Microsoft Entra ID Conditional Access: Protect Your Organization
Set up Conditional Access policies in Microsoft Entra ID to control who can access your resources and under what conditions. Real-world examples included.
The Problem with Traditional Security
Here's a scenario I see all the time: a company has strong passwords, maybe even MFA, but once someone's in, they have access to everything from anywhere. That's not security - that's a false sense of security.
Conditional Access changes the game. Instead of just asking "who are you?", it asks "who are you, where are you, what device are you using, and should I trust you right now?"
How Conditional Access Works
Think of it as a smart gatekeeper. Every time someone tries to access a resource, Conditional Access evaluates:
- Who - User or group identity
- What - Which application they're accessing
- Where - Their location (IP, country)
- How - Device type and compliance status
- Risk - Sign-in and user risk levels
Based on these signals, it decides: allow, block, or require additional verification.
Setting Up Your First Policies
Policy 1: Require MFA for All Users
This should be your baseline. No exceptions for executives (especially not for executives).
Steps in Entra ID Portal:
- Go to Protection > Conditional Access
- Click New policy
- Configure:
  - Name: Require MFA for All Users
  - Users: All users (exclude emergency access accounts)
  - Cloud apps: All cloud apps
  - Conditions: None (applies everywhere)
  - Grant: Require multifactor authentication
Important: Always have at least two emergency access accounts excluded from all policies. These are your "break glass" accounts if something goes wrong.
Policy 2: Block Legacy Authentication
Legacy authentication clients and protocols like POP, IMAP, and older Office versions don't support MFA. Block them. This single policy prevents a huge category of attacks.
Policy 3: Require Compliant Devices for Sensitive Apps
For your most sensitive applications, require devices that meet your security standards. This means users need both MFA AND a compliant device.
Location-Based Policies
Block Access from High-Risk Countries
If your business only operates in certain regions, block the rest. Create a named location for your allowed countries in Protection > Named locations.
Require Extra Verification Outside Office
Trust your office network more than random WiFi. Require additional verification when users connect from outside your corporate network.
Risk-Based Policies
Microsoft's Identity Protection analyzes sign-in patterns and flags risky behavior. Create policies to block high-risk sign-ins and require password changes for medium-risk users.
Testing Your Policies
Never enable a policy without testing:
- Report-Only Mode: Enable policies in report-only first
- What If Tool: Simulate sign-ins and see which policies apply
- Pilot Groups: Start with a small group of IT users before rolling out
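To make the evaluation described under "How Conditional Access Works" and the What If tool's job concrete, here is an added example (not the article's code, and not Microsoft's engine) that takes policy bodies in the Microsoft Graph conditionalAccessPolicy schema and evaluates one simulated sign-in against them. It is a deliberate simplification: it covers user, app, client app type, location, sign-in risk and the grant controls a sign-in has already met, and it distinguishes enforced policies from report-only ones. Every user, app and location ID in it is a constructed placeholder.

```python
"""What-If style evaluation of Conditional Access policies for one sign-in.

Added example; neither the article's nor Microsoft's code, and a deliberate
simplification of the real engine. Policy bodies use the field names of the
Graph conditionalAccessPolicy schema. All IDs are constructed placeholders.
"""

SAMPLE_POLICIES = [  # constructed; mirrors the policies the article recommends
    {"displayName": "Block Legacy Authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},  # legacy clients
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block High-Risk Sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"], "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA Outside Office", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require Compliant Devices for Sensitive Apps",
     "state": "enabledForReportingButNotEnforced",  # still in report-only mode
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"]},
                    "applications": {"includeApplications": ["app-hr"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
]


def signin(**overrides):
    """Constructed sign-in context; defaults are an ordinary user working from home."""
    ctx = {"user": "u-alice", "app": "app-mail", "client_app": "browser",
           "sign_in_risk": "none", "location": "loc-home", "trusted_location": False,
           "satisfied": []}  # grant controls this sign-in has already met
    ctx.update(overrides)
    return ctx


def _location_matches(loc, ctx):
    """Location condition: 'All' and 'AllTrusted' are the Graph wildcard values."""
    if not loc:
        return True
    inc, exc = loc.get("includeLocations", []), loc.get("excludeLocations", [])
    if "All" not in inc and ctx["location"] not in inc:
        return False
    if "AllTrusted" in exc and ctx["trusted_location"]:
        return False
    return ctx["location"] not in exc


def policy_applies(policy, ctx):
    """True when every configured condition matches the sign-in."""
    c = policy["conditions"]
    inc_users = c.get("users", {}).get("includeUsers", [])
    exc_users = c.get("users", {}).get("excludeUsers", [])
    inc_apps = c.get("applications", {}).get("includeApplications", [])
    if ctx["user"] in exc_users:
        return False  # exclusions win, which is what keeps break-glass accounts safe
    if "All" not in inc_users and ctx["user"] not in inc_users:
        return False
    if "All" not in inc_apps and ctx["app"] not in inc_apps:
        return False
    client = c.get("clientAppTypes", ["all"])
    if "all" not in client and ctx["client_app"] not in client:
        return False
    risk = c.get("signInRiskLevels", [])
    if risk and ctx["sign_in_risk"] not in risk:
        return False
    return _location_matches(c.get("locations"), ctx)


def evaluate(policies, ctx):
    """Decision for one sign-in: block, require (unmet controls) or allow."""
    applied = [p for p in policies if p["state"] != "disabled" and policy_applies(p, ctx)]
    # Report-only policies are evaluated and reported but never change the outcome.
    report_only = [p["displayName"] for p in applied if p["state"] != "enabled"]
    satisfied, unmet = set(ctx["satisfied"]), []
    for p in (p for p in applied if p["state"] == "enabled"):
        op = p["grantControls"]["operator"]
        ctrl = p["grantControls"]["builtInControls"]
        if "block" in ctrl:  # any enforced block wins outright
            return {"decision": "block", "by": p["displayName"], "report_only": report_only}
        met = all(x in satisfied for x in ctrl) if op == "AND" else any(x in satisfied for x in ctrl)
        if not met:
            unmet.append((p["displayName"], ctrl))
    if unmet:
        return {"decision": "require", "unmet": unmet, "report_only": report_only}
    return {"decision": "allow", "report_only": report_only}


if __name__ == "__main__":
    for case in (signin(), signin(client_app="other"), signin(user="u-breakglass", client_app="other"),
                 signin(app="app-hr", satisfied=["mfa"]), signin(sign_in_risk="high", satisfied=["mfa"])):
        print(case["user"], case["client_app"], case["app"], "->", evaluate(SAMPLE_POLICIES, case))
```

The `report_only` list in each result is the value of testing in report-only mode: the compliant-device policy shows up for the HR app sign-in without blocking anyone, so you can see who it would have affected before you flip it to enabled. The break-glass case shows why the exclusion has to be on every policy, including the blocks.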
Common Mistakes to Avoid
- Locking yourself out: Always exclude emergency access accounts
- Too broad too fast: Start with report-only mode
- Forgetting service accounts: Some policies shouldn't apply to service principals
- Not documenting: Keep a record of why each policy exists
Monitoring and Maintenance
Set up alerts for:
- Failed sign-ins due to Conditional Access
- Changes to Conditional Access policies
- Emergency access account usage
Review your policies quarterly. Business needs change, and your policies should evolve too.
Quick Reference: Recommended Baseline
| Policy | Users | Apps | Grant |
|---|---|---|---|
| Require MFA | All | All | MFA |
| Block Legacy Auth | All | All | Block |
| Compliant Devices | All | Sensitive Apps | MFA + Compliant |
| Block Risky Sign-ins | All | All | Block |
| Block Risky Countries | All | All | Block |
Start with these five policies, test thoroughly, and expand from there.
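If you prefer to manage these policies as code rather than click through the portal, the five baseline policies above (and the step-by-step settings from "Setting Up Your First Policies") translate directly into request bodies for the Microsoft Graph endpoint `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`. The following is an added example, not code from the article or from Microsoft: it builds each body in that schema and checks it against the "Common Mistakes" list before it would be sent. The emergency account, app and named-location GUIDs are constructed placeholders that you would replace with your tenant's object IDs.

```python
"""Baseline Conditional Access policies as Microsoft Graph request bodies.

Added example (not the article's code and not Microsoft's). Builds the five
Quick Reference policies in the conditionalAccessPolicy schema and checks
each one against the article's "Common Mistakes". All GUIDs are placeholders.
"""
import json

# Placeholders: replace with object IDs from your own tenant.
EMERGENCY_ACCOUNTS = ["00000000-0000-0000-0000-000000000001",  # break-glass account 1
                      "00000000-0000-0000-0000-000000000002"]  # break-glass account 2
SENSITIVE_APPS = ["11111111-1111-1111-1111-111111111111"]      # sensitive app IDs
ALLOWED_COUNTRIES = "22222222-2222-2222-2222-222222222222"     # named-location ID

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's value for report-only mode


def make_policy(name, conditions, controls, operator="OR"):
    """Wrap conditions and grant controls in a conditionalAccessPolicy body.

    Defaults match the article's Policy 1: all users, all apps, all client app
    types, emergency accounts excluded, and report-only until it has been tested.
    """
    users = conditions.setdefault("users", {})
    users.setdefault("includeUsers", ["All"])
    users["excludeUsers"] = list(EMERGENCY_ACCOUNTS)
    conditions.setdefault("applications", {"includeApplications": ["All"]})
    conditions.setdefault("clientAppTypes", ["all"])
    return {"displayName": name, "state": REPORT_ONLY, "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}


def baseline_policies():
    """The five policies from the Quick Reference table."""
    return [
        make_policy("Require MFA for All Users", {}, ["mfa"]),
        # "exchangeActiveSync" and "other" are the client app types that carry legacy auth.
        make_policy("Block Legacy Authentication",
                    {"clientAppTypes": ["exchangeActiveSync", "other"]}, ["block"]),
        make_policy("Require Compliant Devices for Sensitive Apps",
                    {"applications": {"includeApplications": SENSITIVE_APPS}},
                    ["mfa", "compliantDevice"], operator="AND"),
        make_policy("Block High-Risk Sign-ins", {"signInRiskLevels": ["high"]}, ["block"]),
        # Every location except the named location that holds the allowed countries.
        make_policy("Block Access Outside Allowed Countries",
                    {"locations": {"includeLocations": ["All"],
                                   "excludeLocations": [ALLOWED_COUNTRIES]}}, ["block"]),
    ]


def check_policy(policy):
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    c = policy["conditions"]
    controls = policy["grantControls"]["builtInControls"]
    if set(EMERGENCY_ACCOUNTS) - set(c["users"].get("excludeUsers", [])):
        problems.append("emergency access accounts not excluded")  # locking yourself out
    if policy["state"] != REPORT_ONLY:
        problems.append("new policy is not in report-only mode")  # too broad too fast
    if "block" in controls and len(controls) > 1:
        problems.append("block cannot be combined with other grant controls")
    # A block scoped to all users, all apps and no other condition is an outage.
    narrowed = (c["users"].get("includeUsers") != ["All"]
                or c["applications"].get("includeApplications") != ["All"]
                or c.get("clientAppTypes") != ["all"]
                or c.get("signInRiskLevels") or c.get("locations"))
    if "block" in controls and not narrowed:
        problems.append("unconditional block for all users and all apps")
    return problems


def request_bodies():
    """JSON bodies for the policies that pass every check, ready to POST."""
    return [json.dumps(p, indent=2) for p in baseline_policies() if not check_policy(p)]


if __name__ == "__main__":
    for p in baseline_policies():
        print(p["displayName"], "->", check_policy(p) or "ok")
```

Keep the bodies in version control next to the reason each policy exists; that covers the "Not documenting" mistake, and a diff of the repository doubles as the change record you want alerts on.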