🔒 Cybersecurity

Conditional Access Policies Explained: Essential Policies for Every M365 Tenant

Conditional Access is the policy engine at the heart of Microsoft Entra ID. It lets you define the conditions under which a user is allowed to access a resource - and what they need to prove before they get in. It sits between the user's authentication attempt and the application they're trying to reach, evaluating signals in real time before granting or blocking access.

For any organisation using Microsoft 365, Conditional Access is the single most important security control you can configure. This guide covers what it is, how it works, and the essential policies every environment should have.

How Conditional Access Works


Every Conditional Access policy has three parts:

  • Assignments: who the policy applies to (users, groups, roles) and what it applies to (apps, actions, authentication contexts)
  • Conditions: when the policy triggers (device platform, location, sign-in risk, client app)
  • Grant controls: what the user must satisfy to get through (MFA, compliant device, approved app, etc.)

Policies are evaluated at sign-in time. If any Block policy matches, the user is blocked. If a Grant policy matches, they must satisfy its controls. If no policy matches, access is granted with no additional requirements - which is why having the right policies in place matters.

⚠️ Report-only mode first: always
Always create new Conditional Access policies in Report-only mode before enabling them. This lets you see which users would be affected without actually blocking anyone. Monitor the Sign-in logs for a few days before switching to Enabled.
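The evaluation rules above, as an added Python illustration (not Microsoft's evaluation engine and not code from this guide): policies are reduced to assignments, conditions, a grant control and a state, and a constructed sample tenant shows a matching Block winning over a matching Grant, a Grant adding its control, a break-glass exclusion producing plain access, and a Report-only policy being recorded without being enforced. Policy and user names are constructed.

```python
"""Minimal model of how a Conditional Access decision is reached at sign-in.

Added illustration, not Microsoft's engine. Decision rules as stated in the
guide: any matching Block wins; matching Grant policies add their controls;
no match means access with nothing extra; Report-only matches are logged only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    state: str                                 # "enabled", "report-only" or "disabled"
    grant: str                                 # "block", "mfa", "compliantDevice", ...
    users: set[str] | str = "All"              # assignment: named users, or "All"
    exclude_users: set[str] = field(default_factory=set)
    client_app_types: set[str] | None = None   # condition, e.g. {"exchangeActiveSync", "other"}
    sign_in_risk: set[str] | None = None       # condition, e.g. {"medium", "high"}


@dataclass
class SignIn:
    user: str
    client_app_type: str = "browser"
    risk: str = "none"


def applies(p: Policy, s: SignIn) -> bool:
    """A policy applies only when every assignment and condition matches."""
    if s.user in p.exclude_users:
        return False
    if p.users != "All" and s.user not in p.users:
        return False
    if p.client_app_types is not None and s.client_app_type not in p.client_app_types:
        return False
    if p.sign_in_risk is not None and s.risk not in p.sign_in_risk:
        return False
    return True


def evaluate(policies: list[Policy], s: SignIn) -> tuple[str, set[str], list[str]]:
    """Return (decision, required_controls, report_only_matches)."""
    required: set[str] = set()
    report_only: list[str] = []
    blocked = False
    for p in policies:
        if p.state == "disabled" or not applies(p, s):
            continue
        if p.state == "report-only":
            report_only.append(p.name)   # would have applied; visible in Sign-in logs only
            continue
        if p.grant == "block":
            blocked = True
        else:
            required.add(p.grant)
    if blocked:
        return "block", set(), report_only
    if required:
        return "grant", required, report_only
    return "allow", set(), report_only


# Constructed sample tenant: three enabled policies from the guide, the
# compliant-device policy still in report-only, break-glass excluded everywhere.
BREAK_GLASS = {"breakglass1", "breakglass2"}
POLICIES = [
    Policy("Block legacy authentication", "enabled", "block",
           exclude_users=BREAK_GLASS, client_app_types={"exchangeActiveSync", "other"}),
    Policy("Require MFA for all users", "enabled", "mfa", exclude_users=BREAK_GLASS),
    Policy("Block high risk sign-ins", "enabled", "block",
           exclude_users=BREAK_GLASS, sign_in_risk={"high"}),
    Policy("Require compliant device", "report-only", "compliantDevice",
           exclude_users=BREAK_GLASS),
]


def decide(user: str, client_app_type: str = "browser", risk: str = "none"):
    """Evaluate the sample tenant's policies for one constructed sign-in."""
    return evaluate(POLICIES, SignIn(user, client_app_type, risk))


if __name__ == "__main__":
    for case in [("alice",), ("alice", "other"), ("alice", "browser", "high"), ("breakglass1",)]:
        print(case, "->", decide(*case))
```

The third element of each result is what Report-only mode gives you: the compliant-device policy shows up against every ordinary sign-in without changing the outcome, which is exactly the signal to watch in the Sign-in logs before switching it to Enabled.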

Essential Policy 1: Require MFA for All Users


The most important policy. Requires multi-factor authentication for all cloud app sign-ins.

🔐 Require MFA: All Users - baseline protection for every sign-in
  • Users: All users (excl. break-glass). Target all users and exclude your break-glass emergency access accounts.
  • Target resources: All cloud apps
  • Grant: Require MFA
  • Policy state: Enabled

ℹ️ Break-glass accounts
Always maintain at least two emergency access (break-glass) accounts excluded from all Conditional Access policies. These are cloud-only Global Admin accounts with long random passwords, used only if you lock yourself out. Store credentials in a secure offline location.

Essential Policy 2: Require Compliant Device


Blocks access from devices that are not Intune-enrolled and compliant. This is essential once you have Intune compliance policies deployed - it enforces that devices must meet your standards before accessing corporate data.

💻 Require Compliant Device - block access from unmanaged or non-compliant devices
  • Users: All users (excl. guests). Target corporate users; exclude external guests and service accounts.
  • Target resources: All cloud apps
  • Grant (require one of): Compliant device OR Hybrid joined. Use the "Or" operator so that either an Intune-compliant device or a Microsoft Entra hybrid joined device satisfies the control.
  • Policy state: Enabled

Essential Policy 3: Block Legacy Authentication


Legacy authentication protocols (IMAP, POP3, SMTP AUTH, older Office clients) cannot perform MFA. Attackers specifically target these protocols because they bypass modern authentication controls entirely. This policy blocks them outright.

🚫 Block Legacy Authentication - eliminate the MFA-bypass attack surface
  • Users: All users
  • Target resources: All cloud apps
  • Conditions → Client apps: Exchange ActiveSync + Other clients
  • Grant: Block access
  • Policy state: Enabled

⚠️ Check for legacy auth usage first
Before enabling this policy, check the Entra Sign-in logs filtered to "Other clients" to see if any users or services are still using legacy protocols. Shared mailboxes and older line-of-business apps are common culprits. Run in Report-only mode for at least a week first.

Essential Policy 4: Require MFA for Admins


Privileged accounts are the highest-value target for attackers. This policy requires MFA specifically for users with admin roles - even stricter than the baseline MFA policy, as it can require phishing-resistant MFA methods like FIDO2 keys.

👑 MFA for Admins - enforce strong auth for all privileged roles
  • Users (include roles): All admin roles. Select all relevant admin roles; at minimum Global Admin, Security Admin, Privileged Role Admin, Exchange Admin, SharePoint Admin.
  • Target resources: All cloud apps
  • Grant: Require authentication strength: MFA
  • Policy state: Enabled

Sign-in Risk Policies


If you have Microsoft Entra ID P2, you can create risk-based policies that automatically respond to suspicious sign-in behaviour detected by Microsoft's threat intelligence. These are some of the most powerful controls available.

⚠️ High Risk Sign-in → Block (requires Entra ID P2)
  • Users: All users
  • Conditions → Sign-in risk: High
  • Grant: Block access

⚠️ Medium Risk Sign-in → Require MFA (requires Entra ID P2)
  • Users: All users
  • Conditions → Sign-in risk: Medium and above
  • Grant: Require MFA

Named Locations


Named Locations let you define trusted IP ranges (like your office network) and use them as conditions in policies. For example, you might require MFA only from outside the office, or block sign-ins from countries you don't operate in.

Once created, you can use locations as conditions - for example, blocking access from outside the UK entirely, or only requiring MFA when a user signs in from an unknown location.

Recommended deployment order

Deploy policies in this order to minimise disruption:
  1) Block legacy auth
  2) Require MFA for admins
  3) Require MFA for all users
  4) Require compliant device
  5) Risk-based policies
Run each one in Report-only mode first, then enable it after monitoring for 5–7 days.
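As an added example that is not the author's or Microsoft's code, the following Python builds Microsoft Graph request bodies for Essential Policies 1 to 4, the two risk-based policies and a location-based block as described under Named Locations, in the rollout order just given, and runs a pre-flight check over them before anything is created. Assumptions: the bodies are the JSON a `POST` to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (or `New-MgIdentityConditionalAccessPolicy -BodyParameter`) expects; the directory role template IDs and the built-in "Multifactor authentication" strength ID are taken from Microsoft's published built-in lists and should be confirmed in your tenant; `GuestsOrExternalUsers` as an `excludeUsers` value is assumed; the break-glass object IDs, the location ID and the office IP range are constructed placeholders.

```python
"""Microsoft Graph request bodies for the policies in this guide, plus a
pre-flight check to run before creating them.

Added example, not the author's or Microsoft's code. Each dict in POLICIES is a
conditionalAccessPolicy body for POST .../identity/conditionalAccess/policies.
All start in report-only state; the list follows the guide's rollout order.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph's name for Report-only
# Constructed placeholders: replace with the object IDs of your break-glass accounts.
BREAK_GLASS = ["<break-glass-1-object-id>", "<break-glass-2-object-id>"]
# Built-in directory role template IDs (assumed from Microsoft's published list;
# confirm in your tenant before use).
ADMIN_ROLES = [
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",  # SharePoint Administrator
]
# Built-in "Multifactor authentication" authentication strength (assumed ID).
MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000002"


def policy(name, grant, users=("All",), roles=(), exclude=tuple(BREAK_GLASS), **conditions):
    """One policy body: all cloud apps, report-only, break-glass excluded by
    default. Extra keyword arguments become further `conditions` entries."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": list(users), "includeRoles": list(roles),
                      "excludeUsers": list(exclude)},
            "applications": {"includeApplications": ["All"]},
            **conditions,
        },
        "grantControls": {"operator": "OR", **grant},
    }


POLICIES = [  # the guide's deployment order
    policy("CA001 - Block legacy authentication", {"builtInControls": ["block"]},
           clientAppTypes=["exchangeActiveSync", "other"]),
    policy("CA002 - Require MFA for admins",
           {"authenticationStrength": {"id": MFA_STRENGTH_ID}}, users=(), roles=ADMIN_ROLES),
    policy("CA003 - Require MFA for all users", {"builtInControls": ["mfa"]}),
    policy("CA004 - Require compliant or hybrid joined device",
           {"builtInControls": ["compliantDevice", "domainJoinedDevice"]},
           exclude=BREAK_GLASS + ["GuestsOrExternalUsers"]),   # assumed alias for guests
    policy("CA005 - Block high risk sign-ins", {"builtInControls": ["block"]},
           signInRiskLevels=["high"]),
    policy("CA006 - Require MFA at medium risk and above", {"builtInControls": ["mfa"]},
           signInRiskLevels=["medium", "high"]),
]

# Named locations are created first (POST .../identity/conditionalAccess/namedLocations)
# and referenced by the id Graph returns. 203.0.113.0/24 is a constructed example range.
OFFICE_LOCATION = {
    "@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Head office",
    "isTrusted": True,
    "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}],
}
UK_LOCATION = {
    "@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": "United Kingdom",
    "countriesAndRegions": ["GB"], "includeUnknownCountriesAndRegions": False,
}


def block_outside(location_id):
    """Block policy for every location except the named one (e.g. the UK)."""
    return policy("CA007 - Block sign-ins from outside the UK", {"builtInControls": ["block"]},
                  locations={"includeLocations": ["All"], "excludeLocations": [location_id]})


CONDITION_KEYS = {"clientAppTypes", "signInRiskLevels", "locations", "platforms"}


def preflight(policies):
    """Findings that should stop a rollout: not report-only, break-glass not
    excluded, or a Block with no condition (it would lock the whole tenant out)."""
    findings = []
    for p in policies:
        name, cond = p["displayName"], p["conditions"]
        if p["state"] != REPORT_ONLY:
            findings.append(f"{name}: create in report-only mode first")
        if not set(BREAK_GLASS) <= set(cond["users"]["excludeUsers"]):
            findings.append(f"{name}: break-glass accounts are not excluded")
        if "block" in p["grantControls"].get("builtInControls", []) and not CONDITION_KEYS & set(cond):
            findings.append(f"{name}: unconditional Block would lock everyone out")
    return findings


if __name__ == "__main__":
    print(preflight(POLICIES) or "pre-flight clean")
    print(json.dumps(POLICIES[0], indent=2))
```

Keeping the state in the body fixed to report-only means the switch to Enabled is a separate, deliberate PATCH after the monitoring period, and the pre-flight check catches the two mistakes that cause real lock-outs: forgetting the break-glass exclusion and creating a Block policy whose only scope is "all users, all apps".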
Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
