Entra ID Conditional Access: Deploy Without Locking Anyone Out

Create these before touching any CA policy.

Break-glass account setup:

1. Create two cloud-only accounts:
   - emergency-access-01@yourtenant.onmicrosoft.com
   - emergency-access-02@yourtenant.onmicrosoft.com

2. Generate 40-character random passwords for each.
   Store passwords in a physical safe or sealed envelope.
   Do NOT store in a password manager (that's what you're protecting against).

3. Assign Global Administrator permanently (not via PIM).

4. Exclude both accounts from ALL Conditional Access policies.
   Create a group: sg-ca-emergency-exclusion
   Add both break-glass accounts.

5. Create an alert:
   Entra ID > Monitoring > Diagnostic settings >
   Sign-in logs > Alert on any sign-in from these accounts.
   Page your whole security team when it fires.

Exclusion group governance: Create one exclusion group per policy, not one master exclusion group. Name them sg-ca-exclude-[policy-name]. Document every member with: account purpose, justification for exclusion, ticket number, review date. Review quarterly -- unused exclusions become backdoors.

Legacy auth is responsible for the majority of password spray and credential stuffing attacks. It cannot prompt for MFA, so blocking it is the single highest-ROI CA policy.

Policy settings:

Name: CA001 - Block Legacy Authentication
State: Report-only (NOT On)

Assignments:
  Users: All users
  Exclude: sg-ca-emergency-exclusion
  Cloud apps: All cloud apps
  Conditions:
    Client apps: Select
      ✓ Exchange ActiveSync clients
      ✓ Other clients
      (Do NOT check Browser or Mobile apps/desktop clients)

Access controls:
  Grant: Block access

How to read report-only results: Entra ID > Sign-in logs > Add filter: Conditional Access = Report-only: Failure

For each result, check:

• User: Is this a real person or a service account?
• Client app: What protocol? (IMAP, SMTP, POP3, legacy ExchangeActiveSync)
• Application: Which app is connecting?

If you find legitimate use (e.g., a printer using SMTP to send scans), migrate it to modern auth or add to the exclusion group with a documented justification. After 2 weeks with no unexplained failures, flip to On.

Policy settings:

Name: CA002 - Require MFA for All Users
State: Report-only initially

Assignments:
  Users: All users
  Exclude:
    - sg-ca-emergency-exclusion
    - sg-ca-exclude-mfa-legacy-services (for any service accounts
      that cannot use modern auth and aren't yet migrated)
  Cloud apps: All cloud apps
  Conditions: None (applies to all sign-ins)

Access controls:
  Grant: Require multifactor authentication

MFA registration campaign (run before enforcement): Entra ID > Protection > Authentication methods > Registration campaign

• Enable: Yes
• Days allowed to snooze: 7 (gives users a week to register before enforcement)
• Target: All users

Run the registration campaign for 2 weeks in parallel with report-only mode. Check registration status:

Entra ID > Users > Per-user MFA
Filter by: MFA Status = Disabled

Any user still unregistered after 2 weeks needs direct outreach before enforcement. Do NOT enforce while significant users are unregistered.

Enforcement day process:

1. Email all users 48 hours before: "MFA will be required starting [DATE]"
2. Have IT helpdesk on elevated staffing for 2 days post-enforcement
3. Flip policy from Report-only to On during low-traffic hours (early morning, not Friday)
4. Monitor sign-in logs for the next 4 hours; be ready to disable if unexpected widespread failure

Apply this only after MFA is fully enforced. Scoping to specific apps reduces blast radius if Intune enrollment is incomplete.

Identify target apps first: High-sensitivity applications to protect with device compliance:

• Azure portal / Entra admin center
• Microsoft 365 admin center
• Your ERP or financial system (if federated)
• Source code repositories (GitHub Enterprise via SAML, Azure DevOps)
• HR systems

Policy settings:

Name: CA003 - Require Compliant Device for Sensitive Apps
State: Report-only initially

Assignments:
  Users: All users (or start with pilot group of 20)
  Exclude: sg-ca-emergency-exclusion
  Cloud apps: Select specific apps (Azure Management, M365 Admin)
  Conditions: None

Access controls:
  Grant: Require device to be marked as compliant
  (Do NOT use 'Require Hybrid Azure AD joined device' unless
  you have on-premises AD DS -- that's a different, harder path)

Intune enrollment prerequisite check: Before enforcing, confirm:

Intune > Devices > Enrollment > Windows enrollment
- Auto-enrollment is configured for your tenant
- Compliance policies exist and are assigned
- Corporate devices are showing as 'Compliant'

Report-only this policy for 3 weeks. Look for any corporate-owned devices showing as non-compliant in the sign-in logs. Fix compliance policy gaps before enforcing.

This requires Entra ID P2 (included in Microsoft 365 E5 or as an add-on).

Policy settings:

Name: CA004 - Respond to Risky Sign-ins
State: Report-only initially

Assignments:
  Users: All users
  Exclude: sg-ca-emergency-exclusion
  Cloud apps: All cloud apps
  Conditions:
    Sign-in risk: High, Medium
    (Start with just High; add Medium after a week of observation)

Access controls:
  Grant: Require multifactor authentication
  (For High risk only: consider Block access instead of MFA --
  a compromised account may be able to complete MFA if the attacker
  has the phone. Discuss with your team.)

What 'High risk' means: Entra ID's machine learning has high confidence the sign-in is from a threat actor -- impossible travel, leaked credentials found on darkweb, known malicious IP.

What 'Medium risk' means: Anomalous sign-in patterns, unfamiliar location, sign-in from anonymizing proxy.

For most orgs: block High risk, require MFA for Medium risk. Review flagged sign-ins weekly in Entra ID > Protection > Risky sign-ins to calibrate.

This should actually be your first enforced policy, not your last. Admin accounts are the highest-value target. Unlike regular user MFA, this cannot wait.

Policy settings:

Name: CA000 - Require MFA for Administrators
State: On (enforce immediately, no report-only phase)

Assignments:
  Users > Directory roles: Select all privileged roles:
    - Global Administrator
    - Privileged Role Administrator
    - Security Administrator
    - Exchange Administrator
    - SharePoint Administrator
    - Conditional Access Administrator
    - Helpdesk Administrator
    - User Administrator
    - Application Administrator
    - Cloud Application Administrator
  Exclude: sg-ca-emergency-exclusion
  Cloud apps: All cloud apps

Access controls:
  Grant: Require multifactor authentication
  Session: Sign-in frequency: 1 hour (for admins, re-auth frequently)

Notify all admins before enabling. Admins who haven't registered for MFA will be locked out immediately. Run an MFA registration check for all admin-role holders first:

Entra ID > Roles and administrators > Global Administrator
> [list all members] > Check each account's MFA status

Exclusion groups are the most commonly abused CA control. A well-intentioned exception for a service account becomes a permanent backdoor when the account is repurposed or the developer leaves.

Exclusion governance rules:

Quarterly exclusion audit query (Microsoft Graph):

# List all members of all CA exclusion groups
Get-MgGroup -Filter "displayName startsWith 'sg-ca-exclude'" | 
  ForEach-Object {
    $group = $_
    Get-MgGroupMember -GroupId $group.Id | 
      Select-Object @{N='Group';E={$group.DisplayName}}, 
        @{N='Member';E={$_.AdditionalProperties.displayName}},
        @{N='Type';E={$_.AdditionalProperties.'@odata.type'}}
  } | Export-Csv ca-exclusions-audit.csv

Review this CSV with each member's ticket and justification. Remove any member whose justification no longer applies.

Before flipping any policy from report-only to On:

• Break-glass accounts exist, passwords stored offline, excluded from all CA policies
• Alerts configured for break-glass account sign-in
• Report-only mode has run for the full observation window (2 weeks minimum)
• All report-only failures reviewed and categorized: legitimate vs. will-block-on-enforce
• All legitimate use cases added to exclusion groups with documented justification
• MFA registration rate is above 95% for affected users
• IT helpdesk notified and on elevated staffing for go-live + 48 hours
• User communication sent 48 hours before enforcement
• Enforcement scheduled during low-traffic window (not Friday, not month-end)
• Rollback plan documented: who approves disabling the policy if widespread failure occurs
• Sign-in log monitoring active for 4 hours post-enforcement

Rollback procedure: If enforcement causes unexpected widespread lockout:

Entra ID > Security > Conditional Access > Policies
> [policy name] > State: Report-only

This immediately stops enforcement. Do NOT delete the policy -- you'll lose the configuration.