๐ Conditional Access
Microsoft Entra ID's core Zero Trust policy engine โ collect signals, make decisions, enforce access controls.
๐ฏ What is Conditional Access?
Conditional Access (CA) is the Policy Engine of Microsoft Entra ID. It lets you define: "Who, What, From Where, and Under What Conditions โ can access a resource."
Unlike a traditional firewall that blocks by IP, CA understands identity, device, application, and location โ enabling granular decisions: Allow, Require MFA, Require managed device, or Block.
๐๏ธ Architecture โ Request Flow
When multiple policies apply to the same user, the most restrictive requirement wins. If CA-001 requires MFA and CA-002 requires a compliant device, the user needs both MFA AND a compliant device.
๐งฉ Policy Components
Assignments (Who)
- ๐ฅ Users/Groups โ who the policy applies to
- ๐ข Workload Identities โ Service Principals
- โ๏ธ Cloud Apps โ which applications
- ๐ Conditions โ additional filters (see below)
Conditions
- โก User Risk โ P2 โ leaked credentials, compromised account
- ๐ Sign-in Risk โ P2 โ anomalous sign-in behavior
- ๐ฑ Device Platforms โ Windows, iOS, Android...
- ๐ Locations โ Named Locations / Any location
- ๐ฌ Client Apps โ Browser, Mobile Apps, Legacy
- ๐ป Device State โ Compliant, Hybrid joined
- ๐ Authentication Flows โ Device code flow
Grant Controls (What to require)
- ๐ซ Block access
- ๐ฒ Require MFA
- โ Require compliant device
- ๐ Require Hybrid Azure AD joined
- โ๏ธ Require approved client app
- ๐ก๏ธ Require app protection policy
- ๐ Require password change
- ๐ชช Require Authentication Strength
Session Controls
- โฑ๏ธ Sign-in Frequency โ re-auth every X hours/days
- ๐ซ Persistent Browser Session โ prevent "stay signed in"
- ๐ MCAS/Defender Integration โ App Control
- ๐ Token Protection โ P2
- โฌ๏ธ Disable download/print/copy โ via MCAS
๐ License Requirements
| Feature | License | Notes |
|---|---|---|
| Conditional Access itself | P1 | Included in M365 Business Premium, E3+ |
| User Risk / Sign-in Risk | P2 | Requires Entra ID Protection |
| Token Protection | P2 | Preview / GA |
| Authentication Strength (Custom) | P1 | Built-in strengths are free |
| Workload Identity CA | P2 + addon | Workload Identities Premium add-on |
| Named Locations | P1 | |
| App Protection Policy in CA | P1 + Intune | MAM without MDM |
| MCAS Session Controls | P1 + Defender for Cloud Apps | Included in M365 E5 |
๐ท๏ธ Naming Convention
Consistent naming is critical for manageability โ especially when you have dozens of policies.
CA-001-Require-MFA-AllUsers-AllApps CA-002-Block-Legacy-Auth-AllUsers CA-010-Require-Compliant-Device-AllUsers-Office365 CA-020-Require-MFA-Admins-AllApps CA-030-Block-HighRisk-Users-AllApps CA-040-Session-Limit-8h-External-SharePoint CA-999-BREAKGLASS (not a policy โ it's the exclusion group)
Reserve ranges: 001-009 for basic identity policies, 010-019 for device, 020-029 for admins, 030-039 for risk-based, 040-049 for session. This makes it easy to insert new policies later.
โ ๏ธ Break Glass Accounts
If you misconfigure a CA policy and lock yourself out โ Break Glass is your emergency key. Without it, the Azure portal will be inaccessible to you.
Setting Up Break Glass
- Create 2 dedicated accountsUse names like
breakglass1@domain.onmicrosoft.comโ use*.onmicrosoft.comso they're not dependent on federation. Strong password, 30+ characters, unique.Assign Global Admin roleWithout PIM activation requirements โ they must work when everything else is broken.Exclude from every CA PolicyCreate a groupCA-BreakGlass-Excludeโ add both accounts โ add this group to the Exclude section of every CA policy.No MFA, No Device ComplianceThe long, complex password IS the protection โ not MFA. If MFA infrastructure breaks, Break Glass should still work.Set an alert on every sign-inAny sign-in on a Break Glass account should trigger an alert. Configure a KQL alert in Sentinel/Log Analytics.Store physicallyThe password lives in a physical safe, NOT in a password manager that can be locked out alongside everything else.KQL โ Alert on Break Glass Sign-inSigninLogs | where UserPrincipalName in ("breakglass1@yourdomain.onmicrosoft.com", "breakglass2@yourdomain.onmicrosoft.com") | project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType, AppDisplayName | order by TimeGenerated desc
๐ Report-Only Mode
Report-Only is a mode where the policy reports what it would have done โ without enforcing it. Essential before enabling any new policy.
Report-Only SuccessThe policy would have succeeded โ the user met the requirementsReport-Only FailureThe policy would have blocked โ without actually blockingRecommended Workflow
- Enable in Report-OnlyEvery new policy starts as Report-OnlyMonitor for 7โ14 daysCheck Sign-in Logs โ Conditional Access tab โ see how many sign-ins would have been blockedTune exceptionsAdd Exclude for service accounts, pipeline agents, specialized devicesSwitch to EnabledOnce you're confident there are no false positives
๐งช What If Tool
The What If tool in Entra ID lets you simulate: "If user X signs in from Y to application Z โ which CA policies would apply?"
Where to Find It
Entra Admin Center โ Protection โ Conditional Access โ What IfInput ParametersUser, Cloud App, IP/Location, Device Platform, Client App, Sign-in Risk levelOutputList of applicable policies, what they require, and what the net outcome would beAlways Test Before EnforcingBefore any change โ run What If against Break Glass accounts, service accounts, and regular users. Confirms there are no unexpected lockouts.
๐ Named Locations
Named Locations let you define IP ranges or countries that carry specific meaning (Office, Trusted network, Block-listed regions).
IP Ranges
- ๐ข Corporate Office โ known IPs, mark as Trusted
- ๐ VPN Range โ when using split-tunnel VPN
- ๐ซ Block List โ known malicious ISPs/ASNs
Country Locations
- ๐ Allowed Countries โ US, UK, EU, Israel
- โ Blocked Regions โ countries you don't expect logins from
- โ ๏ธ Unknown Countries โ Tor, anonymizers
GeoIP is Not PerfectVPNs, Tor, and some CDNs can bypass Country Blocking. Use it as an additional security layer, not the only one.
๐ง Identity Policies
CA-001 Require MFA โ All Users, All AppsRequiredP1โพThe foundation of every CA architecture. MFA for all interactive sign-ins, for all users, for all applications.Setting Value Users All users โ Exclude: BreakGlass Group, Service Accounts Group Cloud Apps All cloud apps Conditions โ Grant Require multifactor authentication Session โ Mode Report-Only โ Enabled after 14 days Set Up MFA Registration Policy First!Before enforcing, ensure all users are registered for MFA โ via Entra ID Protection โ MFA Registration Policy.
CA-002 Block Legacy AuthenticationRequiredP1โพLegacy Auth (SMTP AUTH, POP3, IMAP, Basic Auth) doesn't support MFA โ it's a primary attack vector. Block it completely.Setting Value Users All users โ Exclude: BreakGlass, Legacy Service Accounts Cloud Apps All cloud apps Conditions โ Client Apps Exchange ActiveSync clients + Other clients Grant Block access Check Sign-in Logs FirstFilter ClientAppUsed = "Other clients" and "Exchange ActiveSync" โ see who's still using Legacy Auth before blocking.
CA-003 Block Unknown/Unsupported Device PlatformsMediumP1โพBlock access from devices whose platform cannot be identified (Linux, unmanaged ChromeOS, etc.).Setting Value Users All users Cloud Apps All cloud apps Conditions โ Device Platforms Select platforms to ALLOW: macOS, iOS, Android, Windows โ everything else (Linux, "Other") is blocked Grant Block access ๐ป Device Policies
CA-010 Require Compliant Device โ Office 365HighP1โพRequire an Intune-Compliant device for access to Office 365. Ensures only managed, security-compliant devices can reach email, Teams, and SharePoint.Setting Value Users All users โ Exclude: BreakGlass Cloud Apps Office 365 Grant Require device to be marked as compliant OR Require Hybrid Azure AD joined Intune Enrollment RequiredBefore enforcing, ensure all devices are enrolled in Intune and have an active Compliance Policy assigned.
CA-011 Require App Protection Policy โ MobileHighP1โพAllow mobile access only through Intune-managed apps with App Protection Policy (MAM). Enables secure BYOD scenarios.Setting Value Users All users Cloud Apps Office 365 Conditions โ Device Platforms iOS, Android Grant Require approved client app AND Require app protection policy ๐ฑ Application Policies
CA-015 Session Control โ SharePoint External UsersMediumP1โพRestrict download/print/copy capabilities for external/guest users in SharePoint โ via MCAS App Control.Setting Value Users All guest and external users Cloud Apps SharePoint Online Session Use Conditional Access App Control โ Monitor only / Block downloads CA-016 Session Frequency โ Sensitive AppsMediumP1โพLimit session length for sensitive applications โ force re-authentication every X hours.Setting Value Cloud Apps Azure Portal, Exchange Admin, SharePoint Admin, Security portals Session โ Sign-in Frequency 1 hour (for admins), 8 hours (for all users) Session โ Persistent Browser Never persistent โก Risk-Based Policies (P2)
Requires Entra ID Protection (P2)Risk-based policies require Microsoft Entra ID Protection โ included in M365 E5, EMS E5, Entra ID P2.
CA-030 Block High Sign-in RiskRequiredP2โพBlock sign-ins with high risk โ such as Impossible travel, Anonymous IP, Malware-linked IP.Setting Value Users All users โ Exclude: BreakGlass Cloud Apps All cloud apps Conditions โ Sign-in Risk High Grant Block access CA-031 Require MFA โ Medium Sign-in RiskHighP2โพRequire strong, phishing-resistant MFA (FIDO2 / Authenticator) for medium-risk sign-ins.Setting Value Conditions โ Sign-in Risk Medium Grant Require MFA (Authentication Strength: Phishing-resistant MFA) CA-032 Block High User Risk + Force Password ChangeRequiredP2โพAccount with high user risk (leaked credentials) โ require password change via SSPR.Setting Value Conditions โ User Risk High Grant Require password change + Require MFA SSPR Must Be EnabledSelf-Service Password Reset must be enabled so users can reset their password and unblock themselves without calling the helpdesk.
๐ก๏ธ Admin Policies
CA-020 Require Phishing-Resistant MFA โ All AdminsRequiredP1โพAdmins are the primary target of attacks. Require strong, phishing-resistant MFA (FIDO2, Windows Hello, Certificate-based).Setting Value Users Directory roles: Global Admin, Privileged Role Admin, Security Admin, Exchange Admin, SharePoint Admin, Compliance Admin, Billing Admin, Authentication Admin + all other privileged roles Cloud Apps All cloud apps Grant Require Authentication Strength: Phishing-resistant MFA CA-021 Require Compliant Device โ Admin PortalsHighP1โพAdmins should only operate from managed, compliant devices. Privileged Access Workstations (PAW) is the ideal.Setting Value Users Directory roles (all privileged roles) Cloud Apps Microsoft Admin Portals (Azure Portal, M365 Admin, Entra) Grant Require Compliant Device OR Require Hybrid AD Joined CA-022 Block Admin Access from Non-Corporate LocationsMediumP1โพAdmins manage only from the corporate network (Trusted Location) โ external access requires VPN first.Setting Value Users Directory roles Cloud Apps Microsoft Admin Portals Conditions โ Locations All locations โ Exclude: Trusted Locations (Corporate IPs) Grant Block access (outside Trusted Location) ๐ Data Protection & Additional Policies
CA-040 Block Access from Blocked CountriesHighP1โพBlock access from countries where you don't expect legitimate sign-ins.Setting Value Users All users Cloud Apps All cloud apps Conditions โ Locations Named Location: Blocked Countries Grant Block access CA-041 Require MFA โ Azure ManagementRequiredP1โพAll access to Azure Portal, Azure CLI, PowerShell โ requires MFA, even if CA-001 already covers it. Defense in depth.Setting Value Cloud Apps Microsoft Azure Management Grant Require MFA CA-042 Block Device Code FlowHighP1โพDevice Code Flow can be exploited for token theft (Device Code Phishing). Block if there's no legitimate use case.Setting Value Conditions โ Authentication Flows Device code flow Grant Block access ๐ KQL Queries โ Monitoring & Analysis
Sign-ins Blocked by CA Policies
Sign-in Blocks by CA PolicySigninLogs | where TimeGenerated > ago(7d) | where ResultType == "53003" // CA block | mv-expand ConditionalAccessPolicies | extend PolicyName = tostring(ConditionalAccessPolicies.displayName), PolicyResult = tostring(ConditionalAccessPolicies.result) | where PolicyResult == "failure" | summarize BlockCount = count() by PolicyName, UserPrincipalName | sort by BlockCount desc
Report-Only Analysis โ What Would Have Been Blocked
Report-Only Would-Have-BlockedSigninLogs | where TimeGenerated > ago(14d) | mv-expand ConditionalAccessPolicies | extend PolicyName = tostring(ConditionalAccessPolicies.displayName), PolicyResult = tostring(ConditionalAccessPolicies.result) | where PolicyResult == "reportOnlyFailure" | summarize WouldBlock = count() by PolicyName, UserPrincipalName, AppDisplayName | sort by WouldBlock desc
Legacy Authentication Usage
Legacy Auth โ Who's Still Using It?SigninLogs | where TimeGenerated > ago(30d) | where ClientAppUsed in ("Exchange ActiveSync", "IMAP4", "MAPI", "POP3", "SMTP", "Other clients") | where ResultType == "0" // successful sign-ins only | summarize Count = count(), LastSeen = max(TimeGenerated) by UserPrincipalName, ClientAppUsed, AppDisplayName | sort by Count desc
MFA Failures โ Brute Force Detection
MFA Failures per UserSigninLogs | where TimeGenerated > ago(7d) | where ResultType in ("50074", "50076", "500121") // MFA required/failed | summarize Failures = count(), Locations = make_set(Location) by UserPrincipalName, IPAddress | where Failures > 5 | sort by Failures desc
Risky Sign-ins
Sign-in Risk โ High/MediumSigninLogs | where TimeGenerated > ago(7d) | where RiskLevelDuringSignIn in ("high", "medium") | project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn, RiskDetail, IPAddress, Location, AppDisplayName, ResultType | sort by TimeGenerated desc
Policy Coverage Gaps โ Sign-ins with No CA Policy Applied
No CA Policy AppliedSigninLogs | where TimeGenerated > ago(7d) | where ResultType == "0" | where array_length(ConditionalAccessPolicies) == 0 | where UserType == "Member" | summarize Count = count() by UserPrincipalName, AppDisplayName | sort by Count desc
โ Conditional Access Checklist
Progress: 0 / 0๐๏ธ Preparation
- Created 2 Break Glass Accounts using *.onmicrosoft.com domainRequired
- Created CA-BreakGlass-Exclude group and excluded it from every policyRequired
- Configured Log Analytics alert for every Break Glass sign-inHigh
- All new policies start in Report-Only mode for at least 7 daysRequired
- Checked Sign-in Logs before blocking Legacy AuthenticationHigh
- Configured Named Location for Corporate Office IPs
- Configured Named Location for Blocked Countries
- MFA Registration Policy enabled โ all users registeredRequired
- CA-001 โ Require MFA All Users is EnabledRequired
- CA-002 โ Block Legacy Auth is EnabledRequired
- CA-003 โ Block Unknown Platforms is Enabled
- CA-010 โ Require Compliant Device for Office 365High
- CA-011 โ App Protection Policy for Mobile
- Intune Enrollment Profile configured for all platformsHigh
- CA-020 โ Phishing-Resistant MFA for all AdminsRequired
- CA-021 โ Compliant Device for Admin PortalsHigh
- CA-022 โ Restrict Admin Access from External Locations
- All admins have FIDO2 / Windows Hello For BusinessHigh
- CA-030 โ Block High Sign-in Risk is EnabledP2
- CA-031 โ MFA for Medium Sign-in Risk is EnabledP2
- CA-032 โ Password Change on High User Risk is EnabledP2
- SSPR enabled for all usersP2
- CA-040 โ Block Blocked Countries is Enabled
- CA-041 โ Require MFA for Azure ManagementRequired
- CA-042 โ Block Device Code FlowHigh
- All policy names follow the Naming Convention
- KQL Queries configured in Log Analytics / Sentinel
- What If tool tested before every new policy enforcement
๐ Baseline Policies
๐ป Device Policies
๐ก๏ธ Admin Policies
โก Risk-Based (P2)
๐ Additional
Accessibility Options
Use these quick controls to improve readability while browsing Modern Endpoint.