From 653bc315980700b9713cce1e61b713a5df6f7c14 Mon Sep 17 00:00:00 2001 From: Christian Centeno <46193840+ChristianCB83@users.noreply.github.com> Date: Thu, 11 Sep 2025 10:05:21 +0100 Subject: [PATCH 1/3] Update concept-conditional-access-cloud-apps.md We must include the capability of using Authentication context for PIM as the current version doesn't specify this anywhere. I had the chance to work on a case where customer was lost about this topic, since the doc was not covering it. --- .../concept-conditional-access-cloud-apps.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md b/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md index cd3b46df445..27562c90fc9 100644 --- a/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md +++ b/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md 
@@ -200,9 +200,9 @@ User actions are tasks that a user performs. Conditional Access supports two use ## Authentication context -Authentication context secures data and actions in applications. These applications include custom applications, line-of-business (LOB) applications, SharePoint, or applications protected by Microsoft Defender for Cloud Apps. +Authentication context secures data and actions in applications. These applications include custom applications, line-of-business (LOB) applications, SharePoint, or applications protected by Microsoft Defender for Cloud Apps. It can also be used with Microsoft Entra Privileged Identity Management (PIM) to enforce Conditional Access policies during role activation. -For example, an organization might store files in SharePoint sites like a lunch menu or a secret BBQ sauce recipe. Everyone might access the lunch menu site, but users accessing the secret BBQ sauce recipe site might need to use a managed device and agree to specific terms of use. +For example, an organization might store files in SharePoint sites like a lunch menu or a secret BBQ sauce recipe. Everyone might access the lunch menu site, but users accessing the secret BBQ sauce recipe site might need to use a managed device and agree to specific terms of use. Similarly, an administrator activating a privileged role through PIM might be required to perform multifactor authentication or use a compliant device. Authentication context works with users or [workload identities](workload-identity.md), but not in the same Conditional Access policy. 
@@ -233,11 +233,12 @@ To delete an authentication context, ensure it has no assigned Conditional Acces ### Tag resources with authentication contexts -To learn more about using authentication contexts in applications, see the following articles. +To learn more about using authentication contexts, see the following articles. - [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites) - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad?branch=pr-en-us-2082#require-step-up-authentication-authentication-context) - [Custom applications](~/identity-platform/developer-guide-conditional-access-authentication-context.md) +- [Priviledged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context.md) ## Next steps From 6555ac0c9812791f71e3ea8e6ae683837770ede6 Mon Sep 17 00:00:00 2001 From: Christian Centeno <46193840+ChristianCB83@users.noreply.github.com> Date: Thu, 11 Sep 2025 10:48:31 +0100 Subject: [PATCH 2/3] Update concept-conditional-access-cloud-apps.md Attempt to fix issue reported on the link, by removing the extension ".md" --- .../conditional-access/concept-conditional-access-cloud-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md b/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md index 27562c90fc9..1459a650337 100644 --- a/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md +++ b/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md 
@@ -238,7 +238,7 @@ To learn more about using authentication contexts, see the following articles. - [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites) - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad?branch=pr-en-us-2082#require-step-up-authentication-authentication-context) - [Custom applications](~/identity-platform/developer-guide-conditional-access-authentication-context.md) -- [Priviledged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context.md) +- [Priviledged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context) ## Next steps From 8b094197b9e18916b5752af8d725a7d2a1bad664 Mon Sep 17 00:00:00 2001 From: Christian Centeno <46193840+ChristianCB83@users.noreply.github.com> Date: Thu, 11 Sep 2025 15:29:13 +0100 Subject: [PATCH 3/3] Update docs/identity/conditional-access/concept-conditional-access-cloud-apps.md Co-authored-by: John Flores --- .../conditional-access/concept-conditional-access-cloud-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md b/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md index 1459a650337..2de4fb1efe3 100644 --- a/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md +++ b/docs/identity/conditional-access/concept-conditional-access-cloud-apps.md 
@@ -238,7 +238,7 @@ To learn more about using authentication contexts, see the following articles. - [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites) - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad?branch=pr-en-us-2082#require-step-up-authentication-authentication-context) - [Custom applications](~/identity-platform/developer-guide-conditional-access-authentication-context.md) -- [Priviledged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context) +- [Priviledged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context) ## Next steps
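Review bot: In the first hunk of PATCH 1/3 (@@ -200,9), the added sentence "It can also be used with Microsoft Entra Privileged Identity Management (PIM) ..." has an ambiguous subject, because the sentence before it is about "These applications". Start it with "Authentication context can also be used with ..." so the reader does not attach it to Defender for Cloud Apps. The unchanged line that follows says authentication context works with users or workload identities, but not in the same Conditional Access policy. Since the new example is about an administrator activating a role, consider stating that the PIM case is a user-targeted policy so the two statements read consistently.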
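Review bot: In the second hunk of PATCH 1/3 (@@ -233,11), the new list item has two problems in the added line. The link text spells "Priviledged" where it should be "Privileged". The target "id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#...-authentication-context.md" puts ".md" after the fragment and has no root prefix, unlike the neighbouring "/purview/..." and "~/identity-platform/..." links, so it will not resolve. The item also sits under the heading "Tag resources with authentication contexts", while the added prose describes enforcement on role activation. Either adjust the heading or add a short phrase in the intro line so the PIM entry does not read as a resource-tagging article.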
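Review bot: In PATCH 2/3 (@@ -238,7), removing ".md" fixes only the misplaced extension. The replacement link still begins with "id-governance/..." and has no leading "/" or "~/", so it is resolved relative to docs/identity/conditional-access/ and stays broken until PATCH 3/3. Squash this commit into the final fix, or use the root-relative path here, so no intermediate revision ships a dead link. The "Priviledged" misspelling is also carried over unchanged in the "+" line.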
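Review bot: In PATCH 3/3 (@@ -238,7), the final "+" line still reads "[Priviledged Identity Management - ...", so the series merges with the misspelling in the published link text. Change it to "Privileged". The path is now root-relative ("/entra/id-governance/..."), which matches the "/purview/..." style used above. The target slug is "pim-resource-roles-configure-role-settings", while the prose added in PATCH 1/3 speaks of "activating a privileged role through PIM" in general. If the setting also applies to other role types, link the matching article as well or narrow the link text, so readers do not assume the requirement is limited to resource roles.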