This project shows how Microsoft Entra ID (formerly Azure Active Directory, Azure AD) Conditional Access authentication context, combined with GPS-based named locations, can help financial services institutions (FSIs) meet legal and regulatory requirements: access to customer data in line-of-business (LOB) applications is restricted to approved geographic locations. The user's GPS coordinates are supplied by the Microsoft Authenticator app to Azure AD, which evaluates them against the Conditional Access policy bound to the authentication context; the application itself never sees or trusts the raw location, only the resulting claim in a token signed by Azure AD.
An administrator (A) configures one Conditional Access policy per authentication context, binding each context to a GPS named location, for example C1 to Switzerland, C2 to Spain and C3 to the United Kingdom. This mapping is configured once.
Application developers (B) make their applications authentication-context aware: they enable step-up authentication and request the required claim for each sensitive action. Action 1, for instance, requires the authentication context claim acrs=C1.
A user of App 1 has already signed in. Within App 1, the user attempts Action 1.
Action 1 cannot be completed without authentication context claim C1. If the validated access token does not carry the acrs claim with value C1, App 1 initiates a claims challenge.
Azure AD obtains the user's location from the Authenticator app and evaluates Conditional Access policy C1, which maps claim C1 to the GPS named location CH (Switzerland).
If this is the first time the user shares location data, Authenticator asks for consent and the user submits their location.
If the reported location falls inside CH (Switzerland), Azure AD issues a new access token that carries claim C1.
The call returns to App 1 with the new access token containing claim C1, and Action 1 completes.
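The steps above, from the token check in App 1 through the claims challenge and back, as an added Python example that is not part of this project's code. It assumes the app's token middleware has already validated the access token (the sample claim sets below are constructed dicts, not real tokens), uses the lowercase id "c1" for the Switzerland context (Azure AD authentication context ids are c1 to c99), and uses a placeholder authorization_uri; the WWW-Authenticate shape with error="insufficient_claims" and a base64-encoded claims value is the Microsoft identity platform claims-challenge format.

```python
import base64
import json
import re
from typing import Optional, Tuple

# Authentication context required for Action 1 ("c1" is the page's Switzerland context).
ACTION1_REQUIRED_ACRS = "c1"
# Hypothetical authorization endpoint for the challenge header (assumption:
# the app's real tenant authority goes here).
AUTHORIZATION_URI = "https://login.microsoftonline.com/common/oauth2/authorize"

# Constructed sample claim sets, not real tokens: the payload App 1 sees after its
# token middleware has validated signature, audience and expiry.
TOKEN_BEFORE = {"aud": "api://app1", "sub": "user-1", "acrs": []}      # after initial sign-in
TOKEN_AFTER = {"aud": "api://app1", "sub": "user-1", "acrs": ["c1"]}   # reissued after CA passed


def has_auth_context(claims: dict, required: str) -> bool:
    """True if the validated claim set carries the required acrs value.

    The decision rests on the acrs claim in the Azure AD-signed token, never on
    a location value reported by the client; only Azure AD sees the GPS data.
    """
    acrs = claims.get("acrs", [])
    if isinstance(acrs, str):  # a single value may arrive as a bare string
        acrs = [acrs]
    return required in acrs


def build_claims_challenge(required: str) -> str:
    """Claims-parameter JSON asking Azure AD to satisfy the context on the next token."""
    return json.dumps(
        {"access_token": {"acrs": {"essential": True, "value": required}}},
        separators=(",", ":"),
    )


def www_authenticate_header(required: str) -> str:
    """WWW-Authenticate value for the 401 claims-challenge response.

    Azure AD convention: the claims JSON is base64-encoded inside claims="...".
    """
    encoded = base64.b64encode(build_claims_challenge(required).encode()).decode()
    return (
        f'Bearer realm="", authorization_uri="{AUTHORIZATION_URI}", '
        f'error="insufficient_claims", claims="{encoded}"'
    )


def handle_action1(claims: dict) -> Tuple[int, Optional[str]]:
    """Server side of the Action 1 check: (status, WWW-Authenticate header or None)."""
    if has_auth_context(claims, ACTION1_REQUIRED_ACRS):
        return 200, None
    return 401, www_authenticate_header(ACTION1_REQUIRED_ACRS)


def parse_claims_challenge(header: str) -> Optional[dict]:
    """Client side: recover the claims JSON from a WWW-Authenticate challenge.

    Returns None if the header is not an insufficient_claims challenge. The
    returned dict is passed as the claims parameter when the client re-acquires
    the token, which makes Azure AD evaluate Conditional Access policy C1.
    """
    if 'error="insufficient_claims"' not in header:
        return None
    match = re.search(r'claims="([^"]+)"', header)
    if not match:
        return None
    raw = match.group(1)
    try:
        raw = base64.b64decode(raw, validate=True).decode()
    except ValueError:
        pass  # tolerate an unencoded JSON value
    return json.loads(raw)


if __name__ == "__main__":
    status, header = handle_action1(TOKEN_BEFORE)  # 401 plus claims challenge
    print(status, parse_claims_challenge(header))  # client extracts the claims
    print(handle_action1(TOKEN_AFTER))             # (200, None) once acrs has c1
```

The dict returned by parse_claims_challenge is what the client hands to its token library (for example MSAL Python's claims_challenge argument) on the next token request; Azure AD then runs policy C1 against the Authenticator-reported location and, on success, returns the token that handle_action1 accepts.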