Introduction
In today’s dynamic digital landscape, crafting a robust Conditional Access (CA) deployment is pivotal for securing your organization’s apps and resources. Microsoft Entra ID's Conditional Access policies offer extensive configuration options, allowing organizations to tailor access controls precisely. However, this flexibility requires meticulous planning to prevent unintended consequences.
Understanding Conditional Access
The modern security perimeter now includes user and device identities, requiring identity-driven signals for access control. Microsoft Entra Conditional Access centralizes these signals to enforce organizational policies, forming the backbone of Microsoft’s Zero Trust policy engine. Conditional Access policies operate on simple if-then logic: if a user wants to access a resource, they must perform a specified action, such as multifactor authentication.
Administrators have two main goals: empower user productivity and protect organizational assets. Conditional Access helps achieve this by applying the right controls at the right time, balancing security with productivity.
Key Point: Conditional Access is crucial to Microsoft’s Zero Trust framework. While Entra Tenant security defaults provide basic protection, Conditional Access offers granular control, allowing for tailored security beyond default settings.
Conditional Access policies are applied after the first factor of authentication is completed. While Conditional Access is not designed to be the primary defense against scenarios like denial-of-service (DoS) attacks, it can utilize signals from such events to inform access decisions.
Prerequisites for Effective Deployment
To set up Conditional Access, ensure you meet the following prerequisites:
1. Microsoft Entra Tenant: A working tenant with Microsoft Entra ID P1, P2, or a trial license. Microsoft Entra ID P2 is essential for integrating Microsoft Entra ID Protection risk into Conditional Access policies.
2. Administrative Roles:
- Global Admin or Conditional Access Administrator: For creating or modifying policies.
- Security Reader: For reading policies and configurations.(Optionally for Policy review without Grading High privileged roles)
3. Required User\Groups: Needs to be identified to Target the policy Assignments/Exclusions
Core Components of Conditional Access Policies
Conditional Access policies operate on the principle of if-then scenarios:
- If Assignment Met: Apply the access controls.
- Example: If a HR user accesses the HR app, require multi-factor authentication (MFA) and a compliant device.
- Example: If a user is not a HR member accessing HR App, block access.
Policies can be designed to grant access, enforce session controls, or block access based on these conditions.
Exclusions to Consider
While you create powerful Conditional Access policies, it should exclude:
- Emergency Access Accounts: Essential for recovering access in case of a tenant-wide lockout.
- Service Accounts and Principals: Typically non-interactive and unable to complete MFA.
Note: Consider replacing these accounts with managed identities or temporarily excluding them from your Tenant baseline CA policies.
Best Practices for Conditional Access in Entra ID
1. Apply Policies to All Apps: Create comprehensive policies for all cloud apps and exclude exceptions. This ensures consistent application and reduces administrative overhead.
2. Minimize Policy Count: Avoid creating excessive individual policies. Group apps with similar requirements into single policies to stay within the 195-policy limit and simplify management.
3. Use Report-Only Mode: Test policies using report-only mode to assess impact before full deployment. Leverage the sign-in logs and Conditional Access insights for evaluation.
4.Set naming standards for your policies: A consistent naming standard makes it easier to identify policies and understand their function without needing to open them in the Entra admin portal. Microsoft suggest naming your policies to include: A sequence number, The cloud apps, The policy applies to, The intended response, The target users or groups, The conditions under which it applies.
Example Policy:
CA01 - Dynamics ERP: Require MFA For Marketing When On External Networks
Syntax:
<CA01> - <Dynamics ERP>: <Require MFA> For <Marketing> When <On External Networks>
In this syntax:
<CA01> represents the unique identifier or name of the policy.
<Dynamics ERP> specifies the cloud application or service the policy applies to.
<Require MFA> indicates the action to be taken, in this case, requiring multi-factor authentication.
<Marketing> identifies the group or role that the policy targets.
<On External Networks> describes the condition under which the policy is enforced.
This format provides a clear and consistent way to document and implement Conditional Access policies.
5. Plan for Disruptions: Develop resilience strategies and naming standards for emergency policies. For instance, policies with names like EM01 - ENABLE IN EMERGENCY: MFA Disruption [1/4] -Exchange SharePoint Entra hybrid join For VIP users .It helps in identifying and prioritizing emergency actions.
6. Block Unnecessary Regions: Use named locations to block sign-ins from regions where you do not expect legitimate access.
Top 25 Conditional Access policies
CA001-Require MFA for administrators
- Global Administrator
- Application Administrator
- Authentication Administrator
- Billing Administrator
- Cloud Application Administrator
- Conditional Access Administrator
- Exchange Administrator
- Helpdesk Administrator
- Password Administrator
- Privileged Authentication Administrator
- Privileged Role Administrator
- Security Administrator
- SharePoint Administrator
- User Administrator
User Exclusions:
- Emergency access or break-glass accounts to prevent a tenant-wide lockout.
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
Note: 1. Calls made by service principals are not blocked by Conditional Access policies scoped to users. To secure service principals, use Conditional Access for workload identities, which requires an Entra Workload Identities License, to define policies targeting these identities.
CA002-Require phishing-resistant multifactor authentication for administrators
- Service accounts and service principals
CA003-Allow security info registration from All Trusted Locations
- Require all the selected controls
- Require one of the selected controls
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA004-Block Guest/External Users security info registration outside trusted Networks
CA005-Block legacy authentication
CA006-Require multifactor authentication for guest access
CA007-Require MFA for all users
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
- Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f.
CA008-Require MFA for Azure management
Organizations often use various Azure services and manage them through Azure Resource Manager-based tools such as:
- Azure portal
- Azure PowerShell
- Azure CLI
These tools grant highly privileged access to resources, allowing users to make significant changes, including:
- Modifying subscription-wide configurations
- Adjusting service settings
- Managing subscription billing
To protect these sensitive resources, Microsoft strongly recommends requiring multifactor authentication (MFA) for any user accessing them. In Microsoft Entra ID, these tools are grouped under the Windows Azure Service Management API suite. For Azure Government, the equivalent suite is the Azure Government Cloud Management API app. When you target the Windows Azure Service Management API application, the policy is enforced for tokens issued to a set of services closely integrated with the portal, which includes the application IDs for:
- Azure Resource Manager
- Azure portal, including the Microsoft Entra admin center
- Azure Data Lake
- Application Insights API
- Log Analytics API
Because this policy is applied to the Azure management portal and API, it can indirectly affect services or clients that depend on the Azure API. For example:
- Azure CLI
- Azure Data Factory portal
- Azure DevOps
- Azure Event Hubs
- Azure PowerShell
- Azure Service Bus
- Azure SQL Database
- Azure Synapse
- Classic deployment model APIs
- Microsoft 365 admin center
- Microsoft IoT Central
- SQL Managed Instance
- Visual Studio subscriptions administrator portal
Note: The Windows Azure Service Management API application applies to Azure PowerShell, which interacts with the Azure Resource Manager API. However, it does not apply to Microsoft Graph PowerShell, which interacts with the Microsoft Graph API.
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA009-Sign-in risk-based multifactor authentication
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA010-User risk-based password change
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA011-Block access for users with insider risk
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA012-Requires Compliant Device
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
- Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f.
CA013-Require compliant or Microsoft Entra hybrid joined device for administrators
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
- Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f.
CA014-Block access for unknown or unsupported device platform
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA015-Require approved client apps or app protection policy
With Conditional Access, organizations can restrict access to approved client apps that support modern authentication, using Intune app protection policies. For older client apps that don't support app protection policies, administrators can limit access to only those approved apps. App protection policies are supported on iOS and Android for applications that meet specific requirements. On Windows, these policies are currently in preview and only supported for the Microsoft Edge browser.
It's important to note that not all applications supported as approved apps or those supporting app protection policies will enforce the "Require one of the selected controls" option under grant controls. This option functions as an OR clause within the policy, allowing users to access apps that support either the "Require app protection policy" or "Require approved client app" grant controls. The "Require app protection policy" is enforced when the app supports this specific grant control.
Application Exclusion
The Microsoft Intune/Intune Enrollment Application should be excluded from this policy.
CA016-Require an app protection policy on Windows devices
Windows MAM leverages Intune Application Configuration Policies (ACP), Intune Application Protection Policies (APP), Windows Security Center client threat defense, and Application Protection Conditional Access to secure data on unmanaged devices. If a device is already managed, Intune MAM enrollment will be blocked, and APP settings will not be applied. Similarly, if a device becomes managed after MAM enrollment, APP settings will cease to apply.
There are two main categories of app protection policy settings for Windows:
- Data protection
- Health checks
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA017 Require reauthentication and disable browser persistence on Unmanaged Device
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA018-Require a compliant device, Microsoft Entra hybrid joined device for all users
- Requiring a PIN for device unlock
- Requiring device encryption
- Enforcing a minimum or maximum operating system version
- Ensuring the device is not jailbroken or rooted
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
- Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f.
CA019-Use application(EXO,SPO,OFB) enforced restrictions for unmanaged devices
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA020-Require multifactor authentication for device registration
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA021-Block access based on network location
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA022-Require an authentication strength for external users
- If MFA trust is enabled, Microsoft Entra ID verifies if the user’s home tenant session has a claim that MFA was completed.
- If MFA trust is disabled, the resource tenant requires the user to complete MFA in the resource tenant using an approved method.
CA023-Require terms of use to be accepted before accessing Microsoft Admin Portals
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA024-Block Device Code flows for All users
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA025-Block Authentication transfer flows for All users
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. These are non-interactive accounts that are not associated with any specific user.
CA Policy Deployment and Testing
Phased Deployment: Implement policies gradually to monitor their impact and ensure they work as intended. Utilize the CA policy Report-Only Mode to assess potential effects, using Entra Sign-in logs, which can be forwarded to Log Analytics. The Conditional Access insights and reporting workbook helps you understand the long-term impact of these policies in your organization.
Testing: Conduct comprehensive testing with test users, covering various scenarios such as risky sign-ins and device management. Compare the actual results with your expected outcomes.
Roll Back: If necessary, disable or exclude users from policies. Use exclusions carefully, and aim to re-enable policies as quickly as possible.
To create a Conditional Access policy, sign in to the Microsoft Entra Admin Center, navigate to Protection > Conditional Access, and then select Policies
At the top of the menu, you will find options for New Policy, New Policy Template, and Upload Policy File. You can use any of these methods to create a Conditional Access policy.
If you select New Policy, you will need to configure each setting according to your specific requirements, as highlighted in the screenshot below.
Lets Check each CA Policy options
1. Policy Name: Follow the policy naming standards we discussed at the beginning of the blog.
Example:
2.Users or Workload IdentitiesIdentities in the directory that the policy applies to ,including users ,groups and service principals
Note: Entra Workload identity license is required for configuring CA policy for Workload identities
In the example below, Directory Roles have been selected, but you can also choose to apply the policy to users, groups, and even guest and external users. Similarly, you can make selections in the Exclude tab as well.
The option shown below will become visible if you choose Workload Identities, allowing you to add your Service Principals.
This section is where you can target your Cloud Apps, User Actions, Global Secure Access, and Authentication Context according to your policy requirements.
You can choose All Cloud Apps or select required cloud AppsUnder User Actions, you have options such as Register security information and Register or Join Devices.
Under Global Secure Access, there are three traffic profiles available:
- Microsoft 365 Traffic
- Internet Traffic
- Private Traffic
Under Authentication Context, any authentication context created for specific needs will appear here. In our case, we don't have any created at this time.4. Network: The Network section is where you typically select your trusted network locations, GPS coordinates, IP ranges, and other relevant Network settings.
Previously, the Network section was part of the policy conditions, but with the recent launch of Global Secure Access, Microsoft has moved this option to be directly visible in the main policy menu.
The configuration of Network IP Ranges was discussed earlier in this blog. For guidance on creating Trusted Network ranges, you can refer to those steps.
5. Conditions: The Conditions section is a crucial part of configuring Conditional Access policies, offering various condition types to tailor policies to specific needs. These conditions include:
I. User Risk: Based on User Risk signal level, policy will be applied.
II. Sign-in Risk: Based on User Sign-in Risk signal level, policy will be applied
III. Insider Risk: Insider risk assesses the user's risky data-related activity in Microsoft Purview Insider Risk Management.
IV. Device Platforms: To Target policy to different device platforms
V. Client Apps: Control user access to target specific client applications
VI. Filter for Devices: Configure a filter to apply policy to specific devices
VII. Authentication Flows (Preview): Control how your organization uses certain authentication and authorization protocols and grants6. Grant: This is the policy option where you determine the final outcome—whether to block access or select additional requirements that must be met to allow access.
Here are the Conditional Access Policy Grant options:
- Require multifactor authentication :
User must complete additional security requirements like phone call, text- Require authentication strength
Users must use specific authentication methods, based on the authentication strength policies applied
- Require device to be marked as compliant
Device must be Intune compliant. If the device is non-compliant, the user will be prompted to bring the device under compliance
- Require Microsoft Entra hybrid joined device
Devices must be Microsoft Entra hybrid joined
- Require approved client app
Device must use approved client applications from Microsoft
[The approved client app grant is retiring in early March 2026. Organizations must transition all current Conditional Access policies that use only the Require Approved Client App grant control to Require Approved Client App or Application Protection Policy by March 2026. Additionally, for any new Conditional Access policy, only apply the Require application protection policy grant.
After March 2026, Microsoft will stop enforcing require approved client app control, and it will be as if this grant isn't selected. Use the following steps before March 2026 to protect your organization’s data.]
- Require app protection policy
Device must use policy protected apps from Intune applicable to iOS,Android, Windows Edge in preview(BYOD)
- Require password change
Require password change to lower user risk. This option also requires multifactor authentication or authentication strength controls. Other controls can't be used
- M365 Demo (Terms of use, Admin created)
Organization Custom Terms of Use for user to Accept
Admin can choose Require all the selected Controls or Require on of the selected controls while defining the policy
These options define the conditions that must be met to grant access under the policy.
7.Session: Control access based on session controls to enable limited experiences within specific cloud applications
- Use app enforced restrictions
Require password change to lower user risk. This option also requires multifactor authentication or authentication strength controls. Other controls can't be used
This control works only with supported apps. Currently, Office 365, Exchange Online, and SharePoint Online are the only cloud apps that support app enforced restrictions.
- Use Conditional Access App Control
To control Cloud Apps using Defender for Cloud Apps
- Sign-in frequency
Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer.
- Persistent browser session
A persistent browser session allows users to remain signed in after closing and reopening their browser window.
- This setting works correctly when "All cloud apps" are selected.
- This does not affect token lifetimes or the sign-in frequency setting.
- This will override the "Show option to stay signed in" policy in Company Branding.
- "Never persistent" will override any persistent SSO claims passed in from federated authentication services.
- "Never persistent" will prevent SSO on mobile devices across applications and between applications and the user's mobile browser.
- Customize continuous access evaluation
Continuous Access Evaluation (CAE) allows access tokens to be revoked based on critical events and policy evaluation in real time rather than relying on token expiration based on lifetime.
- "Disable" works correctly when "All cloud apps" is selected, and no condition has been chosen.
- This setting does not work with report-only mode, but there are pre-published workbooks with data insights.
- Disable resilience defaults
During an outage, Microsoft Entra ID will extend access to existing sessions while enforcing Conditional Access policies. If a policy cannot be evaluated, access is determined by resilience settings. If resilience defaults are disabled, access is denied once existing sessions expire.
- Require token protection for sign-in sessions (Preview)
A secure sign-in session requires all long-lived tokens (the Microsoft Entra session cookie and refresh token) to be bound to the device using software key binding or hardware security module binding where available.
- Use Global Secure Access security profile
Use this option to apply a policy profile for Global Secure Access targeted resources
These session controls allow you to fine-tune how sessions are managed and secured in your organization.
8.Enable Policy: In the Enable Policy section, you can set the Entra ID Conditional Access Policy to Report-only mode. This allows you to validate the policy's impact by reviewing users' sign-in logs without actually enforcing the policy. If you want to activate the policy, select On. To disable the policy, you can choose Off.
Conditional Access policy templates
- Secure foundation
- Zero Trust
- Remote work
- Protect administrator
- Emerging threats
You can find these templates in the Microsoft Entra admin center by navigating to Protection > Conditional Access > Create new policy from templates. Select Show more to view all available templates in each category.
Select the Required Template and choose Review and CreateCreate the policy in Report-only mode first, allowing you to validate its impact without enforcement. After reviewing the results, you can then customize the policy according to your specific needs.
You can also create the CA policy by Uploading JSON-formatted Conditional Access policy file as mentioned in the below screenshots.
Select the JSON file, set the Policy State to Off, and then click Review and Create to finalize the policy.Top 25 Conditional Access Policy Samples
Policy Name
Users or workload identities
Users or workload identities Excluded
Target Resources
Conditions
Access Controls Grant
Session
Enable Policy
CA001 - Require MFA for administrators
Directory roles
Emergency\Break-Glass access accounts
All cloud apps
None
Grant access
Require multifactor authentication
None
Report-Only
CA002 - Require phishing-resistant MFA for administrators
Directory roles
Emergency\Break-Glass access accounts
All cloud apps
None
Grant access
Require authentication strength
Phishing-resistant MFA
None
Report-Only
CA003 - Securing security info registration
All users
All guest and external users
Emergency\Break-Glass access accounts
User actions: Register security information
Locations: Configure Yes
Include: Any location
Exclude: All trusted locations
Grant access
Require multifactor authentication
None
Report-Only
CA004 - Block Guest/External Users security info registration outside trusted Networks
All guest and external users
None
User actions: Register security information
Locations: Configure Yes
Include: Any location
Exclude: All trusted locations
Block access
None
Report-Only
CA005 - Block legacy authentication
All users
Users and groups that require legacy authentication
At least one account to prevent lockout
All cloud apps
Client apps: Configure Yes
Check: Exchange ActiveSync clients, Other clients
Block access
None
Report-Only
CA006 - Require MFA for guest and external users
All guest and external users
Emergency\Break-Glass access accounts
Applications that don't require MFA
All cloud apps
None
Grant access
Require multifactor authentication
None
Report-Only
CA007 - Require MFA for all users
All users
Emergency\Break-Glass access accounts
Applications that don't require MFA
All cloud apps
Locations: Configure Yes
Include: Any location
Exclude: All trusted locations (Optional)
Grant access
Require multifactor authentication
None
Report-Only
CA008 - Require MFA for Azure management
All users
Emergency\Break-Glass access accounts
Select apps: Windows Azure Service Management API
None
Grant access
Require multifactor authentication
None
Report-Only
CA009 - Sign-in risk-based multifactor authentication
All users
Emergency\Break-Glass access accounts
All cloud apps
Sign-in risk: Configure Yes
Levels: High and Medium
Grant access
Require multifactor authentication
Sign-in frequency: Every time
Report-Only
CA010 - User risk-based password change
All users
Emergency\Break-Glass access accounts
All cloud apps
User risk: Configure Yes
Level: High
Grant access
Require multifactor authentication
Require password change
Sign-in frequency: Every time
Report-Only
CA011 - Block access for users with insider risk
All users
Emergency\Break-Glass access accounts
B2B direct connect users
Service provider users
Other external users
All cloud apps
Insider risk: Configure Yes
Level: Elevated
Block access
None
Report-Only
CA012 - Require compliant device
All users
Emergency\Break-Glass access accounts
All cloud apps
None
Require device to be marked as compliant
None
Report-Only
CA013 - Require compliant or Microsoft Entra hybrid joined device for administrators
Directory roles
Emergency\Break-Glass access accounts
All cloud apps
None
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device
Require one of the selected controls
None
Report-Only
CA014 - Block access for unknown or unsupported device platform
All users
Emergency\Break-Glass access accounts
Android, iOS, Windows, and macOS
All cloud apps
Device platforms: Configure Yes
Include: Any device
Exclude: Android, iOS, Windows, macOS
Block access
None
Report-Only
CA015 - Require approved client apps or app protection policy
All users
Emergency\Break-Glass access accounts
At least one account to prevent lockout
All cloud apps
Device platforms: Configure Yes
Include: Android, iOS
Grant access
Require approved client app
Require app protection policy
Require one of the selected controls
None
Report-Only
CA016 - Require an app protection policy on Windows devices
All users
Emergency\Break-Glass access accounts
Office 365
Device platforms: Configure Yes
Include: Windows
Client apps: Configure Yes
Select: Browser only
Grant access
Require app protection policy
Require device to be marked as compliant
Require one of the selected controls
None
Report-Only
CA017 - Require reauthentication and disable browser persistence on Unmanaged Device
All users
Emergency\Break-Glass access accounts
All cloud apps
Filter for devices: Configure Yes
Rule syntax: device.trustType -ne "ServerAD" -or device.isCompliant -ne True
Sign-in frequency: Periodic reauthentication
Persistent browser session: Never persistent
Sign-in frequency: 1 hour
Report-Only
CA018 - Require a compliant device, Microsoft Entra hybrid joined device for all users
All users
Emergency\Break-Glass access accounts
Specific applications (if needed)
All cloud apps
None (unless specific apps are excluded)
Grant access
Require multifactor authentication
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device
Require one of the selected controls
None
Report-Only
CA019 - Use application (EXO, SPO, OFB) enforced restrictions for unmanaged devices
All users
Emergency\Break-Glass access accounts
Select apps: Office 365
None
Use app enforced restrictions
None
Report-Only
CA020 - Require multifactor authentication for device registration
All users
Emergency\Break-Glass access accounts
User actions: Register or join devices
None
Grant access
Require authentication strength
Require multifactor authentication
None
Report-Only
CA021 - Block access based on network location
All users
Emergency\Break-Glass access accounts
All cloud apps
Network: Configure Yes
Include: Selected networks and locations
Select: Blocked location
Block access
None
Report-Only
CA022 - Require an authentication strength for external users
Guest or external users
Emergency\Break-Glass access accounts
Select apps: Selected apps or all apps (as needed)
None
Grant access
Require authentication strength
Select: Built-in or custom authentication strength
None
Report-Only
CA023 - Require terms of use to be accepted before accessing Microsoft Admin Portals
All users
Emergency\Break-Glass access accounts
Select apps: Microsoft Admin Portals
None
Grant access
Require terms of use acceptance
None
Report-Only
CA024 - Block Device Code flows for All users
All users
Emergency\Break-Glass access accounts
All cloud apps or selected apps
Authentication Flows: Configure Yes
Device code flow
Block access
None
Report-Only
CA025 - Block Authentication transfer flows for All users
All users
Emergency\Break-Glass access accounts
All cloud apps or selected apps
Authentication Flows: Configure Yes
Authentication transfer
Block access
None
Enabled
Policy Name | Users or workload identities | Users or workload identities Excluded | Target Resources | Conditions | Access Controls Grant | Session | Enable Policy |
---|---|---|---|---|---|---|---|
CA001 - Require MFA for administrators | Directory roles | Emergency\Break-Glass access accounts | All cloud apps | None | Grant access Require multifactor authentication |
None | Report-Only |
CA002 - Require phishing-resistant MFA for administrators | Directory roles | Emergency\Break-Glass access accounts | All cloud apps | None | Grant access Require authentication strength Phishing-resistant MFA |
None | Report-Only |
CA003 - Securing security info registration | All users | All guest and external users Emergency\Break-Glass access accounts |
User actions: Register security information | Locations: Configure Yes Include: Any location Exclude: All trusted locations |
Grant access Require multifactor authentication |
None | Report-Only |
CA004 - Block Guest/External Users security info registration outside trusted Networks | All guest and external users | None | User actions: Register security information | Locations: Configure Yes Include: Any location Exclude: All trusted locations |
Block access | None | Report-Only |
CA005 - Block legacy authentication | All users | Users and groups that require legacy authentication At least one account to prevent lockout |
All cloud apps | Client apps: Configure Yes Check: Exchange ActiveSync clients, Other clients |
Block access | None | Report-Only |
CA006 - Require MFA for guest and external users | All guest and external users | Emergency\Break-Glass access accounts Applications that don't require MFA |
All cloud apps | None | Grant access Require multifactor authentication |
None | Report-Only |
CA007 - Require MFA for all users | All users | Emergency\Break-Glass access accounts Applications that don't require MFA |
All cloud apps | Locations: Configure Yes Include: Any location Exclude: All trusted locations (Optional) |
Grant access Require multifactor authentication |
None | Report-Only |
CA008 - Require MFA for Azure management | All users | Emergency\Break-Glass access accounts | Select apps: Windows Azure Service Management API | None | Grant access Require multifactor authentication |
None | Report-Only |
CA009 - Sign-in risk-based multifactor authentication | All users | Emergency\Break-Glass access accounts | All cloud apps | Sign-in risk: Configure Yes Levels: High and Medium |
Grant access Require multifactor authentication |
Sign-in frequency: Every time | Report-Only |
CA010 - User risk-based password change | All users | Emergency\Break-Glass access accounts | All cloud apps | User risk: Configure Yes Level: High |
Grant access Require multifactor authentication Require password change |
Sign-in frequency: Every time | Report-Only |
CA011 - Block access for users with insider risk | All users | Emergency\Break-Glass access accounts B2B direct connect users Service provider users Other external users |
All cloud apps | Insider risk: Configure Yes Level: Elevated |
Block access | None | Report-Only |
CA012 - Require compliant device | All users | Emergency\Break-Glass access accounts | All cloud apps | None | Require device to be marked as compliant | None | Report-Only |
CA013 - Require compliant or Microsoft Entra hybrid joined device for administrators | Directory roles | Emergency\Break-Glass access accounts | All cloud apps | None | Require device to be marked as compliant Require Microsoft Entra hybrid joined device Require one of the selected controls |
None | Report-Only |
CA014 - Block access for unknown or unsupported device platform | All users | Emergency\Break-Glass access accounts Android, iOS, Windows, and macOS |
All cloud apps | Device platforms: Configure Yes Include: Any device Exclude: Android, iOS, Windows, macOS |
Block access | None | Report-Only |
CA015 - Require approved client apps or app protection policy | All users | Emergency\Break-Glass access accounts At least one account to prevent lockout |
All cloud apps | Device platforms: Configure Yes Include: Android, iOS |
Grant access Require approved client app Require app protection policy Require one of the selected controls |
None | Report-Only |
CA016 - Require an app protection policy on Windows devices | All users | Emergency\Break-Glass access accounts | Office 365 | Device platforms: Configure Yes Include: Windows Client apps: Configure Yes Select: Browser only |
Grant access Require app protection policy Require device to be marked as compliant Require one of the selected controls |
None | Report-Only |
CA017 - Require reauthentication and disable browser persistence on Unmanaged Device | All users | Emergency\Break-Glass access accounts | All cloud apps | Filter for devices: Configure Yes Rule syntax: device.trustType -ne "ServerAD" -or device.isCompliant -ne True |
Sign-in frequency: Periodic reauthentication Persistent browser session: Never persistent |
Sign-in frequency: 1 hour | Report-Only |
CA018 - Require a compliant device, Microsoft Entra hybrid joined device for all users | All users | Emergency\Break-Glass access accounts Specific applications (if needed) |
All cloud apps | None (unless specific apps are excluded) | Grant access Require multifactor authentication Require device to be marked as compliant Require Microsoft Entra hybrid joined device Require one of the selected controls |
None | Report-Only |
CA019 - Use application (EXO, SPO, OFB) enforced restrictions for unmanaged devices | All users | Emergency\Break-Glass access accounts | Select apps: Office 365 | None | Use app enforced restrictions | None | Report-Only |
CA020 - Require multifactor authentication for device registration | All users | Emergency\Break-Glass access accounts | User actions: Register or join devices | None | Grant access Require authentication strength Require multifactor authentication |
None | Report-Only |
CA021 - Block access based on network location | All users | Emergency\Break-Glass access accounts | All cloud apps | Network: Configure Yes Include: Selected networks and locations Select: Blocked location |
Block access | None | Report-Only |
CA022 - Require an authentication strength for external users | Guest or external users | Emergency\Break-Glass access accounts | Select apps: Selected apps or all apps (as needed) | None | Grant access Require authentication strength Select: Built-in or custom authentication strength |
None | Report-Only |
CA023 - Require terms of use to be accepted before accessing Microsoft Admin Portals | All users | Emergency\Break-Glass access accounts | Select apps: Microsoft Admin Portals | None | Grant access Require terms of use acceptance |
None | Report-Only |
CA024 - Block Device Code flows for All users | All users | Emergency\Break-Glass access accounts | All cloud apps or selected apps | Authentication Flows: Configure Yes Device code flow |
Block access | None | Report-Only |
CA025 - Block Authentication transfer flows for All users | All users | Emergency\Break-Glass access accounts | All cloud apps or selected apps | Authentication Flows: Configure Yes Authentication transfer |
Block access | None | Enabled |
- Required User/Group/Service Account Exclusions should be added to the template according to the organization's needs.
- Required Network Locations should be included as necessary.
- Required Application Exclusions should be configured.
- Authentication Strengths can be created and customized based on the organization's requirements.
- A minimum of at least 2 Break Glass/Emergency accounts should be excluded from the Conditional Access policy.
- Terms of Use documents should be prepared as per the organization’s standards and updated in the Conditional Access policy.
- The What If tool available on the Conditional Access page can be used to validate the policy's impact before full enforcement.
Conclusion
Implementing Microsoft Entra ID Conditional Access policies requires careful planning and execution. By following best practices, testing policies thoroughly, and having a clear communication strategy, you can effectively balance security and productivity, protecting your organization’s resources while ensuring a smooth user experience.
0 Comments