99.9%
Reduction in account compromise risk for accounts with MFA enabled: Microsoft's internal telemetry from millions of accounts
Legacy auth
Authentication protocols (SMTP, IMAP, POP3, older Office clients) that cannot perform MFA: blocking them closes the most common M365 account takeover vector
Report-only
Conditional Access mode that logs what would happen without enforcing: use for all new policies before switching to Enforce to avoid unexpected lockouts
Break-glass
Emergency admin accounts excluded from all CA policies: required before enabling any policies that could lock out all administrators

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Azure Conditional Access is powerful but ships with nothing configured. A freshly created Microsoft 365 tenant allows sign-in from any device, any location, using any protocol: including legacy protocols that cannot enforce MFA and are the primary vector for Business Email Compromise.

Deploying Conditional Access policies incorrectly locks out administrators. Deploying them correctly takes a specific sequence: create break-glass accounts first, deploy in Report-Only mode, review the sign-in logs, then switch to Enforce.

Before Any Policy: Create Break-Glass Accounts

Break-glass accounts are emergency admin accounts excluded from all Conditional Access policies. If you misconfigure a policy that blocks all admin access, break-glass accounts let you recover without a Microsoft support ticket.

# Create two break-glass accounts in the tenant
# PowerShell with Microsoft.Graph module:
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All"

$breakGlass1 = New-MgUser -DisplayName "Break Glass 01" \
  -UserPrincipalName "breakglass01@yourdomain.onmicrosoft.com" \
  -AccountEnabled $true \
  -PasswordProfile @{
    Password = (New-Guid).ToString() + (New-Guid).ToString()  # Very long random password
    ForceChangePasswordNextSignIn = $false
  } \
  -PasswordPolicies "DisablePasswordExpiration"

# Assign Global Administrator role
New-MgDirectoryRoleMemberByRef \
  -DirectoryRoleId $(Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id \
  -OdataId "https://graph.microsoft.com/v1.0/users/$($breakGlass1.Id)"

Break-glass account requirements:

  • Use the .onmicrosoft.com domain (not federated: available even if federation breaks)
  • No MFA registered: these accounts need to bypass MFA if MFA is broken
  • Passwords stored in a physical safe, not a password manager (which may also be inaccessible during an incident)
  • Monitor any sign-in to these accounts immediately: their use indicates an emergency or a breach
  • Create a named location for the specific IP of the physical office safe location (optional but useful)

Create a break-glass exclusion group: Add both break-glass accounts to a group named "CA-Exclusion-Break-Glass" and exclude this group from every Conditional Access policy you create.

Policy 1: Require MFA for All Users

This is the highest-impact policy in any Entra ID tenant. Deploy it in Report-Only first.

Portal path: Entra ID > Protection > Conditional Access > New policy

Policy: Require MFA for All Users
State: Report-only (switch to On after review)

Assignments:
  Users: All users
  Exclude: CA-Exclusion-Break-Glass group
  Exclude: Directory Synchronization Accounts (service accounts for AD Connect)
  Cloud apps: All cloud apps
  Conditions: (none: apply to all sign-ins)

Access controls > Grant:
  Grant access
  Require multifactor authentication: Checked
  Require all selected controls

Session: (leave default)

PowerShell alternative:

$policyParams = @{
  DisplayName = "Require MFA for All Users"
  State = "enabledForReportingButNotEnforced"  # Report-only
  Conditions = @{
    Users = @{
      IncludeUsers = @("All")
      ExcludeGroups = @($breakGlassGroupId)
    }
    Applications = @{
      IncludeApplications = @("All")
    }
  }
  GrantControls = @{
    Operator = "OR"
    BuiltInControls = @("mfa")
  }
}
New-MgIdentityConditionalAccessPolicy @policyParams

Review report-only sign-in logs before enforcing:

Entra ID > Sign-in logs > Filter: CA policy = Require MFA for All Users > Result = Report-only: would fail

For each failure:
- Identify the user and app
- If it is a service account → add to exclusion group with justification
- If it is a legitimate user with no MFA registered → initiate MFA registration campaign
- If it is a shared mailbox → shared mailboxes should use app-only authentication, not user passwords
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Policy 2: Block Legacy Authentication

Legacy authentication protocols (SMTP AUTH, IMAP, POP3, older ActiveSync, older Office clients) cannot perform MFA. Attackers use credential-stuffing tools that specifically target these endpoints because even accounts with MFA can be compromised via legacy auth.

Policy: Block Legacy Authentication
State: Report-only (then On after 1-2 weeks of review)

Assignments:
  Users: All users
  Exclude: CA-Exclusion-Break-Glass
  Cloud apps: All cloud apps
  Conditions:
    Client apps:
      Exchange ActiveSync clients: Checked
      Other clients: Checked
      (Leave Browser and Mobile apps/Desktop apps unchecked: these support modern auth)

Access controls > Grant:
  Block access

Identify legacy auth usage before blocking:

# Find all sign-ins using legacy auth protocols in the last 30 days
Connect-MgGraph -Scopes "AuditLog.Read.All"
$startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'" \
  -Top 200 | 
  Group-Object UserPrincipalName, ClientAppUsed | 
  Select-Object Count, Name | Sort-Object Count -Descending

Common legacy auth sources to investigate:

  • Printers and MFPs sending scan-to-email via SMTP AUTH
  • Legacy line-of-business applications using Exchange
  • Old mobile devices using Basic Auth for Exchange
  • Scripts using EWS with username/password

For each: migrate to app passwords, OAuth client credentials, or modern auth before enforcing the block.

Policies 3-5: Admin Protection, Device Compliance, Risk-Based

Policy 3: Require Phishing-Resistant MFA for Admins

Admin accounts should use stronger MFA than regular users: hardware FIDO2 keys or Windows Hello for Business, not SMS or TOTP apps:

Policy: Require Phishing-Resistant MFA for Admin Roles
State: Report-only → On

Assignments:
  Users:
    Include: Directory roles:
      Global Administrator, Privileged Role Administrator,
      Security Administrator, Exchange Administrator,
      SharePoint Administrator, Compliance Administrator,
      Conditional Access Administrator, Application Administrator
  Exclude: CA-Exclusion-Break-Glass
  Cloud apps: All cloud apps

Access controls > Grant:
  Grant access
  Require authentication strength: Phishing-resistant MFA
  (Options: Windows Hello for Business, FIDO2 security keys, Certificate-based auth)

Policy 4: Require Compliant Device for Sensitive Apps

Policy: Require Compliant Device for Microsoft 365
State: Report-only → On

Assignments:
  Users: All users
  Exclude: CA-Exclusion-Break-Glass
  Cloud apps:
    Select apps: Office 365, Microsoft Azure Management
  Conditions:
    Device platforms: Windows, macOS, iOS, Android

Access controls > Grant:
  Require device to be marked as compliant (Intune) OR
  Require Hybrid Azure AD joined device
  Require one of selected controls

Policy 5: Block High-Risk Sign-Ins (Requires Entra ID P2)

Policy: Block or Require MFA for Risky Sign-Ins
State: Report-only → On

Assignments:
  Users: All users
  Exclude: CA-Exclusion-Break-Glass
  Cloud apps: All cloud apps
  Conditions:
    Sign-in risk: High (block), Medium (require MFA)
    User risk: High (require password change + MFA)

Access controls:
  For High sign-in risk: Block access
  For Medium sign-in risk: Require MFA
  For High user risk: Grant access + Require MFA + Require password change

Sign-in risk signals include:

  • Anonymous IP address (Tor, known VPN exit nodes)
  • Atypical travel (impossible travel: logged in from London and New York within 2 hours)
  • Malware-linked IP address
  • Unfamiliar sign-in properties (new device, new location)
  • Leaked credentials (MSFT monitors breach databases for matching credentials)

Deployment sequence summary:

  1. Create break-glass accounts and exclusion group
  2. Deploy all policies in Report-Only
  3. Review sign-in logs for 1-2 weeks, fix service accounts and legacy auth
  4. Enable Block Legacy Auth → monitor 1 week
  5. Enable Require MFA for All Users
  6. Enable Admin policies
  7. Enable device compliance (after Intune enrollment is complete)
  8. Enable risk-based policies (if P2 licensed)

The bottom line

Azure Conditional Access ships with no policies configured: the entire enforcement model requires intentional setup. Deploy in this sequence: create break-glass emergency accounts excluded from all policies, deploy each policy in Report-Only mode first, review sign-in logs to identify service accounts and legacy auth sources, then enable policies one at a time. The five essential policies: require MFA for all users, block legacy authentication (closes the biggest account takeover vector), require phishing-resistant MFA for admin roles, require compliant devices for Microsoft 365, and block high-risk sign-ins (requires P2 licensing).

Frequently asked questions

What Azure Conditional Access policies should every organization have?

Five baseline policies: require MFA for all users, block legacy authentication protocols (SMTP, IMAP, POP3, older clients that cannot do MFA), require phishing-resistant MFA for administrator roles, require Intune-compliant or Hybrid Azure AD joined devices for Microsoft 365 access, and block high-risk sign-ins (requires Entra ID P2). Deploy all in Report-Only mode first, review sign-in logs for unintended impacts, then enforce.

What is a break-glass account in Azure AD?

A break-glass account is an emergency administrator account excluded from all Conditional Access policies: used when a misconfigured policy blocks all admin access. Requirements: use the .onmicrosoft.com domain (not federated), have no MFA registered, store the password in a physical safe, and monitor any sign-in to these accounts immediately (their use signals either an emergency or a breach).

What Azure Conditional Access policies should every organization enable?

Five baseline Conditional Access policies for every Microsoft 365 tenant: (1) Require MFA for all users (including admins); (2) Block legacy authentication (ActiveSync, SMTP AUTH, IMAP, POP) — these cannot support MFA; (3) Require compliant or hybrid-joined device for accessing corporate resources; (4) Require MFA for Azure management (protects Azure portal and CLI access); (5) Sign-in risk-based policy using Identity Protection — require MFA step-up or block on medium/high risk sign-ins. Start in report-only mode for each policy to understand impact before enabling. Deploy them in order: MFA first, then legacy auth block, then device compliance.

How do I block legacy authentication in Microsoft 365?

Legacy authentication protocols (SMTP AUTH, Exchange ActiveSync, IMAP, POP3, Outlook 2010/2013 without modern auth) cannot perform MFA: they are a primary attack vector for credential stuffing and password spray. Block via Conditional Access: create a policy targeting 'Exchange ActiveSync clients' and 'Other clients' (the other clients condition covers SMTP AUTH, IMAP, POP) with an action of Block. Before enabling, check the Entra ID sign-in logs filtered by 'Client app: Legacy Authentication Clients' to identify users and services still using legacy auth. Common legacy auth consumers: shared mailboxes used by scripts, older Outlook versions, on-premises systems forwarding email via SMTP AUTH.

What is Conditional Access named locations and how do I use it?

Named locations are trusted IP ranges or country/region lists you define in Entra ID for use in Conditional Access policies. Use cases: require MFA for sign-ins from outside corporate office IP ranges (trusted location = your IP, untrusted = everywhere else); block sign-ins from countries where your organization has no employees; allow legacy auth only from on-premises IP ranges where legacy systems live. Configure in Entra ID > Security > Conditional Access > Named locations. For country-based blocking, use the 'Countries and Regions' location type. Note: VPN usage, traveling employees, and remote work all generate sign-ins from 'untrusted' locations — design policies to require MFA from untrusted locations rather than outright block.

How do I audit which service accounts and shared mailboxes are excluded from Conditional Access MFA policies?

Pull the exclusion list directly from the Conditional Access policy via Microsoft Graph: Connect-MgGraph with Policy.Read.All scope, then run Get-MgIdentityConditionalAccessPolicy and inspect each policy's Conditions.Users.ExcludeGroups and ExcludeUsers arrays. Expand group memberships recursively to get the full set of excluded principals. For each excluded account, verify it has a documented justification and review date -- exclusions without documentation are a common audit finding. Service accounts should use workload identity federation or managed identities rather than password-based exclusions where possible; shared mailboxes should be converted to resource mailboxes that block interactive sign-in (Set-MsolUser -BlockCredential $true) rather than being excluded from CA policies. Schedule a quarterly review of all excluded principals and remove any that no longer require the exclusion.

Sources & references

  1. Microsoft: Conditional Access Best Practices
  2. Microsoft: Common Conditional Access Policies
  3. Microsoft Secure Score: Conditional Access Recommendations

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.