
Conditional Access (CA) policies in Microsoft Entra ID serve as the backbone of a Zero Trust security model, enabling organizations to enforce granular access controls based on contextual signals. This article outlines five foundational policies recommended for initial deployment, drawing from Microsoft’s documentation [1] and community-tested practices [2]. These policies balance security with usability while addressing common attack vectors like credential theft and lateral movement.
TL;DR: Key Policy Recommendations
- Require MFA for all administrative roles (prioritizing PIM-activated accounts)
- Block legacy authentication protocols (SMTP, IMAP, POP3)
- Enforce device compliance for access to sensitive resources
- Restrict access by geographic location based on business needs
- Implement sign-in risk-based policies (requires Entra ID P2 license)
Policy 1: Mandatory MFA for Privileged Accounts
Administrative accounts remain prime targets for attackers, with 60% of breaches involving compromised credentials [3]. A baseline Conditional Access policy should enforce multi-factor authentication (MFA) for all users assigned to Entra ID roles like Global Administrator or Exchange Administrator. Microsoft recommends configuring this with grant controls set to “Require MFA” and assignments targeting role-enabled users through the `roleManagement/directory/roleAssignments` resource type. The policy should exclude emergency access accounts (clearly tagged with `BreakGlass` attributes) to prevent lockout scenarios.
Policy 2: Legacy Authentication Block
Legacy protocols lacking MFA support accounted for 98% of password spray attacks in 2024 [4]. A block policy should target client apps using basic authentication, configured with these conditions:

| Condition | Setting |
|---|---|
| Client Apps | Exchange ActiveSync, Other clients |
| Grant Controls | Block |

Exception rules may be needed for service accounts requiring SMTP, but these should be constrained by IP range restrictions.
Policy 3: Device Compliance Enforcement
For organizations using Microsoft Intune, Conditional Access can restrict access to corporate resources from non-compliant devices. The policy should:
- Target all cloud apps except those explicitly excluded (e.g., public-facing SharePoint sites)
- Require devices to be either Entra hybrid joined or Intune compliant
- Include a user notification mechanism via the `termsOfUse` grant control
Red teams should note that this policy creates opportunities for device registration phishing simulations during security assessments.
Implementation Considerations
Before activating policies in production, Microsoft’s Report-Only mode provides impact analysis without affecting users. The What If tool in the Entra portal allows testing specific scenarios, such as:
“Simulating access attempts from untrusted locations or non-compliant devices to verify policy effectiveness before enforcement.”
Session controls like limiting download capabilities in Microsoft Defender for Cloud Apps [5] can complement Conditional Access policies for data-centric protection.
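As an added example (not from the original article or from Microsoft’s documentation), the following Python builds the Microsoft Graph `conditionalAccessPolicy` bodies for Policy 1 and Policy 2 and checks them against the caveats above before they would be POSTed: emergency access accounts must be excluded, and the policy should start in Report-only mode. The Global Administrator role template ID is its well-known value; the break-glass object IDs and the `BASELINE-` display names are constructed placeholders.

```python
"""Build Graph API bodies for the baseline CA policies and lint them before
POSTing to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
Constructed example; break-glass IDs below are placeholders, not real accounts."""

# Well-known directory role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder object IDs for the emergency access (break-glass) accounts.
BREAK_GLASS_IDS = ["00000000-0000-0000-0000-000000000001"]
# Graph 'state' value that corresponds to Report-only mode in the portal.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def admin_mfa_policy(role_ids, break_glass_ids, state=REPORT_ONLY):
    """Policy 1: require MFA for every user holding one of the given directory roles."""
    return {
        "displayName": "BASELINE-01 Require MFA for privileged roles",
        "state": state,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeRoles": list(role_ids), "excludeUsers": list(break_glass_ids)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def legacy_auth_block_policy(break_glass_ids, state=REPORT_ONLY):
    """Policy 2: block Exchange ActiveSync and 'Other clients' (basic auth) for all users."""
    return {
        "displayName": "BASELINE-02 Block legacy authentication",
        "state": state,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy, break_glass_ids):
    """Return the baseline rules a policy violates; an empty list means safe to submit."""
    problems = []
    users = policy["conditions"]["users"]
    missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
    if missing:
        problems.append("break-glass accounts not excluded: " + ", ".join(sorted(missing)))
    if policy["state"] == "enabled":
        problems.append("policy enabled directly; deploy in Report-only mode first")
    if ("block" in policy["grantControls"]["builtInControls"]
            and users.get("includeUsers") == ["All"]
            and policy["conditions"]["clientAppTypes"] == ["all"]):
        problems.append("block for all users on all client apps would lock out the tenant")
    return problems
```

Run `lint_policy` over each body before submitting it; a policy that passes can be POSTed with the `Policy.ReadWrite.ConditionalAccess` permission and flipped from Report-only to `enabled` once the sign-in log impact has been reviewed.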
Conclusion
These five policies establish a security baseline that addresses the most common identity-based attack vectors. Organizations should progressively implement additional controls like user risk policies and application-specific restrictions after validating these foundational rules. Continuous monitoring through Entra ID Protection and regular policy reviews ensure adaptive protection against evolving threats.
References
1. “Conditional Access overview”, Microsoft Docs, 2025.
2. “Mastering Microsoft Entra ID Conditional Access”, Reddit discussion, 2024.
3. “Entra ID Protection overview”, Microsoft Docs, 2025.
4. “Conditional Access Policy Guide”, LazyAdmin, 2024.
5. “Microsoft Defender for Cloud Apps”, Microsoft Docs, 2025.