guides-conditional-access

📋 Overview & Zero Trust

Conditional Access is the Zero Trust policy engine of Microsoft Entra ID. It evaluates signals (user, device, location, app, risk) and enforces access controls (allow, MFA, block) in real time for every access request.

🔍

Verify Explicitly

Always authenticate and authorize using all available signals

🔒

Least Privilege Access

Limit access with JIT, JEA, risk-based policies, and data protection

💥

Assume Breach

Minimize blast radius, segment access, verify end-to-end encryption

📋 License Requirements

Feature	License
Conditional Access (basic policies)	Entra ID P1
Named Locations	Entra ID P1
User/Sign-in Risk Policies	Entra ID P2
Continuous Access Evaluation (CAE)	Entra ID P1
Workload Identity CA	Workload Identities P1

🏗️ Policy Anatomy

📥 Assignments (When to apply)

Users / Groups: All users, specific groups, roles, guest users
Cloud apps: All apps, Microsoft 365, specific apps
Conditions: Platform, Location, Client app, Sign-in risk, Device state

📤 Grant Controls (What to require)

Require MFA
Require device to be marked as compliant
Require Hybrid Entra ID joined device
Require approved client app
Require app protection policy (MAM)
Block access

Test in Report-Only mode first! Always create CA policies in Report-Only mode and analyze sign-in logs before enabling enforcement. One misconfigured policy can lock out all users.

📡 Signals & Conditions

👤 Identity Signals

User risk (Entra ID Protection)
Sign-in risk level
Directory role membership
Guest / external user type

💻 Device Signals

Device compliance state (Intune)
Hybrid Entra ID join status
Platform: Windows, iOS, Android, macOS
Device filter (custom attributes)

🌐 Network Signals

Named locations (IP ranges)
Compliant network location
Country / region filter
Trusted vs. untrusted locations

🔢 Require MFA Policies

Policy 1: MFA for All Users – All Cloud Apps

Users: All users (exclude Break-Glass) | Apps: All cloud apps | Conditions: None

Grant: Require multi-factor authentication

Policy 2: MFA for External (Guest) Users

Users: Guest / external users | Apps: All cloud apps | Conditions: None

Grant: Require MFA + Require compliant device (OR)

Policy 3: MFA for Azure Management

Users: All users | Apps: Microsoft Azure Management | Conditions: None

Grant: Require MFA

✅ Require Compliant Device

Policy 4: Compliant Device for Microsoft 365

Users: All users (exclude Break-Glass, service accounts) | Apps: Office 365 suite | Platforms: Windows, iOS, Android, macOS

Grant: Require device marked as compliant (OR Hybrid Entra joined)

Exclude Linux, Windows Phone, and other unsupported platforms from compliant device policies. Deploy MAM (App Protection Policies) as alternative for BYOD platforms that can't be enrolled.

Policy 5: MAM for BYOD Mobile (Fallback)

Users: All users | Apps: Office 365 | Platforms: iOS, Android | Client apps: Browser excluded

Grant: Require approved client app AND require app protection policy

🚫 Block Legacy Authentication

Legacy authentication (Basic Auth, IMAP, POP3, SMTP Auth, ActiveSync) does NOT support MFA. Attackers use it to bypass MFA. Block it as soon as possible — it's one of the highest-impact security improvements you can make.

Policy 6: Block Legacy Authentication Protocols

Users: All users | Apps: All cloud apps | Client apps: Exchange ActiveSync, Other clients (IMAP/POP/SMTP)

Grant: Block access

📋 Legacy Auth Protocols to Block

Protocol	App	MFA Support
Basic Auth / IMAP	Old mail clients	❌ None
POP3	Old mail clients	❌ None
SMTP Auth	Legacy send-as apps	❌ None
Exchange ActiveSync (Basic)	Old mobile devices	❌ None
MAPI over HTTP (modern)	Outlook 2016+	✅ Supported

👑 Admin MFA & Privileged Access

Policy 7: Require MFA for All Admin Roles

Users: Directory roles: Global Admin, Security Admin, Exchange Admin, SharePoint Admin, User Admin, etc. | Apps: All cloud apps

Grant: Require MFA + Require compliant device (AND)

Policy 8: Require Phishing-Resistant MFA for Global Admin

Users: Global Administrator role | Apps: All cloud apps

Grant: Require authentication strength = Phishing-resistant MFA (FIDO2 key or Windows Hello)

⚠️ Risky Users & Sign-ins

These policies require Entra ID P2 and Entra ID Protection (Identity Protection) to be enabled. Risk signals are generated by Microsoft's machine learning models based on leak databases, unusual travel, impossible travel, etc.

Policy 9: High Sign-in Risk → Require MFA

Users: All users | Apps: All cloud apps | Sign-in Risk: High

Grant: Require MFA (and block if risk remains high after MFA)

Policy 10: High User Risk → Force Password Change

Users: All users | Apps: All cloud apps | User Risk: High

Grant: Require MFA + Require password change

🌍 Location-Based Policies

Policy 11: Block Access from Non-Approved Countries

Users: All users (exclude Break-Glass) | Apps: All cloud apps | Locations: All locations EXCEPT [Named: Approved Countries]

Grant: Block access

Policy 12: MFA from Outside Trusted Networks

Users: All users | Apps: All cloud apps | Locations: All locations EXCEPT [Named: Trusted Office IPs]

Grant: Require MFA

⚡ Continuous Access Evaluation (CAE)

CAE allows Entra ID to revoke access tokens within seconds when a critical event occurs (password change, account disable, location change) — instead of waiting for token expiry (60–90 minutes). This dramatically reduces the window of unauthorized access.

⚡ CAE Trigger Events

User password changed or reset
Account disabled or deleted
MFA authentication requirements changed
IP address changed significantly during session
Refresh token revoked by admin
High risk user/sign-in detected

🔧 CAE Configuration

Enabled by default for supported apps (Exchange Online, Teams, SharePoint)
No additional configuration required
Customize: Entra ID → Security → Continuous access evaluation
Configure Strict location enforcement (disable strict for mobility users)

🚨 Break-Glass Accounts

Break-Glass (emergency access) accounts must be excluded from ALL Conditional Access policies — they are the safety net if your CA configuration locks out all admins. Losing access to these means losing control of your tenant.

🔐 Break-Glass Account Requirements

2 accounts minimum per tenant
Cloud-only accounts (not synced from on-prem AD)
NOT federated — use Entra ID local credentials only
Long, complex random passwords (stored in vault)
Global Administrator role assigned permanently
No phone number or personal email for MFA
FIDO2 hardware key for authentication

📋 Break-Glass Operations

Store credentials in physical secure location (safe)
Test access monthly — verify they can log in
Monitor: Alert on any sign-in from break-glass accounts
Exclude from ALL CA policies by group membership
Review activity log: should have zero normal sign-ins

Set up Azure Monitor alert: fire immediately on any break-glass account login.

📊 Reports & Monitoring

📈 Sign-in Logs

Entra ID → Sign-in logs
Filter by CA policy status
Success / Failure / Interrupted
Report-Only mode impact preview

📋 CA Policy Report

Entra ID → Security → Conditional Access → Insights
Per-policy success/failure rate
Affected users count
Policy impact over time

🔍 What If Tool

Simulate CA outcome for a specific user+app+condition
Entra ID → CA → What If
Test before enabling enforcement
Essential for troubleshooting access issues

💻 PowerShell & Graph API

# Get all Conditional Access policies
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessPolicy |
  Select-Object DisplayName, State, CreatedDateTime |
  Sort-Object DisplayName

# Get policy details including conditions and grant controls
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "policy-guid" |
  Select-Object DisplayName, @{N="Users";E={$_.Conditions.Users}},
    @{N="Apps";E={$_.Conditions.Applications}},
    @{N="Grant";E={$_.GrantControls}}

# Create a CA policy via Graph (Report-Only mode)
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
{
  "displayName": "CA001 - Require MFA for All Users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"], "excludeGroups": ["break-glass-group-id"] },
    "applications": { "includeApplications": ["All"] }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}

# Export sign-in logs with CA policy results
Get-MgAuditLogSignIn -Filter "createdDateTime ge 2026-05-20" -Top 1000 |
  Select-Object UserPrincipalName, AppDisplayName, Status,
    @{N="CAPolicies";E={$_.AppliedConditionalAccessPolicies.DisplayName}} |
  Export-Csv "C:\Reports\SignIns-CA.csv" -NoTypeInformation

Conditional Access & Zero Trust