Configuring Conditional Access Policies in Office 365

Conditional Access is the Zero Trust control plane that enables you to make intelligent access decisions for your Microsoft 365 environment. By evaluating signals like user identity, location, device health, and risk level, Conditional Access policies enforce the right access controls at the right time, protecting your organization's data while maintaining user productivity.

Overview

Conditional Access policies act as if-then statements: IF a user wants to access a resource, THEN they must complete an action (like MFA) or meet certain requirements (like using a compliant device). This guide covers configuring policies for common security scenarios including MFA enforcement, device compliance, location-based restrictions, and application protection.

Modern organizations face sophisticated threats that require more than simple username and password authentication. Conditional Access provides granular control over how and when users can access your Microsoft 365 resources, significantly reducing the risk of unauthorized access and data breaches.

Prerequisites

Before configuring Conditional Access policies, ensure you have:

Licensing Requirements:

• Azure AD Premium P1 (minimum) - Included with Microsoft 365 E3, Microsoft 365 Business Premium
• Azure AD Premium P2 (recommended) - Included with Microsoft 365 E5, adds risk-based policies
• Microsoft Intune - For device compliance policies (included with Microsoft 365 E3/E5)

Administrative Access:

• Global Administrator, Security Administrator, or Conditional Access Administrator role
• Access to Azure AD admin center (portal.azure.com or entra.microsoft.com)

Technical Prerequisites:

• Users enrolled in Azure AD Multi-Factor Authentication (MFA)
• Devices registered or joined to Azure AD (for device-based policies)
• Microsoft Intune device compliance policies configured (for compliance-based policies)
• Understanding of your organization's security requirements and user workflows

Recommended Preparation:

• Identify pilot user group for testing (5-10 users)
• Document current authentication methods and access patterns
• Create emergency access ("break glass") accounts and exclude from policies
• Review Microsoft's recommended baseline policies

Understanding Conditional Access Components

Assignment Components

Users and Groups:

• Include/exclude specific users, groups, directory roles, or guest users
• Always exclude emergency access accounts

Cloud Apps or Actions:

• Target specific applications (Exchange Online, SharePoint, Teams)
• Apply to all cloud apps or specific services
• Include user actions like registering security info

Conditions:

• Sign-in risk: Low, medium, or high (requires Azure AD Premium P2)
• Device platforms: Windows, macOS, iOS, Android, Linux
• Locations: Trusted locations, specific countries, or IP ranges
• Client apps: Browser, mobile apps, desktop clients
• Device state: Compliant, hybrid Azure AD joined

Access Controls

Grant Controls:

• Block access
• Grant access with requirements: MFA, compliant device, approved app, terms of use

Session Controls:

• App-enforced restrictions
• Conditional Access App Control
• Sign-in frequency
• Persistent browser session

Method 1: Configuring Conditional Access via Azure Portal

Step 1: Access Conditional Access Policies

1. Navigate to the Azure portal: https://portal.azure.com
2. Sign in with Global Administrator or Conditional Access Administrator credentials
3. Search for "Azure Active Directory" or "Microsoft Entra ID"
4. In the left navigation, select Security → Conditional Access
5. Review the Overview page for existing policies and policy insights

Alternative Access Point:

• Microsoft Entra admin center: https://entra.microsoft.com
• Navigate to Protection → Conditional Access → Policies

Step 2: Create a Require MFA Policy for All Users

This fundamental policy requires all users to perform MFA when signing in.

1. Click + New policy in the Conditional Access blade
2. Name your policy: "CA001 - Require MFA for All Users"

Configure Assignments:

3. Under Users, click 0 users and groups selected

   • Select All users
   • Under Exclude, select Users and groups
   • Check your emergency access accounts (e.g., [email protected])

4. Under Target resources, click No target resources selected

   • Select All cloud apps
   • This applies the policy to all Microsoft 365 services

5. Conditions - Leave default (applies to all conditions) or configure:

   • Click 0 conditions selected to review available conditions
   • For this basic policy, leave conditions at default

Configure Access Controls:

6. Under Grant, click 0 controls selected

   • Select Grant access
   • Check Require multifactor authentication
   • Leave Require all the selected controls selected
   • Click Select

7. Under Session, leave default for this policy

Enable the Policy:

8. At the bottom, under Enable policy:

   • Select Report-only mode first (recommended for testing)
   • Click Create

9. Monitor the policy in Report-only mode for 24-48 hours:

   • Navigate to Azure AD → Sign-in logs
   • Filter by Conditional Access status
   • Review What If tool results

10. Once validated, edit the policy:

    • Change Enable policy to On
    • Click Save

Step 3: Create a Device Compliance Policy

Require users to access resources only from compliant devices.

1. Click + New policy
2. Name: "CA002 - Require Compliant Device for Sensitive Apps"

Configure Assignments:

3. Under Users:

   • Select specific groups (e.g., "Finance Team", "Executive Team")
   • Exclude emergency access accounts

4. Under Target resources:

   • Select Select apps
   • Choose applications requiring device compliance:
     • Office 365 Exchange Online
     • Office 365 SharePoint Online
     • Microsoft Teams
   • Click Select

5. Under Conditions:

   • Device platforms: Select Any device or specific platforms
   • Locations: Select Any location

Configure Access Controls:

6. Under Grant, click 0 controls selected

   • Select Grant access
   • Check Require device to be marked as compliant
   • Check Require multifactor authentication
   • Select Require all the selected controls
   • Click Select

7. Enable policy: Set to Report-only, then Create

8. Test with pilot users, then enable

Step 4: Create a Location-Based Policy

Block access from untrusted locations or require additional verification.

1. First, define named locations:

   • In Conditional Access, click Named locations
   • Click + IP ranges location
   • Name: "Corporate Office Network"
   • Add IP ranges (e.g., 203.0.113.0/24)
   • Mark as Trusted location
   • Click Create

2. Click + New policy

3. Name: "CA003 - Block Access from Untrusted Locations"

Configure Assignments:

4. Under Users:

   • Select All users
   • Exclude emergency access accounts and service accounts

5. Under Target resources:

   • Select All cloud apps

6. Under Conditions → Locations:

   • Configure: Yes
   • Include: Any location
   • Exclude: Select your named locations (e.g., "Corporate Office Network")

Configure Access Controls:

7. Under Grant:

   • Select Block access
   • Click Select

   Alternative (less restrictive): Instead of blocking, require MFA:

   • Select Grant access
   • Check Require multifactor authentication
   • Check Require compliant device
   • Select Require one of the selected controls

8. Enable policy: Set to Report-only, test, then enable

Step 5: Create an App Protection Policy (MAM)

Require approved client apps with app protection policies for mobile access.

1. Click + New policy
2. Name: "CA004 - Require Approved Apps for Mobile Access"

Configure Assignments:

3. Under Users:

   • Select All users or specific groups
   • Exclude emergency access accounts

4. Under Target resources:

   • Select Select apps
   • Choose: Office 365 Exchange Online, Office 365 SharePoint Online
   • Click Select

5. Under Conditions → Device platforms:

   • Configure: Yes
   • Select: iOS and Android

6. Under Conditions → Client apps:

   • Configure: Yes
   • Select: Mobile apps and desktop clients

Configure Access Controls:

7. Under Grant:

   • Select Grant access
   • Check Require approved client app
   • Check Require app protection policy (requires Azure AD Premium P1)
   • Select Require one of the selected controls
   • Click Select

8. Enable policy: Set to Report-only, test, then enable

Approved Apps Include:

• Microsoft Outlook (iOS/Android)
• Microsoft Edge (iOS/Android)
• Microsoft Teams
• OneDrive
• SharePoint

Method 2: Configuring Conditional Access via PowerShell

PowerShell enables automation and bulk policy management using Microsoft Graph PowerShell.

Prerequisites for PowerShell

# Install Microsoft Graph PowerShell modules
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module Microsoft.Graph.Beta -Scope CurrentUser -Force

# Import required modules
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Beta.Identity.SignIns

# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

Step 1: List Existing Conditional Access Policies

# Get all Conditional Access policies
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id

# Get detailed information for a specific policy
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "policy-id-here" | Format-List

# Export all policies to JSON for backup
Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10 | Out-File "CA-Policies-Backup.json"

Step 2: Create a Require MFA Policy via PowerShell

# Define parameters for the policy
$params = @{
    DisplayName = "CA001 - Require MFA for All Users"
    State = "enabledForReportingButNotEnforced" # Report-only mode
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")
        }
        Users = @{
            IncludeUsers = @("All")
            ExcludeUsers = @(
                "[email protected]" # Replace with your emergency account ID or UPN
            )
        }
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("mfa")
    }
}

# Create the policy
New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Step 3: Create a Device Compliance Policy via PowerShell

# Get application IDs for Office 365 services
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
$sharepointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"
$teamsAppId = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"

# Get group ID for target users
$targetGroup = Get-MgGroup -Filter "displayName eq 'Finance Team'"

$params = @{
    DisplayName = "CA002 - Require Compliant Device for Sensitive Apps"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Applications = @{
            IncludeApplications = @($exchangeOnlineAppId, $sharepointOnlineAppId, $teamsAppId)
        }
        Users = @{
            IncludeGroups = @($targetGroup.Id)
            ExcludeUsers = @("[email protected]")
        }
    }
    GrantControls = @{
        Operator = "AND" # Require both MFA AND compliant device
        BuiltInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Step 4: Create a Location-Based Policy via PowerShell

# First, create a named location
$locationParams = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    DisplayName = "Corporate Office Network"
    IsTrusted = $true
    IpRanges = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            CidrAddress = "203.0.113.0/24"
        }
    )
}

$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationParams

# Create policy that requires MFA from non-trusted locations
$params = @{
    DisplayName = "CA003 - Require MFA from Untrusted Locations"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")
        }
        Users = @{
            IncludeUsers = @("All")
            ExcludeUsers = @("[email protected]")
        }
        Locations = @{
            IncludeLocations = @("All")
            ExcludeLocations = @($namedLocation.Id)
        }
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Step 5: Update Policy from Report-Only to Enabled

# Get the policy
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CA001 - Require MFA for All Users'"

# Update to enabled state
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"

# Verify the change
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id | Select-Object DisplayName, State

Step 6: Bulk Policy Management

# Export all policies for documentation
$policies = Get-MgIdentityConditionalAccessPolicy
$policies | ForEach-Object {
    $fileName = "$($_.DisplayName -replace '[\\/:*?"<>|]', '_').json"
    $_ | ConvertTo-Json -Depth 10 | Out-File "Policies\$fileName"
}

# Disable all policies (use with caution!)
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" } | ForEach-Object {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -State "disabled"
}

# Enable all report-only policies
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" } | ForEach-Object {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -State "enabled"
    Write-Host "Enabled: $($_.DisplayName)"
}

Method 3: Using Policy Templates

Microsoft provides baseline security policy templates to jumpstart your deployment.

Step 1: Access Security Defaults (Basic Protection)

For small organizations without Azure AD Premium:

1. Navigate to Azure AD → Properties
2. Click Manage security defaults
3. Set Enable security defaults to Yes
4. Click Save

Security Defaults provide:

• Require all users to register for MFA
• Require MFA for administrators
• Block legacy authentication
• Protect privileged activities

Limitations:

• Cannot be customized
• Conflicts with Conditional Access policies
• All-or-nothing approach

Step 2: Deploy Microsoft's Baseline Policies

For organizations with Azure AD Premium:

1. Navigate to Conditional Access → Policies

2. Click + New policy from template

3. Browse available templates:

   • Require MFA for admins
   • Require MFA for Azure management
   • Block legacy authentication
   • Require MFA for all users
   • Require compliant devices

4. Select a template (e.g., "Require MFA for admins")

5. Review the pre-configured settings:

   • Users: Directory roles (Global Admin, Security Admin, etc.)
   • Apps: All cloud apps
   • Grant: Require MFA

6. Customize if needed:

   • Exclude emergency access accounts
   • Adjust target applications

7. Set to Report-only mode

8. Click Create

Step 3: Identity Protection Risk-Based Policies (Azure AD Premium P2)

Configure automated responses to detected risks:

1. Navigate to Azure AD → Security → Identity Protection
2. Click Sign-in risk policy

Configure Sign-in Risk Policy:

3. Users: All users (exclude emergency accounts)
4. Conditions → Sign-in risk: Medium and high
5. Controls → Access: Allow access, Require MFA
6. Enforce Policy: On

Configure User Risk Policy:

7. Click User risk policy
8. Users: All users (exclude emergency accounts)
9. Conditions → User risk: High
10. Controls → Access: Allow access, Require password change
11. Enforce Policy: On

Benefits:

• Automatic MFA challenge for risky sign-ins
• Password reset requirement for compromised accounts
• Continuous risk assessment using machine learning

Common Policy Templates for Organizations

Template 1: Basic Security Baseline (All Organizations)

Policy Set: Basic Security Baseline
Target: All users
Licensing: Azure AD Premium P1

Policies:
1. CA001 - Require MFA for All Users
2. CA002 - Block Legacy Authentication
3. CA003 - Require MFA for Azure Management
4. CA004 - Require MFA for Admins (Always)

Template 2: Enhanced Security (Regulated Industries)

Policy Set: Enhanced Security
Target: All users
Licensing: Azure AD Premium P2

Policies:
1-4: All Basic Security Baseline policies
5. CA005 - Require Compliant Device for Email
6. CA006 - Block Access from Untrusted Locations
7. CA007 - Sign-in Risk-Based MFA
8. CA008 - User Risk-Based Password Change
9. CA009 - Require Approved Apps for Mobile

Template 3: Zero Trust Architecture

Policy Set: Zero Trust
Target: All users
Licensing: Azure AD Premium P2 + Intune

Policies:
1-9: All Enhanced Security policies
10. CA010 - Require Hybrid Azure AD Join for Windows
11. CA011 - App Protection Policy for Mobile
12. CA012 - Session Controls for Unmanaged Devices
13. CA013 - Block Downloads on Unmanaged Devices
14. CA014 - Terms of Use for External Users

Best Practices

Policy Design Principles

1. Start with Report-Only Mode

• Always create policies in report-only mode
• Monitor for 24-48 hours minimum
• Review sign-in logs for unintended impacts
• Use the What If tool to simulate policy effects

2. Exclude Emergency Access Accounts

• Create 2-3 "break glass" accounts
• Store credentials in a secure physical location
• Exclude from ALL Conditional Access policies
• Monitor for any use (should be rare)

3. Use a Phased Rollout

• Phase 1: Pilot group (5-10 users, IT staff)
• Phase 2: Early adopters (25-50 users, various departments)
• Phase 3: Broad deployment (all users)
• Allow 1-2 weeks per phase

4. Layer Policies Instead of Single Complex Policy

• Create focused, single-purpose policies
• Easier to troubleshoot and maintain
• Better visibility in sign-in logs
• Example: Separate MFA policy from device compliance policy

5. Name Policies Consistently

• Use prefix: CA001, CA002, CA003
• Include purpose: "Require MFA for All Users"
• Sort policies by number for logical ordering

Security Recommendations

Block Legacy Authentication

$params = @{
    DisplayName = "CA002 - Block Legacy Authentication"
    State = "enabled"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")
        }
        Users = @{
            IncludeUsers = @("All")
            ExcludeUsers = @("[email protected]")
        }
        ClientAppTypes = @("exchangeActiveSync", "other") # Legacy protocols
    }
    GrantControls = @{
        BuiltInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Require MFA for Azure Management

Apps: Microsoft Azure Management (797f4846-ba00-4fd7-ba43-dac1f8f63013)
Users: All users
Grant: Require MFA

Session Controls for Unmanaged Devices

Conditions: Device state - Not compliant
Grant: Allow access
Session: Use app enforced restrictions, Sign-in frequency (1 hour)

Monitoring and Maintenance

Regular Review Tasks:

1. Weekly:

   • Review sign-in logs for blocked access
   • Check for users reporting access issues
   • Monitor policy insights dashboard

2. Monthly:

   • Review policy effectiveness metrics
   • Analyze What If tool results for new scenarios
   • Update named locations if IP ranges change

3. Quarterly:

   • Audit all policies for continued relevance
   • Review emergency access account exclusions
   • Test emergency access accounts
   • Update documentation

Key Metrics to Monitor:

• Number of successful vs. blocked sign-ins
• MFA success rate
• Device compliance rate
• Sign-in risk detections
• Policies triggered per user

Access Monitoring Locations:

• Azure AD → Sign-in logs
• Azure AD → Conditional Access → Insights and reporting
• Microsoft 365 Defender → Reports → Identity

Troubleshooting

Issue 1: Users Cannot Access Applications

Symptoms:

• Error: "You cannot access this right now"
• Error: "Your sign-in was blocked"

Diagnosis:

1. Check sign-in logs:

   • Navigate to Azure AD → Sign-in logs
   • Find the user's failed sign-in attempt
   • Click on the event → Conditional Access tab
   • Review which policy blocked access

2. Use What If tool:

   • Navigate to Conditional Access → What If
   • User: Select the affected user
   • Cloud app: Select the app they're trying to access
   • Click What If
   • Review which policies would apply

Solutions:

• If MFA is required but user not registered:

  • Guide user to https://aka.ms/mfasetup
  • Or temporarily add to exclusion group

• If compliant device required but device not compliant:

  • Check device compliance in Intune
  • Remediate compliance issues
  • Or adjust policy to require MFA instead

• If location-based policy blocking:

  • Verify user's actual location
  • Add legitimate IP to named locations
  • Or require MFA instead of blocking

Issue 2: Policy Not Applying as Expected

Symptoms:

• Policy shows as applied in logs but control not enforced
• Users not prompted for MFA when expected

Diagnosis:

# Check policy configuration
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Policy Name'"
$policy | ConvertTo-Json -Depth 10

# Verify policy state
$policy.State # Should be "enabled"

# Check conditions
$policy.Conditions

Common Causes:

1. Policy in Report-only mode:

   • Solution: Change state to "enabled"

2. User excluded via group membership:

   • Check exclusion groups
   • Verify user's group memberships

3. Other policy granting access:

   • Policies are evaluated collectively
   • A grant policy can override a block
   • Review all applicable policies

4. Policy precedence issue:

   • Policies don't have explicit precedence
   • All applicable policies must be satisfied
   • Use What If tool to see all applicable policies

Issue 3: Emergency Access Account Locked Out

Symptoms:

• Cannot sign in with break glass account
• MFA or device compliance required

Prevention:

1. Create dedicated accounts:

# Exclude from ALL policies by user ID
$breakglassUser = Get-MgUser -Filter "userPrincipalName eq '[email protected]'"

# Check all policies for exclusion
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    if ($_.Conditions.Users.ExcludeUsers -notcontains $breakglassUser.Id) {
        Write-Warning "$($_.DisplayName) does NOT exclude break glass account"
    }
}

2. Regular testing:
   • Test emergency accounts quarterly
   • Verify exclusions after creating new policies
   • Document emergency access procedures

Recovery (if already locked out):

1. Contact Microsoft Support immediately
2. Disable Conditional Access via PowerShell (requires another admin):

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Get-MgIdentityConditionalAccessPolicy | Update-MgIdentityConditionalAccessPolicy -State "disabled"

3. Once accessed, re-enable policies with proper exclusions

Issue 4: PowerShell Commands Failing

Symptoms:

• "Insufficient privileges to complete the operation"
• "Resource not found"

Solutions:

# Reconnect with correct scopes
Disconnect-MgGraph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "Application.Read.All"

# Verify connection
Get-MgContext | Select-Object Scopes, Account, AppName

# Update Microsoft Graph module
Update-Module Microsoft.Graph -Force
Update-Module Microsoft.Graph.Beta -Force

Issue 5: Mobile Users Cannot Access Email

Symptoms:

• Error on mobile devices: "Can't add account"
• Outlook mobile prompts for authentication repeatedly

Diagnosis:

Check if policy requires approved app or app protection:

1. Review applicable policies for Exchange Online
2. Check if "Require approved client app" is enabled
3. Verify app protection policy is assigned

Solutions:

1. Ensure users have Outlook mobile app:

   • Download from App Store (iOS) or Play Store (Android)
   • Not the built-in Mail app

2. Verify app protection policy:

   • Navigate to Intune → Apps → App protection policies
   • Check policy assignment to user groups
   • Verify policy settings allow access

3. Alternative policy for legacy apps:

# Allow basic authentication for legacy apps (NOT recommended)
$params = @{
    DisplayName = "CA-Exception - Allow Legacy Auth for Service Accounts"
    State = "enabled"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("00000002-0000-0ff1-ce00-000000000000") # Exchange
        }
        Users = @{
            IncludeGroups = @("service-accounts-group-id")
        }
        ClientAppTypes = @("exchangeActiveSync")
    }
    GrantControls = @{
        BuiltInControls = @("mfa")
    }
}

Advanced Configuration

Sign-in Frequency Control

Force users to re-authenticate after specified time:

$params = @{
    DisplayName = "CA015 - Require Re-auth Every 4 Hours for Finance App"
    State = "enabled"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("your-app-id")
        }
        Users = @{
            IncludeGroups = @("finance-team-group-id")
        }
    }
    GrantControls = @{
        BuiltInControls = @("mfa")
    }
    SessionControls = @{
        SignInFrequency = @{
            Value = 4
            Type = "hours"
            IsEnabled = $true
        }
    }
}

Continuous Access Evaluation (CAE)

Enable real-time enforcement of policy changes:

• Automatically enabled for supported applications
• Enforces IP location changes immediately
• Revokes access when user is disabled/deleted
• Supported apps: Exchange Online, SharePoint, Teams, Microsoft Graph

No configuration required - works automatically with Conditional Access policies

Authentication Context

Tag specific data or actions for additional protection:

1. Create authentication context:

   • Navigate to Conditional Access → Authentication context
   • Click New authentication context
   • ID: C1, Display name: "Sensitive data access"

2. Apply to SharePoint site:

   • Use Microsoft 365 compliance center
   • Apply sensitivity label requiring C1 context

3. Create policy for authentication context:

$params = @{
    DisplayName = "CA016 - Require Compliant Device for Sensitive Data"
    State = "enabled"
    Conditions = @{
        Applications = @{
            IncludeAuthenticationContextClassReferences = @("c1")
        }
        Users = @{
            IncludeUsers = @("All")
        }
    }
    GrantControls = @{
        BuiltInControls = @("compliantDevice")
    }
}

Next Steps and Related Resources

Recommended Implementation Order

1. Week 1-2: Foundation

   • Enable MFA for all admins
   • Block legacy authentication
   • Create emergency access accounts

2. Week 3-4: User MFA

   • Deploy MFA for all users (report-only)
   • Monitor and address user issues
   • Enable MFA policy

3. Week 5-6: Device Management

   • Configure Intune device compliance
   • Create device compliance policies (report-only)
   • Enable device compliance policies

4. Week 7-8: Advanced Controls

   • Configure named locations
   • Implement location-based policies
   • Configure app protection policies

5. Week 9+: Risk-Based Policies (if P2 licensed)

   • Enable Identity Protection
   • Configure sign-in risk policies
   • Configure user risk policies

Related Microsoft 365 Security Features

• Microsoft Defender for Cloud Apps: Session controls and app governance
• Azure AD Identity Protection: Risk-based policies and user risk detection
• Microsoft Intune: Device compliance and app protection policies
• Azure AD Privileged Identity Management: Just-in-time admin access
• Microsoft 365 Defender: Unified security dashboard

Additional Resources

Microsoft Documentation:

• Conditional Access documentation
• Common Conditional Access policies
• Conditional Access What If tool

PowerShell References:

• Microsoft Graph PowerShell SDK
• Conditional Access Graph API

Security Frameworks:

• Zero Trust security model
• NIST Cybersecurity Framework
• CIS Microsoft 365 Foundations Benchmark

Training Resources:

• Microsoft Learn: Secure access with Azure AD Conditional Access
• Microsoft Learn: Implement and manage identity and access

Professional Assistance

Configuring Conditional Access policies requires careful planning to balance security and usability. If you need assistance with:

• Policy design and architecture
• Zero Trust implementation
• Compliance requirements (HIPAA, PCI-DSS, CMMC)
• Azure AD Premium deployment

Contact InventiveHQ for expert Microsoft 365 security consulting and implementation services. Our team can help you design, deploy, and maintain Conditional Access policies tailored to your organization's specific security requirements and compliance needs.