access accounts. Navigate to Entra ID → Identity Governance → Privileged Identity Management.
Configure PIM settings for critical roles: Global Administrator — require approval (designated approvers list), require MFA on activation, set maximum activation duration to 2 hours, require justification. Go to PIM → Azure AD roles → Settings → [role] and configure activation settings. For Azure subscription Owner and Contributor roles, configure the same settings under PIM → Azure resources.
Use the PIM audit log as evidence for CC6.2 (access provisioning) and CC6.3 (access review). PIM logs every role activation with timestamp, user, duration, and justification. Export PIM audit logs monthly via PIM → Azure AD roles → Audit log → Export. The same activations also appear in the Entra ID audit log under the RoleManagement category, so the diagnostic-setting export described under Audit Log Export captures them continuously. Together these give auditors a record of who held privileged access, when, and why, which is the evidence they need for least-privilege access controls.
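An added example (not from the guide) that pulls PIM activations and direct, non-PIM role assignments out of a directory audit export such as the one `GET /auditLogs/directoryAudits` returns. The sample events are constructed; the activity names and the `additionalDetails` keys (`Justification`, `ExpirationTime`) are as they appear in a typical PIM export, and the comments ask you to confirm them against your own tenant's log before relying on them.

```python
"""Extract PIM activations and direct (non-PIM) role assignments from an Entra
directory audit export.  Added example, not the guide's own code.  The record
shape follows the Graph `directoryAudit` resource; the activity names and the
`additionalDetails` keys match a typical PIM export but are assumptions to
verify against your tenant (PIM records permanent assignments under further
activity names; extend the filters after inspecting a real export)."""
import csv
import io

PIM_ACTIVATED = "Add member to role completed (PIM activation)"
DIRECT_ASSIGNED = "Add member to role"          # assignment outside PIM, i.e. permanent

# Constructed sample records (not real log data).
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-03-03T09:12:44Z", "category": "RoleManagement",
     "activityDisplayName": PIM_ACTIVATED, "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Global Administrator"},
                         {"type": "User", "userPrincipalName": "alice@contoso.example"}],
     "additionalDetails": [{"key": "Justification", "value": "INC-4411 tenant restore"},
                           {"key": "StartTime", "value": "2025-03-03T09:12:44Z"},
                           {"key": "ExpirationTime", "value": "2025-03-03T11:12:44Z"}]},
    {"activityDateTime": "2025-03-04T14:02:10Z", "category": "RoleManagement",
     "activityDisplayName": DIRECT_ASSIGNED, "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Exchange Administrator"},
                         {"type": "User", "userPrincipalName": "carol@contoso.example"}],
     "additionalDetails": []},
    {"activityDateTime": "2025-03-05T08:00:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "dave@contoso.example"}],
     "additionalDetails": []},
]


def _detail(rec, key):
    """Value of one additionalDetails entry, or '' when absent."""
    return next((d.get("value", "") for d in rec.get("additionalDetails", []) if d.get("key") == key), "")


def _target(rec, kind, field):
    """Field of the first targetResources entry of the given type, or ''."""
    return next((t.get(field, "") for t in rec.get("targetResources", []) if t.get("type") == kind), "")


def _actor(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")


def pim_activations(records):
    """One evidence row per successful PIM activation: who, which role, when,
    until when, and why (CC6.2 / CC6.3)."""
    return [{"activated_at": r.get("activityDateTime", ""),
             "user": _actor(r),
             "role": _target(r, "Role", "displayName"),
             "expires_at": _detail(r, "ExpirationTime"),
             "justification": _detail(r, "Justification")}
            for r in records
            if r.get("category") == "RoleManagement"
            and r.get("activityDisplayName") == PIM_ACTIVATED
            and r.get("result") == "success"]


def direct_assignments(records):
    """Role assignments made outside PIM.  Each is a standing privilege the
    auditor will ask about; the list should be empty apart from
    emergency-access accounts."""
    return [{"assigned_at": r.get("activityDateTime", ""),
             "by": _actor(r),
             "user": _target(r, "User", "userPrincipalName"),
             "role": _target(r, "Role", "displayName")}
            for r in records
            if r.get("category") == "RoleManagement"
            and r.get("activityDisplayName") == DIRECT_ASSIGNED]


def to_csv(rows):
    """Serialize evidence rows to CSV text for the audit package ('' when empty)."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(pim_activations(SAMPLE_AUDIT)))
    print(to_csv(direct_assignments(SAMPLE_AUDIT)))
```

Feed it the monthly JSON export (or the Log Analytics `AuditLogs` table exported as JSON) and keep both CSVs: the activation list is the CC6.2 evidence, and an empty direct-assignment list is the least-privilege evidence.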
Identity Protection (CC7.2)
Microsoft Entra ID Protection (available in Entra ID P2) continuously analyzes sign-ins using ML models trained on Microsoft threat intelligence. It generates risk signals: user risk (credential compromise indicators) and sign-in risk (anomalous sign-in patterns). Navigate to Entra ID → Protection → Identity Protection.
Configure two Conditional Access policies based on risk (risk conditions need Entra ID P2): "MFA required for medium/high sign-in risk" — Conditions: Sign-in risk level → Medium and above. Access controls: Grant → Require MFA. "Block access for high user risk" — Conditions: User risk level → High. Access controls: Block, or Grant → Require multifactor authentication and Require password change. The secure password change only works for users who have registered for MFA, and hybrid-synced accounts need password writeback for it. Roll both policies out in report-only mode first, as with the baseline policies. These policies provide automated response to detected threats, satisfying CC7.3 (response to identified threats).
Review Identity Protection reports weekly: Risky users, Risky sign-ins, and Risk detections. Investigate and dismiss false positives, and confirm true positives (compromised credentials) by checking for unauthorized access in the audit log. Document your investigation process — this process evidence plus the Identity Protection report exports constitute strong CC7.2 and CC7.3 audit evidence.
Access Reviews (CC6.3)
Entra ID Governance Access Reviews (requires P2 or a Governance license) automate the periodic access certification that CC6.3 calls for; quarterly is the cadence most auditors expect, though the criteria do not prescribe one. Navigate to Entra ID → Identity Governance → Access reviews → New access review. Create reviews for: (1) Group membership reviews — select a security group, set reviewers to group owners or managers, set frequency to quarterly, set "Upon completion" to automatically remove access for non-responses and denied access. (2) Azure AD role reviews — review Global Administrator and other critical role assignments quarterly.
For each completed access review, export the results: Access reviews → [completed review] → Results → Export. This CSV file shows each user, the reviewer, and the decision (approved/denied). Compile quarterly exports as CC6.3 access review evidence. If you implement automated removal on denial, also export the Entra ID audit log showing the resulting group membership changes as corroborating evidence.
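An added example, not the guide's code, that summarizes decision items fetched from `GET /identityGovernance/accessReviews/definitions/{id}/instances/{id}/decisions` and then performs the corroboration described above: every Deny should match a successful "Remove member from group" event for that group in the Entra ID audit log. Both inputs are constructed samples; the group name and the exact `targetResources` layout of the removal event are assumptions to confirm against your own export.

```python
"""Summarize an access review's decisions and corroborate denials against
group-removal events in the directory audit log.  Added example, not the
guide's code.  Decision fields follow the Graph `accessReviewInstanceDecisionItem`
resource; the audit event layout is assumed and both samples are constructed."""
from collections import Counter

GROUP_REMOVAL = "Remove member from group"

# Constructed decision items, shaped like the `value` array of
# GET /identityGovernance/accessReviews/definitions/{id}/instances/{id}/decisions
SAMPLE_DECISIONS = [
    {"principal": {"userPrincipalName": "alice@contoso.example"}, "decision": "Approve",
     "reviewedBy": {"userPrincipalName": "mgr@contoso.example"},
     "justification": "Still on the platform team", "applyResult": "AppliedSuccessfully"},
    {"principal": {"userPrincipalName": "bob@contoso.example"}, "decision": "Deny",
     "reviewedBy": {"userPrincipalName": "mgr@contoso.example"},
     "justification": "Moved to sales", "applyResult": "AppliedSuccessfully"},
    {"principal": {"userPrincipalName": "carol@contoso.example"}, "decision": "Deny",
     "reviewedBy": {"userPrincipalName": "mgr@contoso.example"},
     "justification": "Left the company", "applyResult": "AppliedSuccessfully"},
    {"principal": {"userPrincipalName": "dave@contoso.example"}, "decision": "NotReviewed",
     "reviewedBy": {}, "justification": "", "applyResult": "New"},
]

# Constructed directory audit events; only bob's removal was actually logged.
SAMPLE_AUDIT = [
    {"activityDisplayName": GROUP_REMOVAL, "activityDateTime": "2025-04-01T00:05:00Z",
     "result": "success",
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"},
                         {"type": "Group", "displayName": "prod-db-admins"}]},
]


def summarize(decisions):
    """Counts per decision plus the principals nobody reviewed (a CC6.3 gap
    unless the review was configured to remove access on non-response)."""
    counts = Counter(d.get("decision", "NotReviewed") for d in decisions)
    unreviewed = [d["principal"]["userPrincipalName"] for d in decisions
                  if d.get("decision") in (None, "NotReviewed", "DontKnow")]
    return {"counts": dict(counts), "unreviewed": unreviewed}


def unremediated_denials(decisions, audit_events, group_name):
    """Denied principals with no successful 'Remove member from group' event for
    the reviewed group: denials the review recorded but nothing applied."""
    removed = {
        t["userPrincipalName"]
        for e in audit_events
        if e.get("activityDisplayName") == GROUP_REMOVAL and e.get("result") == "success"
        and any(t.get("type") == "Group" and t.get("displayName") == group_name
                for t in e.get("targetResources", []))
        for t in e.get("targetResources", [])
        if t.get("type") == "User" and "userPrincipalName" in t
    }
    return [d["principal"]["userPrincipalName"] for d in decisions
            if d.get("decision") == "Deny"
            and d["principal"]["userPrincipalName"] not in removed]


if __name__ == "__main__":
    print(summarize(SAMPLE_DECISIONS))
    print(unremediated_denials(SAMPLE_DECISIONS, SAMPLE_AUDIT, "prod-db-admins"))
```

Attach the summary, the decision export and the matching audit events for each review to the quarterly evidence bundle; a non-empty `unremediated_denials` result is a finding to fix before the auditor finds it.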
MFA Methods and SSPR
Navigate to Entra ID → Protection → Authentication methods → Policies. Enable Microsoft Authenticator and turn on the additional context options ("Show application name in push and passwordless notifications" and "Show geographic location in push and passwordless notifications") so users can see what they are approving. Number matching, the main defence against MFA fatigue attacks (an attacker sends repeated push notifications until the user approves one by mistake), has been enforced by Microsoft for all Authenticator push notifications since May 2023 and no longer depends on a tenant setting. Disable SMS for privileged accounts: in the SMS policy exclude your Admins group, or better, leave SMS off tenant-wide.
For all accounts, require at least Microsoft Authenticator or FIDO2 and disable voice call. Number matching and additional context defeat push-fatigue attacks; they do nothing against adversary-in-the-middle phishing kits that proxy the real sign-in page and relay the whole session, push approval included. Only phishing-resistant methods stop those (FIDO2 security keys and passkeys, Windows Hello for Business, certificate-based authentication), so for the Admins group add a Conditional Access policy with Grant → Require authentication strength → Phishing-resistant MFA rather than plain Require MFA.
Self-Service Password Reset (SSPR) should require two authentication methods (e.g., Authenticator app + email) so that a single compromised channel cannot be turned into an account takeover via password reset. Navigate to Entra ID → Protection → Password reset → Properties → Enable SSPR for "All" users. Under Authentication methods, set "2 methods required to reset". Under Registration, require users to register when they sign in. Administrator accounts are held to a fixed two-method policy regardless of this setting and cannot use security questions. Document the SSPR configuration in your password management policy.
Audit Log Export and Evidence
Entra ID provides two key logs: Audit logs (administrative actions: user creation, group changes, role assignments, policy changes) and Sign-in logs (every authentication event with risk score, MFA result, Conditional Access policy result). Access them under Entra ID → Monitoring → Audit logs and Sign-in logs.
Export to Azure Monitor Log Analytics and then archive to Azure Storage for long-term retention; the portal itself keeps sign-in and audit logs for only 30 days on P1/P2 (7 days on the free tier), far short of a Type II audit period. Navigate to Entra ID → Monitoring → Diagnostic settings → Add diagnostic setting. Select "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "RiskyUsers", and "UserRiskEvents". Route to a Log Analytics workspace and to a Storage account. Keep 90 days in Log Analytics for investigation and at least 365 days in Storage, using a lifecycle management rule on the storage account (the retention-days field that used to be part of diagnostic settings has been retired). This automated export provides continuous evidence for your entire audit period.
For auditor-facing evidence, use the Microsoft Graph API (`GET /auditLogs/signIns`, `GET /auditLogs/directoryAudits`, each with a `$filter` on `createdDateTime` or `activityDateTime` and following `@odata.nextLink` until the last page) to export specific date ranges to CSV. By default the sign-in endpoint returns interactive user sign-ins; non-interactive and service principal sign-ins come from the diagnostic-setting export above. Include sign-in logs showing MFA success rates, Conditional Access policy evaluation results, and PIM activation records in your audit package, so the auditor can test each control against the full period rather than against screenshots.
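An added example, not part of the original page, that turns a sign-in log export into the numbers listed above and flags the gaps an auditor would sample: single-factor successes, risky sign-ins that got through without MFA (the job of the Identity Protection policies), legacy-auth attempts the block policy stopped, and what each report-only policy would have done. The records are constructed; `fetch_signins` shows the Graph call with `$filter` and `@odata.nextLink` paging and is the only part that needs a token.

```python
"""Turn a sign-in log export into the figures an auditor asks for and flag the
gaps.  Added example, not the guide's code.  Field names follow the Graph
`signIn` resource; the sample records are constructed, and fetch_signins() is
the only part that touches the network."""
import json
import urllib.parse
import urllib.request
from collections import Counter

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
CA_BLOCKED = 53003                    # "Access has been blocked by Conditional Access policies"
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}   # anything else is legacy auth
RISKY = {"medium", "high"}
MFA = "multiFactorAuthentication"
WOULD_INTERRUPT = {"reportOnlyFailure", "reportOnlyInterrupted"}

# Constructed records, trimmed to the fields used below.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
     "isInteractive": True, "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": MFA,
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "isInteractive": True, "clientAppUsed": "IMAP4", "status": {"errorCode": CA_BLOCKED},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"displayName": "Block legacy authentication", "result": "failure"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Legacy HR app",
     "isInteractive": True, "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Azure Portal",
     "isInteractive": True, "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "medium", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [{"displayName": "MFA required for medium/high sign-in risk",
                                           "result": "reportOnlyFailure"}]},
]


def _ok(r):
    """Successful interactive sign-in."""
    return r.get("isInteractive", True) and r.get("status", {}).get("errorCode", 0) == 0


def mfa_rate(records):
    """Share of successful interactive sign-ins that satisfied MFA (0.0 when none)."""
    ok = [r for r in records if _ok(r)]
    return sum(r.get("authenticationRequirement") == MFA for r in ok) / len(ok) if ok else 0.0


def single_factor_successes(records):
    """(user, app) pairs that got in with a password only: each is a coverage
    gap in the MFA policy that an auditor will sample."""
    return [(r["userPrincipalName"], r.get("appDisplayName", ""))
            for r in records if _ok(r) and r.get("authenticationRequirement") != MFA]


def legacy_auth_blocked(records):
    """Attempts from legacy clients that the block policy stopped (error 53003)."""
    return sum(1 for r in records
               if r.get("clientAppUsed") not in MODERN_CLIENTS
               and r.get("status", {}).get("errorCode") == CA_BLOCKED)


def risky_without_mfa(records):
    """Medium/high-risk sign-ins that succeeded without MFA: the sign-in risk
    policy is missing or still report-only."""
    return [r["userPrincipalName"] for r in records
            if _ok(r) and r.get("riskLevelDuringSignIn") in RISKY
            and r.get("authenticationRequirement") != MFA]


def report_only_hits(records):
    """How often each report-only policy would have interrupted or blocked a sign-in."""
    return Counter(p["displayName"] for r in records
                   for p in r.get("appliedConditionalAccessPolicies", [])
                   if p.get("result") in WOULD_INTERRUPT)


def fetch_signins(token, start_iso, end_iso):
    """Page through GET /auditLogs/signIns for one date range (AuditLog.Read.All).
    Not called in the offline run."""
    query = urllib.parse.urlencode(
        {"$filter": f"createdDateTime ge {start_iso} and createdDateTime le {end_iso}"})
    url, out = f"{GRAPH_SIGNINS}?{query}", []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


if __name__ == "__main__":
    print(f"MFA rate: {mfa_rate(SAMPLE_SIGNINS):.0%}")
    print("single-factor successes:", single_factor_successes(SAMPLE_SIGNINS))
    print("legacy auth blocked:", legacy_auth_blocked(SAMPLE_SIGNINS))
    print("risky without MFA:", risky_without_mfa(SAMPLE_SIGNINS))
    print("report-only hits:", dict(report_only_hits(SAMPLE_SIGNINS)))
```

Run it per month over the audit period; the MFA rate and the blocked-legacy count go in the evidence package, while the single-factor and risky-without-MFA lists should be empty (or explained) before the auditor sees them.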
Frequently Asked Questions
Do we need Entra ID P2 for SOC 2 compliance?
What is the difference between Security Defaults and Conditional Access for SOC 2?
How do we satisfy CC6.3 without Entra ID Governance Access Reviews?
Does PIM satisfy the least-privilege requirement for SOC 2?
How do we handle service principals for SOC 2 access control?