IT Hub

Best Practices for Conditional Access Policy in Microsoft Tools

Reco Security Experts
June 6, 2024
June 6, 2024

Best Practices for Configuring Conditional Access Policy in Microsoft Tools

Conditional Access policies are pivotal in today's digital landscape to ensure secure access to organizational resources. They provide granular control over who can access what, from where, and under what conditions. Effectively configuring these policies is essential to maintaining a robust security posture.

Building Your Policy

A Conditional Access policy is an if-then statement involving assignments and access controls. It brings signals together to make decisions and enforce organizational policies.

How Does an Organization Create These Policies? What is Required? How are They Applied?

Multiple Conditional Access policies might apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires MFA and another requires a compliant device, you must complete MFA and use a compliant device. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy.

If a policy where "Require one of the selected controls" is selected, we prompt in the order defined, as soon as the policy requirements are satisfied, access is granted.

All policies are enforced in two phases:

Phase 1: Collect session details

  • Gather session details, like network location and device identity, necessary for policy evaluation.
  • Phase 1 of policy evaluation occurs for enabled policies and those in report-only mode.

Phase 2: Enforcement

  • Use the session details gathered in phase 1 to identify any requirements that aren't met.
  • If a policy is configured with the block grant control, enforcement stops here, and the user is blocked.
  • The user is prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order until the policy is satisfied. These requirements include:
    • MFA
    • Device to be marked as compliant
    • Microsoft Entra hybrid joined device
    • Approved client app
    • App protection policy
    • Password change
    • Terms of use
    • Custom controls
  • Once all grant controls are satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and Token Lifetime)

Phase 2 of policy evaluation occurs for all enabled policies.


The assignments portion controls the who, what, and where of the Conditional Access policy.

Users and groups

Users and groups assign who the policy includes or excludes when applied. This assignment can include all users, specific groups of users, directory roles, or external guest users.

Target resources

Target resources can include or exclude cloud applications, user actions, or authentication contexts that are subjected to the policy.


Network contains IP addresses, geographies, and a Global Secure Access compliant network to Conditional Access policy decisions. Administrators can choose to define locations and mark some as trusted, like those for their organization's primary network locations.


A policy can contain multiple conditions.

risk

For organizations with Microsoft Entra ID Protection, the risk detections generated there can influence your Conditional Access policies.

Device platforms

Organizations with multiple device operating system platforms might enforce specific policies on different platforms. The information used to calculate the device platform comes from unverified sources, such as user agent strings that can be changed.

Client apps

The software the user is employing to access the cloud app, for example, 'Browser' and 'Mobile apps and desktop clients'. By default, all newly created Conditional Access policies apply to all client app types even if the client app's condition isn't configured.

Filter for devices

This control allows targeting specific devices based on their attributes in a policy.

Access controls

The access controls portion of the Conditional Access policy controls how a policy is enforced.

Block access

Block access does just that, and it blocks access under the specified assignments. The block control is powerful and should be wielded with the appropriate knowledge.

Grant access

Grants provide administrators with a means of policy enforcement where they can block or grant access. The grant control can trigger the enforcement of one or more controls.

  • Require MFA
  • Require the device to be marked as compliant (Intune)
  • Require Microsoft Entra hybrid joined device
  • Require approved client app
  • Require an app protection policy
  • Require password change
  • Require terms of use

Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.

  • Require all the selected controls (control and control)
  • Require one of the selected controls (control or control)


Session controls can limit the users’ experience.

  • Use app-enforced restrictions
    1. Currently works with Exchange Online and SharePoint Online only.
    2. Passes device information to allow control of experience, granting full or limited access.
  • Use Conditional Access App Control
    1. Uses signals from Microsoft Defender for Cloud Apps to do things like:
      • Block download, cut, copy, and print of sensitive documents.
      • Monitor risky session behavior.
      • Require labeling of sensitive files.
  • Sign-in frequency
    1. Ability to change the default sign-in frequency for modern authentication.
  • Persistent browser session
    1. Allows users to remain signed in after closing and reopening their browser window.
  • Customize continuous access evaluation
  • Disable resilience defaults

Simple policies

A Conditional Access policy must contain, at minimum, the following to be enforced:

  • Name of the policy.
  • Assignments
    • Users and/or groups to apply the policy to.
    • Cloud apps or actions to apply the policy to.
  • Access controls
    • Grant or Block controls

Best Practices for Conditional Access Policy in Microsoft Tools

1. Define Clear Objectives

Before diving into configuring Conditional Access policies, it's crucial to establish clear objectives. Identify what assets need protection, potential threats, and compliance requirements. Understanding these factors helps tailor policies to specific needs, ensuring they align with organizational goals.

2. Start with a Risk Assessment

Conduct a comprehensive risk assessment to identify potential vulnerabilities and threats. Understand the sensitivity of data and the impact of unauthorized access. This assessment serves as a foundation for designing policies that mitigate identified risks effectively.

3. Embrace the Principle of Least Privilege

Adopt the principle of least privilege when designing access policies. Grant users the minimum level of access required to perform their duties effectively. This approach minimizes the attack surface and reduces the potential impact of security breaches.

4. Leverage Multi-Factor Authentication (MFA)

Require MFA for accessing sensitive resources, especially from unfamiliar locations or devices. MFA adds an extra layer of security by verifying user identity through multiple factors such as passwords, biometrics, or tokens, significantly reducing the risk of unauthorized access.

5. Implement Conditional Access Based on Risk

Use risk-based Conditional Access policies to dynamically adjust access controls based on the perceived risk level. Factors such as user location, device health, and behavior patterns can influence access decisions. This adaptive approach enhances security without unduly restricting user productivity.

6. Consider User Experience

While prioritizing security, it's essential to maintain a balance with user experience. Configure policies that seamlessly integrate into users' workflows without causing unnecessary friction. Avoid overly restrictive policies that hinder productivity or lead to user frustration.

7. Monitor and Review Regularly

Security is an ongoing process, not a one-time task. Establish a regular cadence for monitoring and reviewing Conditional Access policies. Analyze access logs, user feedback, and security incidents to identify potential gaps or areas for improvement. Adjust policies accordingly to address evolving threats and business requirements.

8. Educate Users

Invest in user education and awareness programs to ensure employees understand the importance of Conditional Access policies. Provide training on recognizing phishing attempts, the significance of MFA, and best practices for secure access. A well-informed user base is an invaluable asset in maintaining a secure environment.

9. Test Policies in a Staged Environment

Before deploying new or modified policies into production, conduct thorough testing in a staged environment. Simulate different scenarios to assess the impact of policies on user access and system behavior. This testing helps identify any unintended consequences or compatibility issues before implementation.

10. Stay Updated with Industry Trends

The threat landscape is constantly evolving, with new vulnerabilities and attack vectors emerging regularly. Stay abreast of industry trends, security advisories, and best practices to adapt Conditional Access policies accordingly. Engage with security communities and participate in relevant forums to exchange knowledge and insights.


Configuring effective Conditional Access policies is essential for protecting organizational assets in today's dynamic threat landscape. By following best practices such as defining clear objectives, conducting risk assessments, and embracing the principle of least privilege, organizations can enhance their security posture while maintaining user productivity. Regular monitoring, user education, and staying updated with industry trends are key to ensuring the continued effectiveness of these policies in mitigating evolving threats.

Explore More
See more articles from our Hub