Microsoft Entra ID Conditional Access is the central technology of modern enterprise identity management. It evaluates conditions such as user, group, app, sign-in risk, device state, and location to dynamically control access, sitting at the heart of the Identities pillar of Zero Trust strategy. This article walks through how Conditional Access works, the recommended baseline policies, implementation templates, operational best practices, and the common pitfalls.
A Conditional Access policy is defined with the structure "Conditions → Controls".
Enabling Conditional Access requires the following:
Here is the Conditional Access baseline (the recommended starter set) published by Microsoft. The standard playbook for a new Conditional Access deployment is to introduce these policies one by one in Report-only mode.
Report-only mode is a test mode that does not actually enforce the Conditional Access policy and only logs the result of applying it.
The single most important prerequisite for Conditional Access operations is excluding Break Glass accounts.
If you forget to set up Break Glass accounts, a Conditional Access misfire can lock every admin in the organization out — a catastrophic failure scenario.
Named Locations let you define IP address ranges (CIDR) or countries as named entities that Conditional Access Conditions can reference.
| Pattern | Use case | Example |
|---|---|---|
| Office Trusted IP | No MFA when coming from the office | Mark HQ and branch-office public IPs as Trusted Locations |
| Risky Country | Block specific countries | China, Russia, North Korea, Iran |
| Allowed Country | Allow access only from approved countries | Japan, US, UK, Germany, Singapore |
| VPN Endpoint | Allow only via the corporate VPN | The VPN server's egress public IP |
| Co-management | Partner-company IPs | Static IPs of the outsourcing partner |
Session Controls govern session behavior after authentication.
What is Conditional Access?
Conditional Access is the dynamic access control engine in Microsoft Entra ID Premium P1/P2. It evaluates conditions such as user, group, app, sign-in risk, device state, and location, and then applies Grant Controls (allow / require MFA / require compliant device / require approved app) or Session Controls (Sign-in Frequency / Persistent Browser Session / App Enforced Restrictions). It sits at the heart of Zero Trust strategy as the central technology for the Identities pillar, providing unified access control across Microsoft 365, Azure, and third-party SaaS apps. It is effectively mandatory for modern enterprise identity management.
What do I need to enable Conditional Access?
You need a Microsoft Entra ID Premium P1 license (included in Microsoft 365 E3 / Microsoft 365 Business Premium / standalone Entra ID P1). Premium P2 (Microsoft 365 E5 / standalone Entra ID P2) adds risk-based Conditional Access (with Identity Protection) and PIM integration (Conditional Access at privileged role activation). Every targeted user needs a license, so you must buy P1 licenses for the full user population covered by your policies. Security Defaults and Conditional Access cannot be used together — enabling Conditional Access automatically disables Security Defaults.
What are the recommended baseline policies?
Microsoft publishes a recommended Conditional Access baseline (starter set): 1) Require MFA for admin roles (covering 14 roles including Global Admin and Privileged Role Admin), 2) Require MFA for all users (org-wide rollout), 3) Block known risky sign-ins (Identity Protection, High Risk), 4) Block legacy authentication (POP/IMAP/SMTP), 5) Require MFA for admin portal access (azure-portal, admin-portal), 6) Block non-compliant device access to Microsoft 365 apps, and 7) Country-based access restrictions (e.g., using Named Locations to block access from China/Russia). The Zero Trust Identity Reference Architecture on Microsoft Learn covers the full details.
Why is Report-only mode so important?
Report-only mode is a test mode that does not actually enforce the Conditional Access policy — it only logs what would have happened. The standard playbook is to run any new policy in Report-only for 1-2 weeks and review Sign-in Logs for unintended blocks. A misconfigured policy (e.g., requiring iOS devices for all users) enforced in production would lock out every Windows user, so Report-only validation is your lifeline against outages. Microsoft also recommends starting every new Conditional Access policy in Report-only mode. You can check the 'Failure - Reported only' status in the Report-only column of Sign-in Logs.
How are Named Locations used?
Named Locations let you define IP address ranges (CIDR) or countries as named entities that Conditional Access Conditions can reference. Typical patterns: 1) No MFA from office IPs (Trusted Locations), MFA required elsewhere, 2) Block access from China, Russia, North Korea, etc., 3) Allow access only from specific countries like Japan or the US (a whitelist that accommodates business travel and remote work), and 4) Dynamic country-by-IP detection using Microsoft's IP geolocation database. Watch out for VPN and proxy traffic — the source IP will differ, so you must also register your VPN server IPs as Named Locations.
What does Sign-in Frequency control?
Sign-in Frequency is a Session Control that governs how often users are forced to re-authenticate. The default behavior is refresh token validation every hour plus a 90-day sliding window for persistent sign-in. Configuring Sign-in Frequency forces a full re-authentication (including MFA) at the interval you set — e.g., every 8 hours. In high-security environments you can tune this granularly: re-auth every hour for sensitive data access, every 4 hours for admin portals, every 8 hours (one business day) for general users. Setting Persistent Browser Session to Never forces re-login every time the browser closes, which is effective for hardening shared-computer environments.
What are the common Conditional Access pitfalls?
The classic pitfalls: 1) Forgetting to exclude Break Glass (emergency access) accounts from Conditional Access, so a policy misfire locks out every admin — always create two Break Glass accounts and add them as Conditional Access exclusions, 2) Enforcing in production without going through Report-only, leading to the textbook full-org lockout, 3) Classifying Named Locations as Trusted, which neuters risk policies, 4) Failing to apply Conditional Access to Service Principals / Managed Identities (CA for Workload Identities is now Preview/GA), 5) Third-party apps (Slack, Salesforce, etc.) keeping legacy auth patterns alive, so CA never kicks in, and 6) Leaving mobile-app MFA bypass paths like App Passwords in place. The Break Glass exclusion is the single most important control — every other Conditional Access operation in your org depends on it.
Which certification exams cover Conditional Access?
SC-300 (Identity and Access Administrator Associate) goes deep on Conditional Access — policy design, troubleshooting, and implementation patterns appear constantly. It also shows up in MS-102 (Microsoft 365 Administrator Expert) Domain 2 (Identity and Access), as a Zero Trust strategy cornerstone in SC-100 (Cybersecurity Architect Expert), and in SC-200 (Security Operations Analyst) via Sentinel integration and Identity Protection. It is a must-know area across the entire Microsoft security certification track. See the Azure security engineer career roadmap for more details.
Related Articles & Deeper Dives
SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。
Microsoft Entra MFA 詳細ガイド|認証方式選定・Conditional Access・Number Matching・Phishing-resistant MFA【2026 年版】
Microsoft Entra Multi-Factor Authentication (MFA) の詳細ガイド。10 種類の認証方式選定・Conditional Access での MFA 強制・Per-user MFA vs Conditional Access MFA・Security Defaults・MFA Fatigue 攻撃対策・Phishing-resistant MFA・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。
Microsoft Entra ID Governance 完全ガイド|Entitlement Management・Access Review・Lifecycle Workflows【2026 年版】
Microsoft Entra ID Governance の完全ガイド。Entitlement Management (Access Package)・Access Review・PIM・Lifecycle Workflows・Terms of Use・B2B/B2C を網羅解説。SOC2 / ISO 27001 コンプライアンス対応、JML プロセス自動化、関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。
Microsoft Entra B2B / External ID 完全ガイド|パートナー招待・顧客認証・Cross-tenant Settings【2026 年版】
Microsoft Entra B2B Collaboration (パートナー組織招待) と External ID for customers (顧客認証) の完全ガイド。ゲスト招待フロー・Cross-tenant Access Settings・External Tenant 構成・Entitlement Management 自動化・Conditional Access 統合・関連認定試験 (SC-300 / MS-102 / SC-100) を日本語で網羅。
The technical content in this article is based on the Microsoft Entra Conditional Access Documentation. This article is not an official Microsoft Corporation product, and there is no partnership or sponsorship of any kind. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. Information reflects official public documentation as of May 24, 2026. Always check the official pages for the latest details.
Practice with certification-focused question sets
Browse Azure exam prepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...