๐Ÿ” Conditional Access

Microsoft Entra ID's core Zero Trust policy engine โ€” collect signals, make decisions, enforce access controls.

Azure AD P1 Azure AD P2 Free โ€” SSPR Basic Zero Trust Core

๐ŸŽฏ What is Conditional Access?

Conditional Access (CA) is the Policy Engine of Microsoft Entra ID. It lets you define: "Who, What, From Where, and Under What Conditions โ€” can access a resource."

Unlike a traditional firewall that blocks by IP, CA understands identity, device, application, and location โ€” enabling granular decisions: Allow, Require MFA, Require managed device, or Block.

๐Ÿ“ก
Signals
User, location, device, application, identity risk, sign-in risk
๐Ÿค–
Decision
Allow / Require MFA / Require compliant device / Block
๐Ÿ›ก๏ธ
Enforcement
Microsoft Entra ID issues or denies the access token

๐Ÿ—๏ธ Architecture โ€” Request Flow

๐Ÿ‘ค
User Signs In
Any client
โ†’
๐Ÿ“ก
Signal Collection
Identity, IP, device, app
โ†’
๐Ÿ”
Policy Evaluation
All applicable policies
โ†’
๐Ÿค–
Decision
Grant / Block / Session
โ†’
๐ŸŽŸ๏ธ
Token Issued
With appropriate claims
โ„น๏ธ
Policy Accumulation Principle

When multiple policies apply to the same user, the most restrictive requirement wins. If CA-001 requires MFA and CA-002 requires a compliant device, the user needs both MFA AND a compliant device.

๐Ÿงฉ Policy Components

Assignments (Who)

  • ๐Ÿ‘ฅ Users/Groups โ€” who the policy applies to
  • ๐Ÿข Workload Identities โ€” Service Principals
  • โ˜๏ธ Cloud Apps โ€” which applications
  • ๐Ÿ“ Conditions โ€” additional filters (see below)

Conditions

  • โšก User Risk โ€” P2 โ€” leaked credentials, compromised account
  • ๐Ÿ”’ Sign-in Risk โ€” P2 โ€” anomalous sign-in behavior
  • ๐Ÿ“ฑ Device Platforms โ€” Windows, iOS, Android...
  • ๐Ÿ“ Locations โ€” Named Locations / Any location
  • ๐Ÿ’ฌ Client Apps โ€” Browser, Mobile Apps, Legacy
  • ๐Ÿ’ป Device State โ€” Compliant, Hybrid joined
  • ๐Ÿ”— Authentication Flows โ€” Device code flow

Grant Controls (What to require)

  • ๐Ÿšซ Block access
  • ๐Ÿ“ฒ Require MFA
  • โœ… Require compliant device
  • ๐Ÿ”— Require Hybrid Azure AD joined
  • โœ”๏ธ Require approved client app
  • ๐Ÿ›ก๏ธ Require app protection policy
  • ๐Ÿ”‘ Require password change
  • ๐Ÿชช Require Authentication Strength

Session Controls

  • โฑ๏ธ Sign-in Frequency โ€” re-auth every X hours/days
  • ๐Ÿšซ Persistent Browser Session โ€” prevent "stay signed in"
  • ๐ŸŒ MCAS/Defender Integration โ€” App Control
  • ๐Ÿ“‹ Token Protection โ€” P2
  • โฌ‡๏ธ Disable download/print/copy โ€” via MCAS

๐Ÿ“œ License Requirements

FeatureLicenseNotes
Conditional Access itselfP1Included in M365 Business Premium, E3+
User Risk / Sign-in RiskP2Requires Entra ID Protection
Token ProtectionP2Preview / GA
Authentication Strength (Custom)P1Built-in strengths are free
Workload Identity CAP2 + addonWorkload Identities Premium add-on
Named LocationsP1
App Protection Policy in CAP1 + IntuneMAM without MDM
MCAS Session ControlsP1 + Defender for Cloud AppsIncluded in M365 E5

๐Ÿท๏ธ Naming Convention

Consistent naming is critical for manageability โ€” especially when you have dozens of policies.

Prefix
CA
-
Number
001
-
Action
Require-MFA
-
Target
AllUsers
-
Condition
AllApps
Naming Examples
CA-001-Require-MFA-AllUsers-AllApps
CA-002-Block-Legacy-Auth-AllUsers
CA-010-Require-Compliant-Device-AllUsers-Office365
CA-020-Require-MFA-Admins-AllApps
CA-030-Block-HighRisk-Users-AllApps
CA-040-Session-Limit-8h-External-SharePoint
CA-999-BREAKGLASS (not a policy โ€” it's the exclusion group)
๐Ÿ’ก
Tip: Use Number Ranges

Reserve ranges: 001-009 for basic identity policies, 010-019 for device, 020-029 for admins, 030-039 for risk-based, 040-049 for session. This makes it easy to insert new policies later.

โš ๏ธ Break Glass Accounts

๐Ÿšจ
Rule #1: Always Exclude Break Glass from Every Policy!

If you misconfigure a CA policy and lock yourself out โ€” Break Glass is your emergency key. Without it, the Azure portal will be inaccessible to you.

Setting Up Break Glass

  1. Create 2 dedicated accounts
    Use names like breakglass1@domain.onmicrosoft.com โ€” use *.onmicrosoft.com so they're not dependent on federation. Strong password, 30+ characters, unique.
  2. Assign Global Admin role
    Without PIM activation requirements โ€” they must work when everything else is broken.
  3. Exclude from every CA Policy
    Create a group CA-BreakGlass-Exclude โ†’ add both accounts โ†’ add this group to the Exclude section of every CA policy.
  4. No MFA, No Device Compliance
    The long, complex password IS the protection โ€” not MFA. If MFA infrastructure breaks, Break Glass should still work.
  5. Set an alert on every sign-in
    Any sign-in on a Break Glass account should trigger an alert. Configure a KQL alert in Sentinel/Log Analytics.
  6. Store physically
    The password lives in a physical safe, NOT in a password manager that can be locked out alongside everything else.
KQL โ€” Alert on Break Glass Sign-in
SigninLogs
| where UserPrincipalName in ("breakglass1@yourdomain.onmicrosoft.com", "breakglass2@yourdomain.onmicrosoft.com")
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType, AppDisplayName
| order by TimeGenerated desc

๐Ÿ“Š Report-Only Mode

Report-Only is a mode where the policy reports what it would have done โ€” without enforcing it. Essential before enabling any new policy.

โœ…
Report-Only Success
The policy would have succeeded โ€” the user met the requirements
โŒ
Report-Only Failure
The policy would have blocked โ€” without actually blocking

Recommended Workflow

  1. Enable in Report-Only
    Every new policy starts as Report-Only
  2. Monitor for 7โ€“14 days
    Check Sign-in Logs โ†’ Conditional Access tab โ†’ see how many sign-ins would have been blocked
  3. Tune exceptions
    Add Exclude for service accounts, pipeline agents, specialized devices
  4. Switch to Enabled
    Once you're confident there are no false positives

๐Ÿงช What If Tool

The What If tool in Entra ID lets you simulate: "If user X signs in from Y to application Z โ€” which CA policies would apply?"

Where to Find It

Entra Admin Center โ†’ Protection โ†’ Conditional Access โ†’ What If

๐ŸŽฏ
Input Parameters
User, Cloud App, IP/Location, Device Platform, Client App, Sign-in Risk level
๐Ÿ“‹
Output
List of applicable policies, what they require, and what the net outcome would be
๐Ÿ’ก
Always Test Before Enforcing

Before any change โ€” run What If against Break Glass accounts, service accounts, and regular users. Confirms there are no unexpected lockouts.

๐Ÿ“ Named Locations

Named Locations let you define IP ranges or countries that carry specific meaning (Office, Trusted network, Block-listed regions).

IP Ranges

  • ๐Ÿข Corporate Office โ€” known IPs, mark as Trusted
  • ๐Ÿ  VPN Range โ€” when using split-tunnel VPN
  • ๐Ÿšซ Block List โ€” known malicious ISPs/ASNs

Country Locations

  • ๐ŸŒ Allowed Countries โ€” US, UK, EU, Israel
  • โ›” Blocked Regions โ€” countries you don't expect logins from
  • โš ๏ธ Unknown Countries โ€” Tor, anonymizers
โš ๏ธ
GeoIP is Not Perfect

VPNs, Tor, and some CDNs can bypass Country Blocking. Use it as an additional security layer, not the only one.

๐Ÿง‘ Identity Policies

CA-001 Require MFA โ€” All Users, All Apps
RequiredP1
โ–พ
The foundation of every CA architecture. MFA for all interactive sign-ins, for all users, for all applications.
SettingValue
UsersAll users โ€” Exclude: BreakGlass Group, Service Accounts Group
Cloud AppsAll cloud apps
Conditionsโ€”
GrantRequire multifactor authentication
Sessionโ€”
ModeReport-Only โ†’ Enabled after 14 days
โš ๏ธ
Set Up MFA Registration Policy First!

Before enforcing, ensure all users are registered for MFA โ€” via Entra ID Protection โ†’ MFA Registration Policy.

CA-002 Block Legacy Authentication
RequiredP1
โ–พ
Legacy Auth (SMTP AUTH, POP3, IMAP, Basic Auth) doesn't support MFA โ€” it's a primary attack vector. Block it completely.
SettingValue
UsersAll users โ€” Exclude: BreakGlass, Legacy Service Accounts
Cloud AppsAll cloud apps
Conditions โ†’ Client AppsExchange ActiveSync clients + Other clients
GrantBlock access
โ„น๏ธ
Check Sign-in Logs First

Filter ClientAppUsed = "Other clients" and "Exchange ActiveSync" โ€” see who's still using Legacy Auth before blocking.

CA-003 Block Unknown/Unsupported Device Platforms
MediumP1
โ–พ
Block access from devices whose platform cannot be identified (Linux, unmanaged ChromeOS, etc.).
SettingValue
UsersAll users
Cloud AppsAll cloud apps
Conditions โ†’ Device PlatformsSelect platforms to ALLOW: macOS, iOS, Android, Windows โ€” everything else (Linux, "Other") is blocked
GrantBlock access

๐Ÿ’ป Device Policies

CA-010 Require Compliant Device โ€” Office 365
HighP1
โ–พ
Require an Intune-Compliant device for access to Office 365. Ensures only managed, security-compliant devices can reach email, Teams, and SharePoint.
SettingValue
UsersAll users โ€” Exclude: BreakGlass
Cloud AppsOffice 365
GrantRequire device to be marked as compliant OR Require Hybrid Azure AD joined
โš ๏ธ
Intune Enrollment Required

Before enforcing, ensure all devices are enrolled in Intune and have an active Compliance Policy assigned.

CA-011 Require App Protection Policy โ€” Mobile
HighP1
โ–พ
Allow mobile access only through Intune-managed apps with App Protection Policy (MAM). Enables secure BYOD scenarios.
SettingValue
UsersAll users
Cloud AppsOffice 365
Conditions โ†’ Device PlatformsiOS, Android
GrantRequire approved client app AND Require app protection policy

๐Ÿ“ฑ Application Policies

CA-015 Session Control โ€” SharePoint External Users
MediumP1
โ–พ
Restrict download/print/copy capabilities for external/guest users in SharePoint โ€” via MCAS App Control.
SettingValue
UsersAll guest and external users
Cloud AppsSharePoint Online
SessionUse Conditional Access App Control โ†’ Monitor only / Block downloads
CA-016 Session Frequency โ€” Sensitive Apps
MediumP1
โ–พ
Limit session length for sensitive applications โ€” force re-authentication every X hours.
SettingValue
Cloud AppsAzure Portal, Exchange Admin, SharePoint Admin, Security portals
Session โ†’ Sign-in Frequency1 hour (for admins), 8 hours (for all users)
Session โ†’ Persistent BrowserNever persistent

โšก Risk-Based Policies (P2)

โ„น๏ธ
Requires Entra ID Protection (P2)

Risk-based policies require Microsoft Entra ID Protection โ€” included in M365 E5, EMS E5, Entra ID P2.

CA-030 Block High Sign-in Risk
RequiredP2
โ–พ
Block sign-ins with high risk โ€” such as Impossible travel, Anonymous IP, Malware-linked IP.
SettingValue
UsersAll users โ€” Exclude: BreakGlass
Cloud AppsAll cloud apps
Conditions โ†’ Sign-in RiskHigh
GrantBlock access
CA-031 Require MFA โ€” Medium Sign-in Risk
HighP2
โ–พ
Require strong, phishing-resistant MFA (FIDO2 / Authenticator) for medium-risk sign-ins.
SettingValue
Conditions โ†’ Sign-in RiskMedium
GrantRequire MFA (Authentication Strength: Phishing-resistant MFA)
CA-032 Block High User Risk + Force Password Change
RequiredP2
โ–พ
Account with high user risk (leaked credentials) โ€” require password change via SSPR.
SettingValue
Conditions โ†’ User RiskHigh
GrantRequire password change + Require MFA
โœ…
SSPR Must Be Enabled

Self-Service Password Reset must be enabled so users can reset their password and unblock themselves without calling the helpdesk.

๐Ÿ›ก๏ธ Admin Policies

CA-020 Require Phishing-Resistant MFA โ€” All Admins
RequiredP1
โ–พ
Admins are the primary target of attacks. Require strong, phishing-resistant MFA (FIDO2, Windows Hello, Certificate-based).
SettingValue
UsersDirectory roles: Global Admin, Privileged Role Admin, Security Admin, Exchange Admin, SharePoint Admin, Compliance Admin, Billing Admin, Authentication Admin + all other privileged roles
Cloud AppsAll cloud apps
GrantRequire Authentication Strength: Phishing-resistant MFA
CA-021 Require Compliant Device โ€” Admin Portals
HighP1
โ–พ
Admins should only operate from managed, compliant devices. Privileged Access Workstations (PAW) is the ideal.
SettingValue
UsersDirectory roles (all privileged roles)
Cloud AppsMicrosoft Admin Portals (Azure Portal, M365 Admin, Entra)
GrantRequire Compliant Device OR Require Hybrid AD Joined
CA-022 Block Admin Access from Non-Corporate Locations
MediumP1
โ–พ
Admins manage only from the corporate network (Trusted Location) โ€” external access requires VPN first.
SettingValue
UsersDirectory roles
Cloud AppsMicrosoft Admin Portals
Conditions โ†’ LocationsAll locations โ€” Exclude: Trusted Locations (Corporate IPs)
GrantBlock access (outside Trusted Location)

๐Ÿ”’ Data Protection & Additional Policies

CA-040 Block Access from Blocked Countries
HighP1
โ–พ
Block access from countries where you don't expect legitimate sign-ins.
SettingValue
UsersAll users
Cloud AppsAll cloud apps
Conditions โ†’ LocationsNamed Location: Blocked Countries
GrantBlock access
CA-041 Require MFA โ€” Azure Management
RequiredP1
โ–พ
All access to Azure Portal, Azure CLI, PowerShell โ€” requires MFA, even if CA-001 already covers it. Defense in depth.
SettingValue
Cloud AppsMicrosoft Azure Management
GrantRequire MFA
CA-042 Block Device Code Flow
HighP1
โ–พ
Device Code Flow can be exploited for token theft (Device Code Phishing). Block if there's no legitimate use case.
SettingValue
Conditions โ†’ Authentication FlowsDevice code flow
GrantBlock access

๐Ÿ“Š KQL Queries โ€” Monitoring & Analysis

Sign-ins Blocked by CA Policies

Sign-in Blocks by CA Policy
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "53003" // CA block
| mv-expand ConditionalAccessPolicies
| extend
    PolicyName = tostring(ConditionalAccessPolicies.displayName),
    PolicyResult = tostring(ConditionalAccessPolicies.result)
| where PolicyResult == "failure"
| summarize BlockCount = count() by PolicyName, UserPrincipalName
| sort by BlockCount desc

Report-Only Analysis โ€” What Would Have Been Blocked

Report-Only Would-Have-Blocked
SigninLogs
| where TimeGenerated > ago(14d)
| mv-expand ConditionalAccessPolicies
| extend
    PolicyName = tostring(ConditionalAccessPolicies.displayName),
    PolicyResult = tostring(ConditionalAccessPolicies.result)
| where PolicyResult == "reportOnlyFailure"
| summarize WouldBlock = count() by PolicyName, UserPrincipalName, AppDisplayName
| sort by WouldBlock desc

Legacy Authentication Usage

Legacy Auth โ€” Who's Still Using It?
SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in ("Exchange ActiveSync", "IMAP4", "MAPI", "POP3", "SMTP", "Other clients")
| where ResultType == "0" // successful sign-ins only
| summarize Count = count(), LastSeen = max(TimeGenerated)
    by UserPrincipalName, ClientAppUsed, AppDisplayName
| sort by Count desc

MFA Failures โ€” Brute Force Detection

MFA Failures per User
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType in ("50074", "50076", "500121") // MFA required/failed
| summarize Failures = count(), Locations = make_set(Location)
    by UserPrincipalName, IPAddress
| where Failures > 5
| sort by Failures desc

Risky Sign-ins

Sign-in Risk โ€” High/Medium
SigninLogs
| where TimeGenerated > ago(7d)
| where RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn,
           RiskDetail, IPAddress, Location, AppDisplayName, ResultType
| sort by TimeGenerated desc

Policy Coverage Gaps โ€” Sign-ins with No CA Policy Applied

No CA Policy Applied
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"
| where array_length(ConditionalAccessPolicies) == 0
| where UserType == "Member"
| summarize Count = count() by UserPrincipalName, AppDisplayName
| sort by Count desc

โœ… Conditional Access Checklist

Progress:
0 / 0

๐Ÿ—๏ธ Preparation

  • Created 2 Break Glass Accounts using *.onmicrosoft.com domainRequired
  • Created CA-BreakGlass-Exclude group and excluded it from every policyRequired
  • Configured Log Analytics alert for every Break Glass sign-inHigh
  • All new policies start in Report-Only mode for at least 7 daysRequired
  • Checked Sign-in Logs before blocking Legacy AuthenticationHigh
  • Configured Named Location for Corporate Office IPs
  • Configured Named Location for Blocked Countries
  • MFA Registration Policy enabled โ€” all users registeredRequired
  • ๐Ÿ” Baseline Policies

  • CA-001 โ€” Require MFA All Users is EnabledRequired
  • CA-002 โ€” Block Legacy Auth is EnabledRequired
  • CA-003 โ€” Block Unknown Platforms is Enabled
  • ๐Ÿ’ป Device Policies

  • CA-010 โ€” Require Compliant Device for Office 365High
  • CA-011 โ€” App Protection Policy for Mobile
  • Intune Enrollment Profile configured for all platformsHigh
  • ๐Ÿ›ก๏ธ Admin Policies

  • CA-020 โ€” Phishing-Resistant MFA for all AdminsRequired
  • CA-021 โ€” Compliant Device for Admin PortalsHigh
  • CA-022 โ€” Restrict Admin Access from External Locations
  • All admins have FIDO2 / Windows Hello For BusinessHigh
  • โšก Risk-Based (P2)

  • CA-030 โ€” Block High Sign-in Risk is EnabledP2
  • CA-031 โ€” MFA for Medium Sign-in Risk is EnabledP2
  • CA-032 โ€” Password Change on High User Risk is EnabledP2
  • SSPR enabled for all usersP2
  • ๐Ÿ”’ Additional

  • CA-040 โ€” Block Blocked Countries is Enabled
  • CA-041 โ€” Require MFA for Azure ManagementRequired
  • CA-042 โ€” Block Device Code FlowHigh
  • All policy names follow the Naming Convention
  • KQL Queries configured in Log Analytics / Sentinel
  • What If tool tested before every new policy enforcement