
Entra ID Conditional Access design

Designing a Conditional Access baseline — policies, principles, and the order they should be written in.

Conditional Access (CA) is the Entra ID engine that decides what happens to every sign-in based on signals: who, where, what device, what app, what risk. Designed well, it's the single most effective control in Microsoft 365. Designed badly, it locks people out at midnight.

The principles

  • Default to deny: assume no implicit access. Every grant is explicit.
  • Layer: many small policies are easier to reason about than a few large ones.
  • Always allow break-glass: a small set of emergency accounts (excluded from every policy, with very strong credentials) avoids total lockout.
  • Test in report-only first: every policy supports a Report-only mode that logs what would have happened.
  • Document why: each policy needs a clear purpose so future-you doesn't break it.

A baseline policy set

A reasonable starting baseline, in order:

  1. Block legacy authentication — POP, IMAP, SMTP basic auth, Exchange ActiveSync basic auth. These bypass MFA. Block them with no exceptions.
  2. Require MFA for all users — every user, every cloud app, with the named break-glass accounts excluded.
  3. Require MFA for admins — even tighter, with PIM for time-bound activation.
  4. Require compliant or hybrid-joined device for Office 365 — adds Intune-based device posture.
  5. Block access from high-risk countries — or require step-up authentication.
  6. Block access for high-risk users / sign-ins — uses Entra ID Identity Protection signals (P2).
  7. Require terms of use for external users / specific apps.
  8. Session controls — restrict downloads on unmanaged devices, restrict copy/paste in mobile apps.
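As an added example (not code from the original page), the first two baseline policies expressed as Microsoft Graph `conditionalAccessPolicy` payloads, plus a small lint that checks each policy against the principles above (break-glass excluded, report-only first, scoped to all apps). The break-glass group id is a constructed placeholder.

```python
import json

# Constructed placeholder: object id of the group holding the break-glass accounts.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only


def base_policy(name, grant):
    # Shared skeleton: all users, all cloud apps, break-glass excluded, report-only.
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": [grant]},
    }


def block_legacy_auth():
    # Legacy protocols show up as the "other" and "exchangeActiveSync" client app types.
    p = base_policy("CA001 - Block legacy authentication", "block")
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    return p


def require_mfa_all_users():
    return base_policy("CA002 - Require MFA for all users", "mfa")


def lint(policy):
    # Returns the list of principle violations; an empty list means the policy passes.
    c = policy["conditions"]
    issues = []
    if BREAK_GLASS_GROUP not in c["users"].get("excludeGroups", []):
        issues.append("break-glass group not excluded")
    if policy["state"] != REPORT_ONLY:
        issues.append("new policy not in report-only mode")
    if c["applications"].get("includeApplications") != ["All"]:
        issues.append("partial app scope")
    return issues


if __name__ == "__main__":
    for p in (block_legacy_auth(), require_mfa_all_users()):
        print(p["displayName"], lint(p) or "OK")
        print(json.dumps(p, indent=2))  # body you would POST to /identity/conditionalAccess/policies
```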

What signals you can use

  • User: individual user, group, role, risk score, internal/guest.
  • Cloud app: every Microsoft 365 app plus third-party apps using Entra ID for SSO.
  • Device: compliance, hybrid join, ownership, OS.
  • Location: named IP ranges, countries, trusted/untrusted.
  • Sign-in risk: real-time evaluation by Entra ID's risk engine.
  • Session controls: app-enforced restrictions, Defender for Cloud Apps controls.

Common mistakes

  • Excluding too few break-glass accounts from policies (a single emergency account isn't enough).
  • Overlapping policies whose combined effect is hard to predict.
  • Forgetting to scope policies to all apps — partial scopes leak.
  • Skipping report-only mode and shipping straight to enforce.
  • Ignoring guests — guests need their own policies too.

Licensing

Conditional Access requires Entra ID P1, included with Microsoft 365 Business Premium, E3, E5, F3, and as a standalone licence. Identity Protection (sign-in risk, user risk) requires P2.

CA isn't a one-time project. Treat the policy set as living configuration, reviewed quarterly against new threats and new apps.