
Entra ID Conditional Access — Beginner to Advanced

Conditional Access is the most powerful security control in the Microsoft stack. This guide covers essential policies every UK business should have, and advanced configurations for higher-security environments.

Covers: Entra ID, Intune

What is Conditional Access?

Conditional Access (CA) is an if-then policy engine: IF a user tries to access a resource under certain conditions, THEN require them to do something (MFA, use a compliant device, come from a trusted location) — or block access entirely.

Think of it as a smart firewall for identity. Rather than IP-based rules, it evaluates signals like user risk, device compliance, application sensitivity, and location.

Essential Policy 1: Require MFA for All Users

This is the single most impactful security control you can enable. Every user, every app, every time — unless they're on a compliant Intune-managed device.

  1. Entra ID → Security → Conditional Access → New Policy
  2. Name: 'Require MFA — All Users All Apps'
  3. Users: All users (exclude break-glass admin accounts)
  4. Cloud apps: All cloud apps
  5. Conditions: none (apply everywhere)
  6. Grant: Require multi-factor authentication
  7. Enable policy: On

Always create a break-glass admin account and exclude it from MFA policies. This prevents lockout if your MFA system fails.

Essential Policy 2: Block Legacy Authentication

Legacy authentication protocols (basic authentication over SMTP, POP3, IMAP and similar) cannot enforce MFA and are responsible for over 99% of password spray attacks. Block them entirely.

  1. New Policy: 'Block Legacy Authentication'
  2. Users: All users
  3. Cloud apps: All cloud apps
  4. Conditions → Client apps: Exchange ActiveSync clients + Other clients (tick both)
  5. Grant: Block access
  6. Enable: On
💡 Before enabling, check the Entra ID sign-in logs for any legacy auth activity. Printers/scanners that send via SMTP may need updating to modern auth.

Advanced: Require Compliant Device

Once devices are enrolled in Intune with compliance policies, you can require them to be compliant before accessing sensitive apps — adding a device trust layer on top of MFA.

  1. Create an Intune compliance policy with your requirements (encryption, AV enabled, OS version)
  2. New CA Policy: 'Require Compliant Device — Microsoft 365'
  3. Users: All users
  4. Cloud apps: Office 365
  5. Grant: Require device to be marked as compliant OR Require Azure AD hybrid joined device (now labelled Microsoft Entra hybrid joined; covers devices joined to on-premises AD)
  6. Enable in Report-only mode first, review the impact, then switch to On
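The three policies above (Require MFA, Block Legacy Authentication, Require Compliant Device) expressed as Microsoft Graph conditionalAccessPolicy objects and created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module is installed, the signed-in admin has the Policy.ReadWrite.ConditionalAccess scope, and `$BreakGlassIds` is a placeholder for your own break-glass account object IDs (excluded from every policy here, not only the MFA one).

```powershell
# Added example: the guide's three Conditional Access policies as Graph objects.
# Assumptions: Microsoft.Graph module installed; admin consented to the scope below.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object IDs of your break-glass accounts (exclude from every policy).
$BreakGlassIds = @('00000000-0000-0000-0000-000000000000')

$policies = @(
    @{
        displayName   = 'Require MFA - All Users All Apps'
        state         = 'enabled'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'Block Legacy Authentication'
        state         = 'enabled'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
            applications   = @{ includeApplications = @('All') }
            # Exchange ActiveSync + "Other clients" = the legacy protocols only
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName   = 'Require Compliant Device - Microsoft 365'
        # Report-only first: evaluate and log, enforce nothing until reviewed
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
            applications = @{ includeApplications = @('Office365') }
        }
        # Compliant OR hybrid-joined satisfies the grant
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0,-45} state={1} id={2}' -f $created.DisplayName, $created.State, $created.Id
}
```

Switch the third policy to `state = 'enabled'` only after the report-only sign-in log entries show no unexpected blocks.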