Skip to content
Microsoft Entra ID Conditional Access

Microsoft Entra Conditional Access: Improve Microsoft 365 Security

Goal: help you reduce account takeover risk and protect data in Microsoft 365 with minimal user friction.

 

What Conditional Access (CA) does

CA evaluates sign-ins based on who the user is, what they’re accessing, device posture, location, and risk signals. It then decides to allow, challenge (e.g., MFA), or block. Think of it as guardrails that adapt to context.

 

 

Principles we recommend

  • Cover broadly, exempt narrowly. Start wide; carve out only what’s necessary.
  • Prefer posture over perimeter. Device compliance and identity risk beat IP allowlists.
  • Stage changes safely. Report-only → pilot → enforce.
  • Make it observable. Name policies clearly, log outcomes, and review regularly.

AB Computer’s baseline policy set

Use these as starting points and adjust to your environment.

 

  1. MFA for everyone
    • Include: All users.
    • Exclude: Two emergency (“break-glass”) Global Admin accounts.
    • Notes: Encourage strong factors (authenticator app, hardware keys where feasible).
  2. Harden admin roles and portals
    • Target: Admin roles and Microsoft admin portals (Entra, Exchange, Intune, M365 Admin).
    • Controls: Require MFA and a managed/compliant device (or trusted network for break-glass scenarios).
  3. Block legacy/basic authentication
    • Scope: Tenant-wide.
    • Why: Legacy protocols don’t support modern MFA and are a common entry point for attacks.
  4. Device-based access for sensitive data
    • Apps: SharePoint, OneDrive, Exchange, Teams, and any app with customer data.
    • Controls:
      • Managed devices: Full access (view/sync/download).
      • Unmanaged devices (BYOD): Web-only with download/copy restrictions where possible.
  5. Location-aware rules (supporting control)
    • Named locations: Define HQ/VPN egress IPs.
    • Optional: Block countries you never operate in.
    • Note: Do not rely on geo alone—pair with MFA/device posture.
  6. Session management
    • Sign-in frequency: Reasonable interval (e.g., 12–24 hours for web apps).
    • Persistent browser sessions: Limit for high-risk roles (admins, finance, HR).
  7. Secure MFA registration
    • Controls: Allow MFA registration only from trusted networks or compliant devices.
  8. Risk-based policies (if licensed)
    • Sign-in risk: Medium/High → require MFA; High → block or step-up plus remediation.
    • User risk: High → require secure password change.

 

Licensing note: Core CA typically needs Entra ID P1; risk-based controls require P2. Check your current subscriptions before enabling risk policies.

+1 (831) 422-13551215 N. Davis Rd., Salinas, CA 93907

Contact Us

Microsoft Dynamics 365, SharePoint, Cloud, ERP, Field Service, Finance and Operations, CRM and Marketing Consultant in California, Utah and Tennessee. Microsoft Gold Partner and Okta top 20 World-Wide Partner. © 2025 AB Computer a JourneyTEAM company. All Rights Reserved. Privacy Policy | Terms of Use
Website designed by AB Computer.
Entra Conditional Access: Secure Microsoft 365