
ConditionalAccessBaseline

No description available

Install / Use

/learn @j0eyv/ConditionalAccessBaseline
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Conditional Access Baseline

This Conditional Access baseline is based on the Microsoft Conditional Access Baseline by Claus Jespersen. This version is slightly reduced and easier to understand, but still protects almost every scenario you could wish for. Use it as a starting point and expand or modify it where needed.

[!TIP] There is no need to create the policies, groups or named locations yourself. This can be automated with Mick-K's Intune Management tool, as described in Importing the baseline.

[!IMPORTANT] Do not forget to add your break-glass/emergency access accounts to the exclusion group. With this baseline, that group is CA-BreakGlassAccounts - Exclude.


Resources

➡ Microsoft Learn: https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework

➡ Framework documentation by Claus Jespersen: https://github.com/microsoft/ConditionalAccessforZeroTrustResources/blob/main/ConditionalAccessGovernanceAndPrinciplesforZeroTrust%20October%202023.pdf

➡ Framework resources: https://github.com/microsoft/ConditionalAccessforZeroTrustResources

➡ idPowerToys for CA documentation: https://idpowertoys.merill.net/

Prerequisites

  • Security Defaults must be disabled before Conditional Access policies can be imported.
  • Make sure the Microsoft Intune Enrollment app (App ID: d4ebce55-015a-49b5-a083-c84d1797ae8c) exists in your tenant. If it does not, create it manually with New-MgServicePrincipal -AppId d4ebce55-015a-49b5-a083-c84d1797ae8c
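The following pre-flight script, added here as an example and not part of the baseline repository, checks the three prerequisites above in one go: that Security Defaults are off, that the Microsoft Intune Enrollment service principal exists (creating it with New-MgServicePrincipal if not), and that the CA-BreakGlassAccounts - Exclude group exists and actually contains members before any policy is enabled. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the listed scopes; the use of Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy for the Security Defaults check is this example's choice, not something the README prescribes.

```powershell
# Added pre-flight check for the baseline prerequisites (example code, not from the repository).
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account has the scopes below.
# The app ID and group name come from the README; the cmdlet choices are this example's.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.ReadWrite.All', 'Group.Read.All' -NoWelcome

$intuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'   # from the README
$breakGlassGroupName   = 'CA-BreakGlassAccounts - Exclude'          # from the README

# 1. Security Defaults must be disabled before Conditional Access policies can be imported.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($secDefaults.IsEnabled) {
    Write-Warning 'Security Defaults are still enabled; disable them before importing the baseline.'
} else {
    Write-Host 'OK: Security Defaults are disabled.'
}

# 2. The Microsoft Intune Enrollment service principal must exist; create it if it is missing.
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'"
if (-not $sp) {
    Write-Host 'Microsoft Intune Enrollment service principal not found; creating it.'
    $sp = New-MgServicePrincipal -AppId $intuneEnrollmentAppId
}
Write-Host "OK: service principal '$($sp.DisplayName)' present (object id $($sp.Id))."

# 3. The break-glass exclusion group must exist and contain the emergency accounts; an empty
#    exclusion group means a misconfigured policy can lock every admin out of the tenant.
$group = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'" | Select-Object -First 1
if (-not $group) {
    Write-Warning "Group '$breakGlassGroupName' not found; import the baseline first, then add the emergency accounts."
} else {
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    if ($members.Count -eq 0) {
        Write-Warning "Group '$breakGlassGroupName' has no members; add the break-glass accounts before enabling any policy."
    } else {
        Write-Host "OK: $($members.Count) break-glass account(s) excluded via '$breakGlassGroupName'."
    }
}
```

Run it once before importing and once more after the import but before switching any policy from report-only to on: the group check only becomes meaningful once the baseline has created the exclusion group.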

Roadmap

  • Feedback and enhancement requests can be provided by opening a repository issue.

Version history

| Version | Release date |
| -------- | -------- |
| 2024.4.1 | Released 10-04-2024 |
| 2024.6.1 | Released 26-06-2024 |
| 2025.2.1 | Released 01-02-2025 |
| 2025.2.2 | Released 06-02-2025 |
| 2025.2.3 | Released 13-02-2025 |
| 2026.2.1 | Released 13-02-2026 |

Changelog

2024.6.1

  • CA208: Added this policy to require macOS device compliance.
  • CA207: Added this policy to explicitly block certain apps on any platform for the internals persona.
  • CA404: Added this policy to explicitly block certain apps on any platform for the guest persona.
  • CA103: Added this policy to enforce never-persistent browser sessions on any platform for the admins persona.
  • CA206: Added this policy to enforce never-persistent browser sessions on any platform for the internals persona.
  • CA403: Added this policy to enforce never-persistent browser sessions on any platform for the admins persona.
  • CA006: Added this policy to require App Protection on iOS and Android devices when accessing Exchange Online and SharePoint Online.
  • CA100: Added a few admin roles that require MFA.
  • CA101: Added a few admin roles that require MFA.

2025.2.1

  • CA104: Added Continuous Access Evaluation for admins
  • CA105: Added Phishing Resistant MFA for admins
  • CA209: Added Continuous Access Evaluation for internals

2025.2.2

  • CA206: The wrong exclusion group was assigned; this has been fixed.

2025.2.3

  • CA201: The policy combined sign-in risk and user risk in a single policy. These are now separated into CA201 and CA210.
  • CA210: New, separate policy for sign-in risk.

2026.2.1

  • CA501: Template policy for High Risk Agents adopted into the framework.
  • CA005: Changed the policy control from Require approved client app to RequireAppProtection, as the former is being retired as of March 2026.

Personas

Global

Global is a persona/placeholder for policies that are general in nature or that do not apply to a single persona only. It is used to define policies that apply to all personas, or that do not apply to one specific persona. The reason for having this persona is to have a model in which every relevant scenario can be protected: it holds the policies that apply to all users, and the policies that enforce protection for scenarios not covered by the policies of the other personas.

Admins

In this context we define admins as any non-guest identity (cloud-only or synced) that holds an Azure AD or other Microsoft 365 admin role (for example in MDCA, Exchange, Defender for Endpoint or Compliance). Guests who hold such roles are covered by a separate persona, so guests are excluded from this persona.

Internals

Internals cover all users who have an AD account synced to Azure AD who are em

View on GitHub
GitHub Stars: 268
Category: Development
Updated: 1d ago
Forks: 85

Security Score

90/100

Audited on Mar 27, 2026

No findings