Conditional Access Policies
Configuring Entra ID Conditional Access for secure authentication.
How It Works
Conditional Access policies in Microsoft Entra ID act as if-then statements: if a user wants to access a resource, then they must complete an action. Policies evaluate signals like user identity, device compliance, location, and real-time risk level to make access decisions.
Common Policies
- Require MFA for all users accessing cloud applications
- Block legacy authentication protocols (POP, IMAP, SMTP basic auth)
- Require compliant or Hybrid Azure AD joined devices
- Restrict sign-ins from untrusted or anonymous locations
- Require app protection policies on mobile devices
- Force password change when user risk is detected as high
Warning
Always deploy policies in report-only mode first to assess impact before switching to enforcement. A misconfigured policy can lock out your entire organisation — including administrators.
Tip
Create a "break glass" emergency access account that is excluded from all Conditional Access policies. Store its credentials securely and monitor its sign-in logs with alerts.
Managing Policies with PowerShell
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, CreatedDateTime |
Format-Table -AutoSize
Backup and Version Control
Regularly export your Conditional Access policies to JSON so you have a backup and an audit trail of changes over time. Store the exports in a version-controlled repository.
$policies = Get-MgIdentityConditionalAccessPolicy
# Make sure the backup folder exists before writing into it.
New-Item -ItemType Directory -Path "C:\CA_Backup" -Force | Out-Null
foreach ($policy in $policies) {
    # A display name can contain characters that are invalid in a file name
    # (slashes, colons, quotes, etc.); replace them before building the path.
    $safeName = $policy.DisplayName -replace '[\\/:*?"<>|]', '_'
    $policy | ConvertTo-Json -Depth 10 |
        Out-File "C:\CA_Backup\$safeName.json"
}
Tip
Use the "What If" tool in the Entra portal to simulate how a specific user, device, and location combination would be evaluated against your policies before making changes.
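The report-only deployment and break-glass exclusion recommended above, as an added example that is not from the original page: it creates the "Require MFA for all users" policy in report-only mode with the emergency access account excluded, then audits every policy for that exclusion. It uses the Microsoft Graph PowerShell module; the policy name and the $BreakGlassId object ID are placeholders you must replace.

```powershell
# Added example (not the page's own code). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Assumption: object ID of the break-glass account (placeholder value).
$BreakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"
    # Report-only first; switch to "enabled" only after reviewing the impact
    # in the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassId)   # never lock out the emergency account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Audit: report every policy that does not exclude the break-glass account.
$missing = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $BreakGlassId }
if ($missing) {
    "Policies missing the break-glass exclusion:"
    $missing | Select-Object DisplayName, State | Format-Table -AutoSize
} else {
    "All policies exclude the break-glass account."
}
```

Run the audit part on its own after every policy change so the exclusion is verified rather than assumed.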