Azure Conditional Access Policies: The Settings That Actually Matter for Security

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Azure Conditional Access is powerful but ships with nothing configured. A freshly created Microsoft 365 tenant allows sign-in from any device, any location, using any protocol: including legacy protocols that cannot enforce MFA and are the primary vector for Business Email Compromise.
Deploying Conditional Access policies incorrectly locks out administrators. Deploying them correctly takes a specific sequence: create break-glass accounts first, deploy in Report-Only mode, review the sign-in logs, then switch to Enforce.
Before Any Policy: Create Break-Glass Accounts
Break-glass accounts are emergency admin accounts excluded from all Conditional Access policies. If you misconfigure a policy that blocks all admin access, break-glass accounts let you recover without a Microsoft support ticket.
# Create two break-glass accounts in the tenant
# PowerShell with Microsoft.Graph module:
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All"
$breakGlass1 = New-MgUser -DisplayName "Break Glass 01" \
-UserPrincipalName "breakglass01@yourdomain.onmicrosoft.com" \
-AccountEnabled $true \
-PasswordProfile @{
Password = (New-Guid).ToString() + (New-Guid).ToString() # Very long random password
ForceChangePasswordNextSignIn = $false
} \
-PasswordPolicies "DisablePasswordExpiration"
# Assign Global Administrator role
New-MgDirectoryRoleMemberByRef \
-DirectoryRoleId $(Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id \
-OdataId "https://graph.microsoft.com/v1.0/users/$($breakGlass1.Id)"
Break-glass account requirements:
- Use the .onmicrosoft.com domain (not federated: available even if federation breaks)
- No MFA registered: these accounts need to bypass MFA if MFA is broken
- Passwords stored in a physical safe, not a password manager (which may also be inaccessible during an incident)
- Monitor any sign-in to these accounts immediately: their use indicates an emergency or a breach
- Create a named location for the specific IP of the physical office safe location (optional but useful)
Create a break-glass exclusion group: Add both break-glass accounts to a group named "CA-Exclusion-Break-Glass" and exclude this group from every Conditional Access policy you create.
Policy 1: Require MFA for All Users
This is the highest-impact policy in any Entra ID tenant. Deploy it in Report-Only first.
Portal path: Entra ID > Protection > Conditional Access > New policy
Policy: Require MFA for All Users
State: Report-only (switch to On after review)
Assignments:
Users: All users
Exclude: CA-Exclusion-Break-Glass group
Exclude: Directory Synchronization Accounts (service accounts for AD Connect)
Cloud apps: All cloud apps
Conditions: (none: apply to all sign-ins)
Access controls > Grant:
Grant access
Require multifactor authentication: Checked
Require all selected controls
Session: (leave default)
PowerShell alternative:
$policyParams = @{
DisplayName = "Require MFA for All Users"
State = "enabledForReportingButNotEnforced" # Report-only
Conditions = @{
Users = @{
IncludeUsers = @("All")
ExcludeGroups = @($breakGlassGroupId)
}
Applications = @{
IncludeApplications = @("All")
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @("mfa")
}
}
New-MgIdentityConditionalAccessPolicy @policyParams
Review report-only sign-in logs before enforcing:
Entra ID > Sign-in logs > Filter: CA policy = Require MFA for All Users > Result = Report-only: would fail
For each failure:
- Identify the user and app
- If it is a service account → add to exclusion group with justification
- If it is a legitimate user with no MFA registered → initiate MFA registration campaign
- If it is a shared mailbox → shared mailboxes should use app-only authentication, not user passwords
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Policy 2: Block Legacy Authentication
Legacy authentication protocols (SMTP AUTH, IMAP, POP3, older ActiveSync, older Office clients) cannot perform MFA. Attackers use credential-stuffing tools that specifically target these endpoints because even accounts with MFA can be compromised via legacy auth.
Policy: Block Legacy Authentication
State: Report-only (then On after 1-2 weeks of review)
Assignments:
Users: All users
Exclude: CA-Exclusion-Break-Glass
Cloud apps: All cloud apps
Conditions:
Client apps:
Exchange ActiveSync clients: Checked
Other clients: Checked
(Leave Browser and Mobile apps/Desktop apps unchecked: these support modern auth)
Access controls > Grant:
Block access
Identify legacy auth usage before blocking:
# Find all sign-ins using legacy auth protocols in the last 30 days
Connect-MgGraph -Scopes "AuditLog.Read.All"
$startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'" \
-Top 200 |
Group-Object UserPrincipalName, ClientAppUsed |
Select-Object Count, Name | Sort-Object Count -Descending
Common legacy auth sources to investigate:
- Printers and MFPs sending scan-to-email via SMTP AUTH
- Legacy line-of-business applications using Exchange
- Old mobile devices using Basic Auth for Exchange
- Scripts using EWS with username/password
For each: migrate to app passwords, OAuth client credentials, or modern auth before enforcing the block.
Policies 3-5: Admin Protection, Device Compliance, Risk-Based
Policy 3: Require Phishing-Resistant MFA for Admins
Admin accounts should use stronger MFA than regular users: hardware FIDO2 keys or Windows Hello for Business, not SMS or TOTP apps:
Policy: Require Phishing-Resistant MFA for Admin Roles
State: Report-only → On
Assignments:
Users:
Include: Directory roles:
Global Administrator, Privileged Role Administrator,
Security Administrator, Exchange Administrator,
SharePoint Administrator, Compliance Administrator,
Conditional Access Administrator, Application Administrator
Exclude: CA-Exclusion-Break-Glass
Cloud apps: All cloud apps
Access controls > Grant:
Grant access
Require authentication strength: Phishing-resistant MFA
(Options: Windows Hello for Business, FIDO2 security keys, Certificate-based auth)
Policy 4: Require Compliant Device for Sensitive Apps
Policy: Require Compliant Device for Microsoft 365
State: Report-only → On
Assignments:
Users: All users
Exclude: CA-Exclusion-Break-Glass
Cloud apps:
Select apps: Office 365, Microsoft Azure Management
Conditions:
Device platforms: Windows, macOS, iOS, Android
Access controls > Grant:
Require device to be marked as compliant (Intune) OR
Require Hybrid Azure AD joined device
Require one of selected controls
Policy 5: Block High-Risk Sign-Ins (Requires Entra ID P2)
Policy: Block or Require MFA for Risky Sign-Ins
State: Report-only → On
Assignments:
Users: All users
Exclude: CA-Exclusion-Break-Glass
Cloud apps: All cloud apps
Conditions:
Sign-in risk: High (block), Medium (require MFA)
User risk: High (require password change + MFA)
Access controls:
For High sign-in risk: Block access
For Medium sign-in risk: Require MFA
For High user risk: Grant access + Require MFA + Require password change
Sign-in risk signals include:
- Anonymous IP address (Tor, known VPN exit nodes)
- Atypical travel (impossible travel: logged in from London and New York within 2 hours)
- Malware-linked IP address
- Unfamiliar sign-in properties (new device, new location)
- Leaked credentials (MSFT monitors breach databases for matching credentials)
Deployment sequence summary:
- Create break-glass accounts and exclusion group
- Deploy all policies in Report-Only
- Review sign-in logs for 1-2 weeks, fix service accounts and legacy auth
- Enable Block Legacy Auth → monitor 1 week
- Enable Require MFA for All Users
- Enable Admin policies
- Enable device compliance (after Intune enrollment is complete)
- Enable risk-based policies (if P2 licensed)
The bottom line
Azure Conditional Access ships with no policies configured: the entire enforcement model requires intentional setup. Deploy in this sequence: create break-glass emergency accounts excluded from all policies, deploy each policy in Report-Only mode first, review sign-in logs to identify service accounts and legacy auth sources, then enable policies one at a time. The five essential policies: require MFA for all users, block legacy authentication (closes the biggest account takeover vector), require phishing-resistant MFA for admin roles, require compliant devices for Microsoft 365, and block high-risk sign-ins (requires P2 licensing).
Frequently asked questions
What Azure Conditional Access policies should every organization have?
Five baseline policies: require MFA for all users, block legacy authentication protocols (SMTP, IMAP, POP3, older clients that cannot do MFA), require phishing-resistant MFA for administrator roles, require Intune-compliant or Hybrid Azure AD joined devices for Microsoft 365 access, and block high-risk sign-ins (requires Entra ID P2). Deploy all in Report-Only mode first, review sign-in logs for unintended impacts, then enforce.
What is a break-glass account in Azure AD?
A break-glass account is an emergency administrator account excluded from all Conditional Access policies: used when a misconfigured policy blocks all admin access. Requirements: use the .onmicrosoft.com domain (not federated), have no MFA registered, store the password in a physical safe, and monitor any sign-in to these accounts immediately (their use signals either an emergency or a breach).
What Azure Conditional Access policies should every organization enable?
Five baseline Conditional Access policies for every Microsoft 365 tenant: (1) Require MFA for all users (including admins); (2) Block legacy authentication (ActiveSync, SMTP AUTH, IMAP, POP) — these cannot support MFA; (3) Require compliant or hybrid-joined device for accessing corporate resources; (4) Require MFA for Azure management (protects Azure portal and CLI access); (5) Sign-in risk-based policy using Identity Protection — require MFA step-up or block on medium/high risk sign-ins. Start in report-only mode for each policy to understand impact before enabling. Deploy them in order: MFA first, then legacy auth block, then device compliance.
How do I block legacy authentication in Microsoft 365?
Legacy authentication protocols (SMTP AUTH, Exchange ActiveSync, IMAP, POP3, Outlook 2010/2013 without modern auth) cannot perform MFA: they are a primary attack vector for credential stuffing and password spray. Block via Conditional Access: create a policy targeting 'Exchange ActiveSync clients' and 'Other clients' (the other clients condition covers SMTP AUTH, IMAP, POP) with an action of Block. Before enabling, check the Entra ID sign-in logs filtered by 'Client app: Legacy Authentication Clients' to identify users and services still using legacy auth. Common legacy auth consumers: shared mailboxes used by scripts, older Outlook versions, on-premises systems forwarding email via SMTP AUTH.
What is Conditional Access named locations and how do I use it?
Named locations are trusted IP ranges or country/region lists you define in Entra ID for use in Conditional Access policies. Use cases: require MFA for sign-ins from outside corporate office IP ranges (trusted location = your IP, untrusted = everywhere else); block sign-ins from countries where your organization has no employees; allow legacy auth only from on-premises IP ranges where legacy systems live. Configure in Entra ID > Security > Conditional Access > Named locations. For country-based blocking, use the 'Countries and Regions' location type. Note: VPN usage, traveling employees, and remote work all generate sign-ins from 'untrusted' locations — design policies to require MFA from untrusted locations rather than outright block.
How do I audit which service accounts and shared mailboxes are excluded from Conditional Access MFA policies?
Pull the exclusion list directly from the Conditional Access policy via Microsoft Graph: Connect-MgGraph with Policy.Read.All scope, then run Get-MgIdentityConditionalAccessPolicy and inspect each policy's Conditions.Users.ExcludeGroups and ExcludeUsers arrays. Expand group memberships recursively to get the full set of excluded principals. For each excluded account, verify it has a documented justification and review date -- exclusions without documentation are a common audit finding. Service accounts should use workload identity federation or managed identities rather than password-based exclusions where possible; shared mailboxes should be converted to resource mailboxes that block interactive sign-in (Set-MsolUser -BlockCredential $true) rather than being excluded from CA policies. Schedule a quarterly review of all excluded principals and remove any that no longer require the exclusion.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
