Home About Tools Projects Guides & Blog ⚡ Hire Me ✦ Websites Contact →
☁ M365 Security

How to Set Up Conditional Access Policies in Microsoft 365

Published 20 March 2026
Jack Davies
10 min read

Conditional Access is one of the most important security controls available in Microsoft 365. It sits between your users and every cloud app in your tenant - deciding whether to allow access, require MFA, block entirely, or apply other conditions based on signals like sign-in risk, device compliance, location, and which app is being accessed.

A tenant with no Conditional Access policies is relying entirely on passwords to protect everything. Given how often credentials get stolen through phishing, that is not a position you want to be in. This guide walks through setting up the policies that matter most, in the right order, without locking anyone out in the process.

Contents
  1. How Conditional Access Works
  2. Before You Start
  3. Policy 1: Require MFA for All Users
  4. Policy 2: Block Legacy Authentication
  5. Policy 3: Block High-Risk Sign-Ins
  6. Policy 4: Require Compliant Device
  7. Policy 5: Protect Admin Accounts
  8. Always Use Report-Only Mode First

How Conditional Access Works

💡 Concepts

Every Conditional Access policy is built from the same structure: assignments (who and what the policy applies to) and access controls (what happens when the conditions are met). When a user signs in, Entra ID evaluates every enabled policy and applies the most restrictive grant control that matches.

Policies are evaluated at the point of authentication, not at set-up time. Adding a policy takes effect immediately for any new sign-in attempts - existing sessions are not affected until the token refreshes.

⚠️
Break-glass accounts
Before creating any Conditional Access policy, set up at least one break-glass admin account and exclude it from all policies. This is an emergency-only account with no MFA requirement, stored securely, used only if the tenant gets locked out. Without this, a misconfigured policy can lock every admin out of the tenant simultaneously.

Before You Start

📋 Prerequisites

Conditional Access requires Microsoft Entra ID P1 at minimum (included in Microsoft 365 Business Premium, E3, E5). Risk-based policies require P2 (E5 or Microsoft Entra ID P2 add-on).

Before enabling any policy in enforcement mode, confirm:

  • MFA registration is complete for all users (or at least near-complete). A policy requiring MFA will block anyone who has not registered yet.
  • You have a break-glass account excluded from all policies.
  • Service accounts and shared mailboxes used by automation are identified - they need separate handling or exclusions.

Policy 1: Require MFA for All Users

🔒 MFA Enforcement

This is the baseline. Every sign-in to any cloud app requires MFA unless already satisfied by a compliant device or other trusted signal.

entra.microsoft.comProtectionConditional AccessNew Policy
🔒
Require MFA - All Users
Applies to every cloud app sign-in
UsersExclude your break-glass account and any service accounts that cannot do MFA.
All users (excl. break-glass)
Target resources
All cloud apps
Conditions - Sign-in riskLeave unset to apply to all sign-ins regardless of risk level.
Not configured
Grant - Require multifactor authentication
Enabled
Session - Sign-in frequencyOptional: set to 1 hour for high-sensitivity environments. Default token lifetime applies otherwise.
Not configured
Enable policy
Report-only first

Policy 2: Block Legacy Authentication

🚫 Block Legacy Auth

Legacy authentication protocols (SMTP AUTH, IMAP, POP3, older Office clients) cannot perform MFA. Any attacker with a stolen password can authenticate through these protocols regardless of your MFA policy. Block them.

🚫
Block Legacy Authentication
Closes the MFA bypass used by credential stuffing attacks
Users
All users
Target resources
All cloud apps
Conditions - Client appsSelect: Exchange ActiveSync clients, Other clients
Legacy protocols only
Grant
Block access
⚠️
Check for legacy auth dependencies first
Use the Entra ID Sign-in logs filtered to "Other clients" or "Exchange ActiveSync" to identify who is still using legacy protocols before blocking. Old printers, scan-to-email devices, and legacy line-of-business applications are the most common offenders. Migrate them to modern auth or exclude their service accounts before enforcing the block.

Policy 3: Block High-Risk Sign-Ins

🚫 Risk Policy

Requires Entra ID P2. When Entra ID Identity Protection detects a high-risk sign-in (anonymous proxy, impossible travel, known malicious IP), block it outright or require MFA plus password change.

⚠️
Block High Sign-In Risk
Requires Entra ID P2
Users
All users
Target resources
All cloud apps
Conditions - Sign-in risk
High
GrantBlock completely. Legitimate high-risk detections can be dismissed manually in the Identity Protection portal.
Block access

Policy 4: Require Compliant Device

🛠️ Device Compliance

Requires Intune device compliance policies to be in place. Once configured, this policy only allows access to company resources from devices that pass compliance checks (BitLocker enabled, AV running, OS patch level met, etc.).

💻
Require Compliant or Hybrid-Joined Device
Pairs with Intune compliance policies
UsersStart with a pilot group, not all users. Expand once tested.
Pilot group first
Target resources
All cloud apps
Grant - Require device to be marked as compliant
Enabled
Grant - Require Hybrid Azure AD joined deviceEnable this too if you have on-premises domain-joined machines.
Enabled
Require one of the selected controls
Yes (either/or)

Policy 5: Protect Admin Accounts

🛡️ Admin Protection

Admin accounts are the highest-value target in any Microsoft 365 tenant. Apply stricter controls to anyone holding a privileged role - require a compliant device, no persistent browser sessions, and always-on MFA regardless of trusted location.

🛡️
Strict Controls for Privileged Roles
Applied to all directory roles - adjust to match your environment
Users - Include directory rolesGlobal Admin, Security Admin, Exchange Admin, SharePoint Admin, Teams Admin at minimum.
All privileged roles
Target resources
All cloud apps
Grant - Require MFA
Enabled
Grant - Require compliant device
Enabled
Session - Persistent browser sessionPrevents admins staying signed in across browser sessions.
Never persistent
Session - Sign-in frequency
Every 4 hours

Always Use Report-Only Mode First

✅ Testing

Every policy should be created in Report-only mode before switching to enforcement. Report-only evaluates what the policy would have done without actually blocking or requiring anything. Review the results in the Sign-in logs under the "Conditional Access" tab for each entry.

A typical test cycle: create in report-only, leave for 48-72 hours, review logs for unexpected blocks (look for legitimate users who would have been denied), adjust exclusions, then switch to On.

Use the What If tool
The What If tool in Conditional Access lets you simulate a specific sign-in scenario - choose a user, app, IP, device, and see exactly which policies would apply and what the result would be. Navigate to Conditional Access and click "What If" in the top toolbar. Use it before and after policy changes to confirm the behaviour is what you expect.
Conditional Access Microsoft 365 Entra ID MFA Zero Trust M365 Security
// monthly tips

Get M365 tips in your inbox

Practical Intune and Microsoft 365 tips, once a month. No spam, no fluff.