Conditional Access Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering Conditional Access Policies in Microsoft Entra
Introduction: The New Perimeter of Identity
In the traditional era of network security, we relied on the "castle and moat" approach. If you were inside the office network, you were trusted; if you were outside, you were blocked. However, as organizations have moved to cloud-based services and remote work has become the standard, that physical perimeter has vanished. Today, the identity of the user is the new perimeter. Protecting that identity is no longer just about a strong password, but about understanding the context of every single login attempt.
Conditional Access (CA) policies serve as the primary engine for this identity-centric security model in Microsoft Entra ID. At its core, Conditional Access is a decision-making engine that evaluates signals—such as who the user is, where they are, what device they are using, and what application they are trying to access—to enforce security requirements in real-time. Instead of a binary "allow or deny" approach, CA allows organizations to apply granular controls, such as requiring multi-factor authentication (MFA) only when a user travels to a high-risk country or blocking access entirely if a device is known to be infected with malware.
Understanding Conditional Access is critical for any IT professional because it provides the flexibility to balance user productivity with security. If you make security too restrictive, users will find ways to bypass it, which creates "shadow IT" and increases risk. If you make it too loose, you leave the organization vulnerable to credential theft and unauthorized data access. Mastering these policies allows you to create a "just-enough-access" environment that adapts to the modern, fluid workplace.
The Mechanics of Conditional Access: How it Works
To understand how Conditional Access functions, it helps to visualize it as an "if-then" statement. The system evaluates a set of signals (the "if") and then applies specific controls (the "then"). This evaluation happens during the authentication process, meaning the policy is applied before the user is ever granted access to the requested resource.
The Signal Phase (The "If")
The signals are the data points that the Entra ID service collects during the authentication attempt. These signals include:
- User or Group Membership: Who is the user? Are they part of the finance department, or are they a guest user from a partner organization?
- IP Address Location: Where is the request coming from? Is it a trusted office network, or a public Wi-Fi in an unfamiliar region?
- Device Platform and State: Is the user on a managed Windows laptop, an unmanaged personal phone, or a Linux machine? Is the device compliant with your organization’s security policies?
- Application Sensitivity: What resource is being accessed? Accessing a public marketing site might have different requirements than accessing a database containing sensitive customer PII.
- Risk Scores: Microsoft’s Identity Protection engine calculates a real-time risk score based on leaked credentials, impossible travel patterns, or unusual sign-in activity.
The Decision Phase (The "Then")
Once the signals are gathered, the Conditional Access policy determines the outcome. The outcomes generally fall into three categories:
- Block Access: The most restrictive outcome, used when the risk is too high or the conditions are completely unacceptable.
- Grant Access with Requirements: The user is allowed in, but only after satisfying specific conditions like MFA, password changes, or device compliance verification.
- Session Controls: These allow you to limit the experience after access is granted. For example, you can force a session to be browser-only or restrict the ability to download files from an application.
Callout: Conditional Access vs. Identity Protection It is common to confuse Conditional Access with Identity Protection. Think of Identity Protection as the "intelligence" that detects suspicious activity (e.g., "This user is logging in from a dark-web-leaked password"). Think of Conditional Access as the "enforcement" mechanism that takes that intelligence and says, "Because the risk is high, I will force an MFA challenge." They work together to create a cohesive security posture.
Designing and Implementing Policies
Implementing Conditional Access is not a "set it and forget it" task. It requires careful planning to ensure you do not accidentally lock yourself or your users out of the system.
Step-by-Step Implementation Guide
- Identify the Scope: Before creating a policy, clearly define the users, applications, and conditions. Do not start by applying a global policy to all users. Start with a small pilot group to test the logic.
- Define the Assignments: In the Azure/Entra portal, select the users or groups you want to target. Always exclude at least one break-glass (emergency access) account to ensure you can regain access if a policy misconfiguration causes a lockout.
- Configure Conditions: Select the specific conditions that trigger the policy. For example, if you want to enforce MFA for all external access, you would select "Any location" for the include list and "All trusted locations" for the exclude list.
- Define Access Controls: Choose the "Grant" or "Block" options. If you choose "Grant," you must specify the requirements, such as requiring an MFA challenge or requiring a compliant device.
- Test in Report-Only Mode: This is the most important step. Microsoft allows you to run policies in "Report-only" mode. This lets you see the impact of the policy on your environment without actually blocking anyone. Use this to verify that your policy hits the right users and applications.
Practical Example: Enforcing MFA for External Access
Imagine you want to ensure that any user accessing company resources from outside the corporate office must use MFA.
- Assignment: All Users.
- Conditions: Locations -> Any location (Include), Selected locations (Trusted office IP ranges) (Exclude).
- Grant Control: Grant access, require Multi-Factor Authentication.
This policy effectively creates a perimeter that moves with the user. When they are at the office, the location condition excludes them from the MFA requirement. As soon as they move to a coffee shop or home, the location condition no longer matches the exclusion, and the policy triggers an MFA prompt.
Advanced Scenarios and Session Controls
Conditional Access goes beyond just granting access. With session controls, you can manage the user experience even after they have logged in.
App-Enforced Restrictions
If you have applications that support app-enforced restrictions (like SharePoint Online or Exchange Online), you can use Conditional Access to limit the session. This is particularly useful for unmanaged devices. You could allow a user to check their email on a personal phone, but prevent them from downloading attachments by using the "Use app-enforced restrictions" session control.
Continuous Access Evaluation (CAE)
Historically, Conditional Access policies were only evaluated at the start of a session. If a user was granted access and their risk level changed ten minutes later, the system wouldn't know until the token expired. Continuous Access Evaluation changes this by allowing services to react to critical events in real-time. If a user is disabled or their password is reset, the session is revoked immediately, regardless of the token's remaining lifespan.
Note: Always ensure your applications are compatible with Continuous Access Evaluation. Most modern Microsoft 365 services support it natively, but custom-built applications or older legacy apps might require specific configurations or might not support it at all.
Best Practices and Industry Standards
Managing Conditional Access at scale requires a disciplined approach. Follow these industry-standard best practices to keep your environment secure and manageable.
1. The "Break-Glass" Account
Always, and I mean always, have at least two cloud-only accounts with Global Administrator rights that are excluded from your Conditional Access policies. These accounts should be kept in a secure location (like a physical safe) and have long, complex passwords. If your Conditional Access policy is misconfigured and blocks everyone, these accounts are your only path back into the system.
2. Start with Templates
Microsoft provides several templates for common scenarios, such as "Require MFA for admins" or "Block legacy authentication." Use these as a starting point. They are built on proven security configurations and save you from reinventing the wheel.
3. Avoid Over-Complexity
It is tempting to create a unique policy for every single department or application. This is a trap. The more policies you have, the harder it is to troubleshoot when something goes wrong. Try to consolidate policies where possible, using groups to manage assignment rather than creating separate policies for every scenario.
4. Monitor and Audit
Use the "Sign-in logs" in the Entra portal to monitor the impact of your policies. When a user fails to gain access, the sign-in log will tell you exactly which policy was triggered and why. This is your primary tool for troubleshooting and refining your security posture.
5. Prioritize Legacy Authentication Blocking
Legacy authentication protocols (like POP, IMAP, or SMTP) do not support modern MFA. Attackers love these protocols because they allow them to bypass MFA challenges entirely. Creating a policy to block legacy authentication for all users should be one of your very first actions in any organization.
Common Pitfalls and How to Avoid Them
Even experienced administrators can get tripped up by the nuances of Conditional Access. Here are the most common mistakes and how to steer clear of them.
Pitfall 1: Excluding the Wrong Users
It is easy to accidentally exclude a wide group of users for "testing" and forget to remove that exclusion. This creates a massive security hole.
- Solution: Use naming conventions for your policies, such as "CA_POL_001_MFA_AllUsers." Add a description to the policy that explains exactly who is excluded and why. Periodically review your policy list to ensure exclusions are still valid.
Pitfall 2: Conflicting Policies
If you have two policies that both apply to a user, and one says "Grant Access" while the other says "Block," the "Block" policy will always win. This can lead to confusing scenarios where users are blocked for reasons that are not immediately obvious.
- Solution: Keep your policy logic simple. If you find yourself writing highly complex, overlapping policies, step back and rethink the architecture. Use the "What If" tool in the Entra portal to simulate how policies will apply to a specific user before you save them.
Pitfall 3: Ignoring Guest Users
Many organizations focus solely on their employees. However, guest users (B2B identities) often have access to your internal SharePoint sites or Teams. If they have weak passwords and no MFA, they are an easy entry point for attackers.
- Solution: Apply your core MFA policies to "All users," which includes guests. You can then use specific conditions to tailor the experience for guests if necessary.
Pitfall 4: Misunderstanding "Report-Only"
Sometimes administrators run a policy in "Report-only" mode but fail to check the logs. They assume that because they haven't received helpdesk tickets, everything is fine.
- Solution: Treat "Report-only" as a testing phase. Look at the data in the Entra monitoring tools to see who would have been blocked. Only switch to "On" once you have confirmed the policy behavior matches your expectations.
Quick Reference: Conditional Access Components
| Component | Description |
|---|---|
| Assignments | Defines who is affected (Users/Groups) and what is affected (Cloud Apps/Actions). |
| Conditions | Defines when the policy triggers (Location, Device State, Risk, Platform). |
| Grant Controls | Defines the outcome if conditions match (Block vs. Require MFA/Compliance). |
| Session Controls | Defines the behavior after access (App-enforced restrictions, sign-in frequency). |
| Report-Only | Allows testing policies without enforcing them; logs the outcome for analysis. |
Deep Dive: The Logic of "Grant" vs. "Require All"
When configuring the "Grant" control, you are often presented with a choice: "Require all selected controls" or "Require one of the selected controls." This is a critical distinction that changes the security behavior of the entire policy.
If you select "Require all selected controls," the user must pass every single check. For example, if you require MFA and a compliant device, the user cannot get in if they have MFA but are using a non-compliant device. This is the "high-security" setting.
If you select "Require one of the selected controls," the user can choose the path of least resistance. For example, if you list "MFA" and "Compliant Device" as options, a user could gain access by simply completing MFA, even if their device is not managed. This is rarely the desired outcome for security-focused policies.
Warning: Be extremely careful when using the "Require one of the selected controls" option. It is almost always better to force the most secure path (Require all) unless you have a specific business requirement that necessitates flexibility.
Code-Based Automation: Managing Policies with Graph API
While the Entra portal is excellent for manual configuration, enterprise environments often require the ability to deploy and manage policies as code. You can use the Microsoft Graph API to manage Conditional Access policies, which allows for version control and repeatable deployments.
Below is a conceptual example of how you might use PowerShell with the Microsoft Graph SDK to list your current policies.
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.Read.All"
# List all Conditional Access Policies
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, CreatedDateTime
# Example: Get details for a specific policy
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "your-policy-id-here"
Why Infrastructure as Code (IaC) Matters
Managing policies through code ensures that you have a historical record of who changed a policy, when they changed it, and what the previous state was. If you accidentally break a policy in the portal, it can be difficult to revert to the previous settings. With code, you can keep your policies in a repository (like GitHub or Azure DevOps) and use CI/CD pipelines to deploy them.
Best Practices for Policy Automation
- Version Control: Store all your policy definitions in a source control system.
- Peer Review: Require a pull request and approval from another admin before any policy change is merged and deployed.
- Audit Trails: Use the logs generated by your CI/CD pipeline to track deployment history.
- Dry Runs: Even when using automation, ensure your script includes logic to validate the policy configuration before attempting a full deployment.
The Role of Device Compliance
Conditional Access is most effective when paired with a device management solution like Microsoft Intune. When a device is managed by Intune, it reports its status back to Entra ID. This allows you to create policies such as "Only allow access to corporate data if the device has BitLocker enabled and the OS is up to date."
This is the bridge between identity security and endpoint security. Without device compliance data, you are essentially "blind" to the health of the machine being used to access your data. By requiring compliant devices, you ensure that even if a user’s credentials are stolen, the attacker cannot access your systems unless they also have physical access to a company-managed, compliant device.
Integrating Intune and Entra
- Enroll Devices: Ensure all company devices are enrolled in Intune.
- Define Compliance Policies: Create compliance policies in Intune (e.g., "Require password," "Require encryption").
- Conditional Access Integration: In your Conditional Access policy, select "Require device to be marked as compliant" under the "Grant" settings.
- Verification: When a user logs in, Entra checks with Intune. If Intune says the device is compliant, the user is granted access. If not, the user is denied or prompted to remediate the device (e.g., install a security update).
Managing Legacy Authentication: A Closer Look
Legacy authentication is a broad term that covers older protocols that do not support modern authentication methods like MFA or certificate-based authentication. These protocols are the primary vector for "password spraying" attacks, where an attacker tries a common password against thousands of accounts across many different services.
Because legacy protocols do not pass the "modern" signals to the identity provider, Conditional Access policies that require MFA are effectively bypassed. The only way to stop this is to block the protocols entirely.
How to Identify Legacy Auth Usage
Before you flip the switch to block legacy auth, you must identify if any of your users still rely on it.
- Go to the Entra Sign-in logs.
- Filter the view to show "Client App" types.
- Look for entries labeled as "Other clients" or specific legacy protocols like "Exchange ActiveSync" or "IMAP."
- Export this data to analyze which users or applications are still using these methods.
Once you have identified the culprits, reach out to them and guide them toward modern clients (e.g., moving from the built-in mail app on an older phone to the Outlook mobile app). Once the usage has dropped to zero, apply the "Block Legacy Authentication" policy.
Common Questions (FAQ)
Q: Can I use Conditional Access for B2B guest users?
A: Yes. Conditional Access policies apply to any identity authenticated by your tenant, including guest users. You can create specific policies for guests, such as requiring MFA for all guest access, which is highly recommended for security.
Q: What happens if the Entra service goes down?
A: Conditional Access policies are enforced by the service. If the service is unreachable, the default behavior is typically to fail-closed (deny access) for security reasons. This is why having a robust identity strategy and understanding your dependencies is vital.
Q: How many policies should I have?
A: There is no "magic number." However, most organizations find that they can achieve a high level of security with 5 to 10 well-structured policies. If you have 50+ policies, you are likely over-complicating your environment and making it difficult to maintain.
Q: Does Conditional Access work for non-Microsoft apps?
A: Yes, if the application is integrated with Entra ID for Single Sign-On (SSO) or if it is behind an Application Proxy. If the app uses SAML or OIDC, it can be governed by Conditional Access.
Key Takeaways for Success
Mastering Conditional Access is a journey that shifts your security focus from the network to the individual user. As you implement these policies in your organization, remember these fundamental principles:
- Identity is the New Perimeter: Treat every login as a unique event that requires validation. Never assume that a user is "safe" just because they are on your office Wi-Fi.
- Prioritize the Break-Glass Account: Never implement a policy without a verified, excluded emergency access account. This is the single most important step to prevent self-inflicted lockouts.
- Test, Then Enforce: Always utilize "Report-only" mode and the "What If" tool to simulate the effects of your policies before moving them to production.
- Use Modern Authentication: Block legacy protocols as soon as possible. They are a significant security liability and provide no benefit in a modern, cloud-first environment.
- Simplify and Consolidate: Avoid the urge to create a policy for every edge case. Use groups and clear naming conventions to keep your policy set lean, manageable, and easy to audit.
- Monitor Continuously: Conditional Access is not a set-and-forget task. Regularly review your sign-in logs to see how your policies are performing and to identify any new, unexpected patterns of access.
- Integrate with Endpoint Health: Use device compliance signals to ensure that only healthy, managed devices can access sensitive data. This adds a critical layer of protection against compromised hardware.
By following these practices, you will move from a reactive security stance to a proactive one, ensuring that your organization remains secure while providing the flexibility that modern users demand. The transition to a Conditional Access-based model is one of the most effective ways to harden your identity infrastructure against the evolving landscape of cyber threats. Stay curious, test often, and keep your security configurations simple and transparent.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons