Azure

Azure Conditional Access Policy Design: Complete Guide with Baselines, Templates & Patterns

2026-05-24
NicheeLab Editorial Team

Microsoft Entra ID Conditional Access is the central technology of modern enterprise identity management. It evaluates conditions such as user, group, app, sign-in risk, device state, and location to dynamically control access, sitting at the heart of the Identities pillar of Zero Trust strategy. This article walks through how Conditional Access works, the recommended baseline policies, implementation templates, operational best practices, and the common pitfalls.

How Conditional Access Works

A Conditional Access policy is defined with the structure "Conditions → Controls".

Conditions

  • Users / Groups: Target users, groups, guests, and specific roles
  • Cloud apps or actions: Microsoft 365, Azure, and third-party SaaS apps
  • Conditions: Sign-in Risk, User Risk, device platform, location (Named Locations), client app, device state (Compliant / Hybrid Joined), and filters

Controls

  • Grant Controls: Block / Grant access, with additional requirements on grant (MFA, compliant device, Hybrid Azure AD Join, approved app, password change, terms of use acceptance)
  • Session Controls: Sign-in Frequency, Persistent Browser Session, App Enforced Restrictions, Conditional Access App Control (CASB), and customized continuous access evaluation

Prerequisites: Licensing and Initial Setup

Enabling Conditional Access requires the following:

  • Microsoft Entra ID Premium P1 or higher (Microsoft 365 E3 / Business Premium / standalone Entra ID P1)
  • Premium P1 license assigned to every targeted user (e.g., 1,000 P1 licenses for 1,000 targeted users)
  • Additional features with Premium P2: risk-based Conditional Access (Identity Protection) and PIM integration
  • Cannot be used alongside Security Defaults (enabling Conditional Access auto-disables Security Defaults)

Seven Recommended Baseline Policies

Here is the Conditional Access baseline (the recommended starter set) published by Microsoft. The standard playbook for a new Conditional Access deployment is to introduce these policies one by one in Report-only mode.

  1. Require MFA for admin roles: Covers 14 roles including Global Admin and Privileged Role Admin. The first line of defense for privileged access.
  2. Require MFA for all users: Org-wide rollout. The single highest-impact control against account compromise.
  3. Block known risky sign-ins: Block High Risk sign-ins via Identity Protection integration (requires Premium P2).
  4. Block legacy authentication: POP/IMAP/SMTP/Basic Auth — the classic MFA bypass paths.
  5. Require MFA for admin portal access: Target apps like azure-portal, admin-portal, and microsoft-intune-portal.
  6. Block access from non-compliant devices: Integrated with Microsoft Intune Compliance Policies.
  7. Country-based access restrictions: Block access from China, Russia, North Korea, etc. using Named Locations.

Using Report-only Mode

Report-only mode is a test mode that does not actually enforce the Conditional Access policy and only logs the result of applying it.

  • When rolling out a new policy, always run it in Report-only for 1-2 weeks and check Sign-in Logs for unintended blocks
  • A misconfigured policy (e.g., requiring iOS devices for all users) enforced in production would lock out every Windows user
  • Check for the 'Failure - Reported only' status in the Report-only column of Sign-in Logs
  • The What If tool also lets you simulate policy outcomes in advance

Break Glass Accounts (Emergency Access)

The single most important prerequisite for Conditional Access operations is excluding Break Glass accounts.

  1. Always create two Break Glass accounts (one excluded from Conditional Access, the second as an additional safety net)
  2. Cloud-only accounts (no on-prem AD sync, no AD FS / federation)
  3. 16+ character ultra-strong passwords, stored physically separated in a password manager
  4. Global Administrator role assigned permanently (Active, not PIM Eligible)
  5. Excluded from every single Conditional Access policy
  6. Sign-in alerts configured to notify the CISO / IT security team whenever the account is used

If you forget to set up Break Glass accounts, a Conditional Access misfire can lock every admin in the organization out — a catastrophic failure scenario.

Designing Named Locations

Named Locations let you define IP address ranges (CIDR) or countries as named entities that Conditional Access Conditions can reference.

PatternUse caseExample
Office Trusted IPNo MFA when coming from the officeMark HQ and branch-office public IPs as Trusted Locations
Risky CountryBlock specific countriesChina, Russia, North Korea, Iran
Allowed CountryAllow access only from approved countriesJapan, US, UK, Germany, Singapore
VPN EndpointAllow only via the corporate VPNThe VPN server's egress public IP
Co-managementPartner-company IPsStatic IPs of the outsourcing partner

Using Session Controls

Session Controls govern session behavior after authentication.

Sign-in Frequency

  • Sensitive data access → re-authenticate every 1 hour
  • Admin portals → every 4 hours
  • General users → every 8 hours (one business day)
  • High-security environments → re-authenticate every time the browser closes (set Persistent Browser Session to Never)

Other Controls

  • Persistent Browser Session: Toggle between Always and Never. Never is recommended for shared-computer environments.
  • App Enforced Restrictions: Restrictions like 'web browser only, no downloads' for SharePoint / OneDrive
  • Conditional Access App Control: Integrates with Microsoft Defender for Cloud Apps (CASB) for inline monitoring of third-party SaaS

Testing and Operations Best Practices

  1. Run in Report-only for 1-2 weeks and review Sign-in Logs for applied results
  2. A scoped Pilot Group enforces for one week ahead of broader rollout (e.g., 50 people in the IT department only)
  3. Use the What If tool to simulate expected behavior for individual users
  4. Expand the target user base in stages (Pilot → 100 → 500 → org-wide)
  5. Aggregate Sign-in Logs into Microsoft Sentinel for anomaly detection
  6. Review policies regularly (quarterly, checking Microsoft Secure Score)

Conditional Access Pitfalls

  1. Forgetting to exclude Break Glass accounts from Conditional Access: The most catastrophic failure mode. Always create two and add them as exclusions.
  2. Enforcing in production without Report-only first: The textbook scenario for a full-org lockout incident.
  3. Marking Named Locations as Trusted: Risk policies stop firing. Use Trusted only when you truly need it.
  4. Missing CA configuration for Service Principals / Managed Identities: Conditional Access for Workload Identities is now supported.
  5. Legacy authentication in third-party apps: If Basic Auth remains in Slack, Salesforce, etc., CA cannot enforce.
  6. Mobile-app App Password bypass: Apps using legacy protocols can bypass MFA.

Related Certification Exams

Frequently Asked Questions

What is Conditional Access?

Conditional Access is the dynamic access control engine in Microsoft Entra ID Premium P1/P2. It evaluates conditions such as user, group, app, sign-in risk, device state, and location, and then applies Grant Controls (allow / require MFA / require compliant device / require approved app) or Session Controls (Sign-in Frequency / Persistent Browser Session / App Enforced Restrictions). It sits at the heart of Zero Trust strategy as the central technology for the Identities pillar, providing unified access control across Microsoft 365, Azure, and third-party SaaS apps. It is effectively mandatory for modern enterprise identity management.

What do I need to enable Conditional Access?

You need a Microsoft Entra ID Premium P1 license (included in Microsoft 365 E3 / Microsoft 365 Business Premium / standalone Entra ID P1). Premium P2 (Microsoft 365 E5 / standalone Entra ID P2) adds risk-based Conditional Access (with Identity Protection) and PIM integration (Conditional Access at privileged role activation). Every targeted user needs a license, so you must buy P1 licenses for the full user population covered by your policies. Security Defaults and Conditional Access cannot be used together — enabling Conditional Access automatically disables Security Defaults.

What are the recommended baseline policies?

Microsoft publishes a recommended Conditional Access baseline (starter set): 1) Require MFA for admin roles (covering 14 roles including Global Admin and Privileged Role Admin), 2) Require MFA for all users (org-wide rollout), 3) Block known risky sign-ins (Identity Protection, High Risk), 4) Block legacy authentication (POP/IMAP/SMTP), 5) Require MFA for admin portal access (azure-portal, admin-portal), 6) Block non-compliant device access to Microsoft 365 apps, and 7) Country-based access restrictions (e.g., using Named Locations to block access from China/Russia). The Zero Trust Identity Reference Architecture on Microsoft Learn covers the full details.

Why is Report-only mode so important?

Report-only mode is a test mode that does not actually enforce the Conditional Access policy — it only logs what would have happened. The standard playbook is to run any new policy in Report-only for 1-2 weeks and review Sign-in Logs for unintended blocks. A misconfigured policy (e.g., requiring iOS devices for all users) enforced in production would lock out every Windows user, so Report-only validation is your lifeline against outages. Microsoft also recommends starting every new Conditional Access policy in Report-only mode. You can check the 'Failure - Reported only' status in the Report-only column of Sign-in Logs.

How are Named Locations used?

Named Locations let you define IP address ranges (CIDR) or countries as named entities that Conditional Access Conditions can reference. Typical patterns: 1) No MFA from office IPs (Trusted Locations), MFA required elsewhere, 2) Block access from China, Russia, North Korea, etc., 3) Allow access only from specific countries like Japan or the US (a whitelist that accommodates business travel and remote work), and 4) Dynamic country-by-IP detection using Microsoft's IP geolocation database. Watch out for VPN and proxy traffic — the source IP will differ, so you must also register your VPN server IPs as Named Locations.

What does Sign-in Frequency control?

Sign-in Frequency is a Session Control that governs how often users are forced to re-authenticate. The default behavior is refresh token validation every hour plus a 90-day sliding window for persistent sign-in. Configuring Sign-in Frequency forces a full re-authentication (including MFA) at the interval you set — e.g., every 8 hours. In high-security environments you can tune this granularly: re-auth every hour for sensitive data access, every 4 hours for admin portals, every 8 hours (one business day) for general users. Setting Persistent Browser Session to Never forces re-login every time the browser closes, which is effective for hardening shared-computer environments.

What are the common Conditional Access pitfalls?

The classic pitfalls: 1) Forgetting to exclude Break Glass (emergency access) accounts from Conditional Access, so a policy misfire locks out every admin — always create two Break Glass accounts and add them as Conditional Access exclusions, 2) Enforcing in production without going through Report-only, leading to the textbook full-org lockout, 3) Classifying Named Locations as Trusted, which neuters risk policies, 4) Failing to apply Conditional Access to Service Principals / Managed Identities (CA for Workload Identities is now Preview/GA), 5) Third-party apps (Slack, Salesforce, etc.) keeping legacy auth patterns alive, so CA never kicks in, and 6) Leaving mobile-app MFA bypass paths like App Passwords in place. The Break Glass exclusion is the single most important control — every other Conditional Access operation in your org depends on it.

Which certification exams cover Conditional Access?

SC-300 (Identity and Access Administrator Associate) goes deep on Conditional Access — policy design, troubleshooting, and implementation patterns appear constantly. It also shows up in MS-102 (Microsoft 365 Administrator Expert) Domain 2 (Identity and Access), as a Zero Trust strategy cornerstone in SC-100 (Cybersecurity Architect Expert), and in SC-200 (Security Operations Analyst) via Sentinel integration and Identity Protection. It is a must-know area across the entire Microsoft security certification track. See the Azure security engineer career roadmap for more details.

Related Articles & Deeper Dives

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

Microsoft Entra MFA 詳細ガイド|認証方式選定・Conditional Access・Number Matching・Phishing-resistant MFA【2026 年版】

Microsoft Entra Multi-Factor Authentication (MFA) の詳細ガイド。10 種類の認証方式選定・Conditional Access での MFA 強制・Per-user MFA vs Conditional Access MFA・Security Defaults・MFA Fatigue 攻撃対策・Phishing-resistant MFA・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

Microsoft Entra ID Governance 完全ガイド|Entitlement Management・Access Review・Lifecycle Workflows【2026 年版】

Microsoft Entra ID Governance の完全ガイド。Entitlement Management (Access Package)・Access Review・PIM・Lifecycle Workflows・Terms of Use・B2B/B2C を網羅解説。SOC2 / ISO 27001 コンプライアンス対応、JML プロセス自動化、関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

Microsoft Entra B2B / External ID 完全ガイド|パートナー招待・顧客認証・Cross-tenant Settings【2026 年版】

Microsoft Entra B2B Collaboration (パートナー組織招待) と External ID for customers (顧客認証) の完全ガイド。ゲスト招待フロー・Cross-tenant Access Settings・External Tenant 構成・Entitlement Management 自動化・Conditional Access 統合・関連認定試験 (SC-300 / MS-102 / SC-100) を日本語で網羅。

The technical content in this article is based on the Microsoft Entra Conditional Access Documentation. This article is not an official Microsoft Corporation product, and there is no partnership or sponsorship of any kind. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. Information reflects official public documentation as of May 24, 2026. Always check the official pages for the latest details.

Check what you learned with practice questions

Practice with certification-focused question sets

Browse Azure exam prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.