Conditional Access is Microsoft's policy engine for enforcing access controls in Entra ID. Every access request — signing into Outlook, opening SharePoint, connecting via VPN — is evaluated against Conditional Access policies before access is granted. Without policies, access is governed only by username and password (or whatever authentication is configured at the account level).
The Baseline Policies Every Business Should Have
Require MFA for All Users
A policy that requires MFA for all users accessing all cloud apps is the foundational Conditional Access control. Combined with blocking legacy authentication (a separate policy), this closes the most common credential attack paths.
Block Legacy Authentication
A policy blocking all legacy authentication protocols, so that only modern auth flows that support MFA can connect. This is a prerequisite for MFA enforcement to be effective across the entire tenant: legacy protocols cannot prompt for a second factor, so any account reachable over them bypasses the MFA policy.
Require Compliant Device for Sensitive Data
A policy requiring that devices accessing sensitive data (M365 data, specific SharePoint sites, financial applications) are enrolled in Intune and meet compliance requirements. This prevents access from unmanaged personal devices or attacker-controlled machines.
Block High-Risk Sign-Ins
Using Entra ID Protection risk signals, block or challenge sign-ins flagged as high-risk — impossible travel, anonymous IP addresses, credentials appearing in known breach databases.
Common Configuration Mistakes
Three mistakes come up repeatedly. Excluding too many users or applications (service accounts, emergency access accounts, legacy integrations) creates policy gaps. Enforcing a new policy without first running it in report-only mode breaks legitimate workflows before anyone notices. Not configuring a break-glass emergency access account that is excluded from every Conditional Access policy (but monitored for any use) leaves no safe way to recover when a policy locks administrators out.
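The four baseline policies and the three configuration mistakes above can be checked mechanically against an export of a tenant's policies. The following script is an added example, not code from the original article or from Microsoft. The policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.applications, conditions.clientAppTypes, conditions.signInRiskLevels, grantControls.builtInControls); the policy names, the break-glass account identifier, the service-account identifiers and the exclusion threshold are constructed for the example. The sample tenant deliberately contains a report-only legacy-auth block and a policy that omits the break-glass exclusion, so the audit reports both.

```python
"""Audit exported Entra ID Conditional Access policies against the baseline.

Added example (not from the original article). Policies use the Microsoft Graph
conditionalAccessPolicy shape; names, ids and the threshold below are constructed.
"""
from typing import Dict, List

# Constructed placeholder: object id of the break-glass (emergency access) account.
BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000b6"
# Assumed threshold: more excluded users than this is worth a review.
MAX_EXCLUDED_USERS = 5
# Graph clientAppTypes values that correspond to legacy authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

Policy = Dict


def _is_enforced(policy: Policy) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return policy.get("state") == "enabled"


def _has_control(policy: Policy, control: str) -> bool:
    grant = policy.get("grantControls") or {}
    return control in grant.get("builtInControls", [])


def _targets_all_users(policy: Policy) -> bool:
    return policy["conditions"]["users"].get("includeUsers") == ["All"]


def _targets_all_apps(policy: Policy) -> bool:
    return policy["conditions"]["applications"].get("includeApplications") == ["All"]


def requires_mfa_for_all(policies: List[Policy]) -> bool:
    """Baseline 1: an enforced policy requiring MFA for all users on all cloud apps."""
    return any(_is_enforced(p) and _targets_all_users(p) and _targets_all_apps(p)
               and _has_control(p, "mfa") for p in policies)


def blocks_legacy_auth(policies: List[Policy]) -> bool:
    """Baseline 2: an enforced block covering both legacy client app types for all users."""
    for p in policies:
        client_types = set(p["conditions"].get("clientAppTypes", []))
        if (_is_enforced(p) and _targets_all_users(p) and _has_control(p, "block")
                and LEGACY_CLIENT_APP_TYPES <= client_types):
            return True
    return False


def requires_compliant_device(policies: List[Policy], app_id: str) -> bool:
    """Baseline 3: an enforced compliant-device requirement that covers the given app."""
    return any(_is_enforced(p) and _has_control(p, "compliantDevice")
               and app_id in p["conditions"]["applications"].get("includeApplications", [])
               for p in policies)


def blocks_high_risk_signins(policies: List[Policy]) -> bool:
    """Baseline 4: high-risk sign-ins are blocked or challenged with MFA."""
    return any(_is_enforced(p) and "high" in p["conditions"].get("signInRiskLevels", [])
               and (_has_control(p, "block") or _has_control(p, "mfa")) for p in policies)


def audit(policies: List[Policy]) -> List[str]:
    """Return findings for missing baseline policies and the common configuration mistakes."""
    findings = []
    if not requires_mfa_for_all(policies):
        findings.append("MISSING: no enforced MFA-for-all-users policy")
    if not blocks_legacy_auth(policies):
        findings.append("MISSING: no enforced block of legacy authentication")
    if not blocks_high_risk_signins(policies):
        findings.append("MISSING: no enforced block/challenge of high-risk sign-ins")
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        excluded = p["conditions"]["users"].get("excludeUsers", [])
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"REPORT-ONLY: '{name}' is not enforced")
        if BREAK_GLASS_ID not in excluded:
            findings.append(f"BREAK-GLASS: '{name}' does not exclude the emergency access account")
        if len(excluded) > MAX_EXCLUDED_USERS:
            findings.append(f"EXCLUSIONS: '{name}' excludes {len(excluded)} users")
    return findings


# Constructed sample export: the four baseline policies, two of them misconfigured.
SAMPLE_POLICIES = [
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    # Mistake: still in report-only mode, so legacy auth is not actually blocked.
    {"displayName": "CA002 Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    # Mistakes: break-glass account not excluded, six placeholder service accounts excluded.
    {"displayName": "CA003 Require compliant device for M365", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [f"svc-placeholder-{i}" for i in range(6)]},
                    "applications": {"includeApplications": ["Office365"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "CA004 Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"],
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print(finding)
```

Run against a real tenant by replacing SAMPLE_POLICIES with the `value` array returned by a GET on the Graph endpoint /identity/conditionalAccess/policies and BREAK_GLASS_ID with the emergency account's object id. The audit is intentionally strict about "All" scoping: a policy that targets a group named "All staff" rather than the literal All value is reported as missing, which is the point, since such policies silently miss newly created accounts.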