ConditionalAccess
Repository: @aollivierre/ConditionalAccess
Modern Conditional Access Baseline 2025
This repository contains a comprehensive set of Conditional Access (CA) policies and PowerShell management tools for Microsoft Entra ID (formerly Azure AD), designed to enhance your organization's security posture while maintaining usability.
🙏 Acknowledgments
This project builds upon the excellent work of:
- Kenneth van Surksum (@kennethvs) - Original CA baseline policies
- Daniel Chronlund (@DanielChronlund) - DC Toolbox CA implementations
📋 Prerequisites
Before implementing these baselines, ensure:
- Security Defaults are disabled in your tenant (Security Defaults and Conditional Access cannot be active at the same time)
- Legacy per-user MFA is disabled for all users (except unlicensed accounts if necessary), so that MFA is enforced by Conditional Access alone and users do not get double prompts
- Required licenses are available for your users (Microsoft Entra ID P1 for Conditional Access; P2 for the risk-based policies)
- Basic familiarity with Conditional Access concepts
🏗️ Implementation Components
Required Infrastructure
- 42 Entra ID Groups for inclusion/exclusion management
- 44 Conditional Access policies
- Supporting Intune MAM/APP policies
Policy Modes
- Most policies are deployed in "Report-only" mode so their impact can be measured from the sign-in logs without blocking anyone
- Device-compliance policies are set to "Off" initially: even in report-only mode, a policy that requires a compliant or hybrid-joined device can prompt users on macOS, iOS and Android to select a device certificate during evaluation
🛠️ Recommended Tools
Policy Deployment
- Intune Management Tool - For importing and managing policies
Policy Visualization
- IdPowerToys - For visualizing and understanding policy interactions
📝 Best Practices
1. Group-Based Assignment
   - Always use groups for inclusions/exclusions instead of direct user assignments
   - Enables easier management and automated import via Intune Management Tool
2. Staged Rollout
   - Start with policies in report-only mode
   - Use the provided PowerShell tools to analyze sign-in logs
   - Assess impact before enabling enforcement
3. Policy Management
   - Maintain documentation of policy exceptions
   - Review policy effectiveness regularly
   - Monitor for policy conflicts
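The first two practices (group-based assignment, and report-only before enforcement) can be checked mechanically against exported policies. The PowerShell below is an added example written for this page, not a script from this repository; it assumes the policies are in the Microsoft Graph `conditionalAccessPolicy` JSON schema (the format Intune Management Tool imports and exports) and runs against constructed sample policies, so no tenant connection is required.

```powershell
# Added example (not part of the repository). Lints Conditional Access policy
# objects in the Graph conditionalAccessPolicy schema against two baseline rules:
#   1. assign by group, never by individual user id
#   2. start in report-only (or off); never import a policy already "enabled"
# Runs on PowerShell 7 with no Graph connection.

# Keywords Graph accepts in includeUsers/excludeUsers; anything else is a user id.
$AllowedUserKeywords = @('All', 'None', 'GuestsOrExternalUsers')

function Test-CaPolicyBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Policy
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        $users = $Policy.conditions.users

        # Rule 1: direct user assignment in either list.
        foreach ($prop in 'includeUsers', 'excludeUsers') {
            $direct = @(@($users.$prop) | Where-Object { $_ -and ($_ -notin $AllowedUserKeywords) })
            if ($direct.Count -gt 0) {
                $findings.Add("$prop contains $($direct.Count) direct user assignment(s); use a group instead")
            }
        }

        # Rule 1 (scope): a policy should be scoped by a group or by 'All'.
        $groupCount = @($users.includeGroups | Where-Object { $_ }).Count
        if ($groupCount -eq 0 -and -not (@($users.includeUsers) -contains 'All')) {
            $findings.Add('no includeGroups and includeUsers is not "All"; scope the policy with a group')
        }

        # Rule 2: state must be report-only or disabled on import.
        # Valid Graph values: enabled, disabled, enabledForReportingButNotEnforced.
        if ($Policy.state -eq 'enabled') {
            $findings.Add('state is "enabled"; import as enabledForReportingButNotEnforced and enforce after impact review')
        }

        [pscustomobject]@{
            DisplayName = $Policy.displayName
            State       = $Policy.state
            Compliant   = ($findings.Count -eq 0)
            Findings    = $findings.ToArray()
        }
    }
}

# --- Constructed sample policies (names and ids are made up for this example) ---
$samplePolicies = @'
[
  {
    "displayName": "Sample - Require MFA for all users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": { "users": {
      "includeUsers": ["All"], "excludeUsers": [],
      "includeGroups": [], "excludeGroups": ["00000000-0000-0000-0000-000000000001"] } }
  },
  {
    "displayName": "Sample - Block legacy authentication",
    "state": "enabled",
    "conditions": { "users": {
      "includeUsers": ["1f2e3d4c-0000-0000-0000-000000000042"], "excludeUsers": [],
      "includeGroups": [], "excludeGroups": [] } }
  }
]
'@ | ConvertFrom-Json

# First policy passes; second is flagged for a direct user assignment and for being enabled.
$samplePolicies | Test-CaPolicyBaseline | Format-List
```

To lint a real export, replace the sample with `Get-Content .\policy.json -Raw | ConvertFrom-Json`, or pipe the output of `Get-MgIdentityConditionalAccessPolicy` (Microsoft.Graph.Identity.SignIns module) into `Test-CaPolicyBaseline`; property names are matched case-insensitively, so both the camelCase JSON and the SDK's PascalCase objects work.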
🚀 Implementation Guide
1. Clone this repository
2. Create the required Entra ID groups
3. Import the baseline policies using Intune Management Tool
4. Review and customize the policies for your environment
5. Use the provided PowerShell tools to monitor impact
6. Gradually enable enforcement based on the analysis
📊 Included Tools
This repository includes PowerShell scripts for:
- Managing user/group assignments
- Analyzing sign-in logs for report-only policies
- Impact assessment reporting
- Policy compliance monitoring
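Steps 5 and 6 of the implementation guide, and the sign-in log analysis tool listed above, both depend on the `appliedConditionalAccessPolicies` element that Entra ID records on every interactive sign-in: for a report-only policy the `result` field is one of `reportOnlySuccess`, `reportOnlyFailure`, `reportOnlyInterrupted` or `reportOnlyNotApplied`. The PowerShell below is an added example for this page, not one of the repository's scripts; it summarises per policy what enforcement would have done. `Get-ReportOnlySignIns` assumes the `Microsoft.Graph.Reports` module and `AuditLog.Read.All` consent; the rest runs offline against constructed sample records.

```powershell
# Added example (not part of the repository). Summarises report-only Conditional
# Access outcomes from sign-in records in the Microsoft Graph signIn schema.

function Get-ReportOnlySignIns {
    # Assumes Microsoft.Graph.Reports is installed and Connect-MgGraph was run
    # with at least AuditLog.Read.All and Directory.Read.All.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
}

function Measure-ReportOnlyImpact {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$SignIns)

    # Flatten to one row per (sign-in, report-only policy evaluation).
    $rows = foreach ($s in $SignIns) {
        foreach ($p in @($s.appliedConditionalAccessPolicies)) {
            if ($p.result -notlike 'reportOnly*') { continue }   # skip enforced/off policies
            [pscustomobject]@{
                Policy = $p.displayName
                Result = $p.result
                User   = $s.userPrincipalName
                App    = $s.appDisplayName
            }
        }
    }

    $rows | Group-Object Policy | ForEach-Object {
        $g = $_.Group
        # reportOnlyFailure = grant controls could not be satisfied: enforcing would BLOCK.
        $failures = @($g | Where-Object Result -eq 'reportOnlyFailure')
        [pscustomobject]@{
            Policy         = $_.Name
            Evaluations    = $_.Count
            WouldSucceed   = @($g | Where-Object Result -eq 'reportOnlySuccess').Count
            WouldBlock     = $failures.Count
            # reportOnlyInterrupted = user would have been prompted (e.g. for MFA).
            WouldInterrupt = @($g | Where-Object Result -eq 'reportOnlyInterrupted').Count
            NotApplied     = @($g | Where-Object Result -eq 'reportOnlyNotApplied').Count
            AffectedUsers  = @($failures | ForEach-Object User | Sort-Object -Unique)
            AffectedApps   = @($failures | ForEach-Object App  | Sort-Object -Unique)
        }
    } | Sort-Object WouldBlock -Descending
}

# --- Constructed sample sign-ins (users, apps and policy names are made up) ---
$sampleSignIns = @'
[
  { "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
    "appliedConditionalAccessPolicies": [
      { "displayName": "Sample - Require MFA for all users",   "result": "reportOnlySuccess" },
      { "displayName": "Sample - Block legacy authentication", "result": "reportOnlyNotApplied" } ] },
  { "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
    "appliedConditionalAccessPolicies": [
      { "displayName": "Sample - Require MFA for all users",   "result": "reportOnlyFailure" },
      { "displayName": "Sample - Block legacy authentication", "result": "reportOnlyFailure" } ] },
  { "userPrincipalName": "svc-scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online",
    "appliedConditionalAccessPolicies": [
      { "displayName": "Sample - Block legacy authentication", "result": "reportOnlyFailure" },
      { "displayName": "Sample - Require compliant device",    "result": "notEnabled" } ] }
]
'@ | ConvertFrom-Json

# Offline run on the sample; for a tenant: Measure-ReportOnlyImpact -SignIns (Get-ReportOnlySignIns -Days 14)
Measure-ReportOnlyImpact -SignIns $sampleSignIns | Format-Table -AutoSize
```

Read the `WouldBlock` column as the number of sign-ins that would have failed had the policy been enforced, and review `AffectedUsers` before flipping a policy from report-only to enabled: a service account showing up under a legacy-authentication block, as in the sample, usually needs remediation or a documented exclusion group rather than an exception in the policy itself. Sign-in logs are retained for 30 days on P1/P2, so pull them into the assessment while the report-only window is still running.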
🔜 Future Plans
- Enhanced PowerShell tools for sign-in log analysis
- Automated impact assessment reporting
- Additional compliance templates
- Integration with Microsoft Graph API
- Additional baseline policies for specific scenarios
📚 Documentation
Detailed documentation for each component is available in the respective folders:
- /policies - Baseline CA policies
- /scripts - PowerShell management tools
- /docs - Implementation guides and best practices
🤝 Contributing
Contributions are welcome! Please read our contributing guidelines before submitting pull requests.
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
💬 Support
For issues and feature requests, please use the GitHub issues section.
