What Is Conditional Access

Microsoft Conditional Access

The Microsoft Explanation

Conditional Access is an Entra ID Zero trust policy engine that evaluates token issuance and enforces controls based on:

Identity (user or workload)
Target resource (cloud app)
Context (location, device, risk, auth method)

It runs at sign-in time and determines whether a token is issued, restricted, or denied.

The Jon Hope Explanation

Conditional Access is the modern day cloud identity and workload firewall. In the modern cloud, identity is the new server—it’s the control plane every access request must pass through.

Just like a firewall:

It doesn’t protect the server — it protects access
It evaluates every connection attempt
Rules are context-aware, not static

Im currently expanding this to include Inforcer

Inforcer is the policy engine—GPO v2 for the cloud era. It operationalizes Conditional Access by defining standards once and enforcing them consistently at scale across multiple tenants, turning security intent into repeatable, governable outcomes

Important CA Differences and notes to call out

CA has 195 policy limit

Unlike Firewalls all policies apply at evaluation and dont have a priority ACL like an Azure NSG where a lower policy rule would apply before another

CA requires a P1 license for basic functions, P2 for Identity Protection features, Protecting Service Principals require Workload ID Premium license

Links from MVP's

Helpful Policy Links

Blog Post from Me

Advanced CA Deep Dive

ServicePrincipalList

Condtional Access Documentation Tools

Preventing Condtional Access Gaps

https://entrascopes.com/
https://cloudbrothers.info/en/conditional-access-bypasses/
https://www.youtube.com/watch?v=yYQBeDFEkps&list=PLuPHrE2HRFpOpFWfE0XLE3LsuMh0_8-Kr&index=97

P2 Risky Signal features

https://ourcloudnetwork.com/how-to-enable-require-risk-remediation-in-conditional-access/

Cannot overstate how awesome of a tool this is for docuemnation of any orginizations CA Policy into a visual ppt

THINGS TO CONSIDER

https://office365itpros.com/2024/02/12/conditional-access-mfa-email/ Sensitivity Labels and MFA for all Cloud Apps
https://nathanmcnulty.com/blog/2025/09/improving-passkey-registration-experiences/ Passkey Registration issues, Azure Credential Configuration Endpoint Service
https://ourcloudnetwork.com/how-to-enable-require-risk-remediation-in-conditional-access/ New Risk Remediation and how it works
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices?wt.mc_id=MVP_452337#policy-behavior-with-filter-for-devices How Device Filters work and apply Important!!!
https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token?tabs=windows-prt-issued%2Cbrowser-behavior-windows%2Cwindows-prt-used%2Cwindows-prt-renewal%2Cwindows-prt-protection%2Cwindows-apptokens%2Cwindows-browsercookies%2Cwindows-mfa#how-is-a-prt-used PRT Behavior/Dont use Private Browsing/Use Profiles
https://www.linkedin.com/feed/update/urn:li:activity:7339622643064578048/?updateEntityUrn=urn%3Ali%3Afs_updateV2%3A%28urn%3Ali%3Aactivity%3A7339622643064578048%2CFEED_DETAIL%2CEMPTY%2CDEFAULT%2Cfalse%29 ToU and GDAP access
https://www.linkedin.com/feed/update/urn:li:activity:7326339470608277504/?updateEntityUrn=urn%3Ali%3Afs_updateV2%3A%28urn%3Ali%3Aactivity%3A7326339470608277504%2CFEED_DETAIL%2CEMPTY%2CDEFAULT%2Cfalse%29 Device Compliance vs Device Filtering Discussion and Best practices IMPORTANT!!
https://www.natehutchinson.co.uk/post/mastering-the-mfa-mandate-considerations-and-recommendations-to-a-smooth-transition Great Overall recommendations around legacy auth migration and MFA Successful rollouts and reporting
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions Conditions in Conditional Access. Pay attention to the Browser support. This one is huge on how a device recognizes compliance
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices Why you need to be careful pushing out Device Compliance policies in Read Only
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection If creating a token protection CA Policy/ Ensure all Known limitations are reviewed/ Example I had an entra cloud pc that wasnt able to satisfy the requirement and needed an exclude filter for this policy

 Warning

Policies that require compliant devices may prompt users on Mac, iOS, and Android to select a device certificate during policy evaluation, even though device compliance is not enforced. These prompts may repeat until the device is made compliant.

Defense in Depth CA Policies

https://youtu.be/RA4BYQjLAAU?si=pSz4zeTOGYJf3iP3
(AZSecurity with Dinant Paardenkooper: Episode 30 - Implementing real world defense-in-depth strategies with Microsoft Azure and Entra ID)

Conditional Access Baseline

CAPolicy Baseline

Conditional Access (ACME) Policy Naming Documentation

ACME - [Scope] - [Control Type] - [Target] - [Descriptor/Notes]

Scope: GLOBAL, APP, INTUNE, P2, ZTCA, AGENT, WORKLOAD, etc.
Control Type: BLOCK, GRANT, SESSION.
Target: Describes target of the policy (e.g., MFA, Device Code Auth Flow, Legacy Authentication).
Additional Descriptor/Notes: Further description or exception details and Exclusions if requred

Prefix

ACME → Identifies this as a Customer Tenant CA policy and or deployed from Inforcer as an ACME Standard Policy

Scope

GLOBAL → Applies to all clients and all applications in the tenant.
APP → Specific to one enterprise application or client.
INTUNE → Applies to Intune-managed devices or mobile/desktop management.
P2 → Policies tied to Microsoft Entra ID Premium P2 features (e.g., risk-based CA).
ZTCA → Zero Trust Conditional Access policies.
Workload → Service Principal policy scope to secure Enterprise Apps.
AGENT → Applies to Microsoft Entra Agent Identities, including cloud sync agents, connectors, workload agents, token protection agents, and other non-human agent identity objects listed under Entra ID → Agent ID.

Control Type

BLOCK → Prevents access entirely.(Typical of Least privelage policy and has an Excluded group that is explicitly allowed access)
GRANT → Allows access but with conditions (e.g., MFA, compliant device).
SESSION → Configures session-level restrictions (e.g., persistence, sign-in frequency).

Target

Describes what is being affected.
Examples:
- MFA
- DeviceCodeAuthFlow
- LegacyAuthentication
- SignIn
- SharePoint-OneDrive
- AVDUsers
- Countries
- Breakglass
- Service Accounts
- APPS: Inforcer/DevOps/Copilot
- Terms Of Use
Descriptor / Notes
Used for exceptions, exclusions, or extra detail.
Always use Exclude- when naming a policy with explicit exclusions.
Examples:
- Exclude-TrustedEntraSyncIPs
- Exclude-AVD-ExternalUsers
- NonTrustedLocations

ACME - GLOBAL - GRANT - MFA - External-Guest-Users

Applies to all apps/clients.
Grants access only if MFA is satisfied.
Targets external and guest users.

ACME - APP - BLOCK - AzureDevOps(Or other Apps)

Applies to Azure DevOps enterprise app only.
Blocks access for all unless explicitly excluded.

ACME - APP - BLOCK - AVD - Exclude-AllowedAVDUsers

Applies to select Ent App/clients.
Blocks AVD access except for AllowedAVDUsers group.(Typically this is AVDUsers/AVD-ExternalUsers)

4. Best Practices

Keep it concise but descriptive — each segm

ConditionalAccessPolicies

Install / Use

README