Conditional Access Policy Best Practices: A Practical Guide

Conditional Access best practices help organizations keep up with a workforce that reaches cloud applications from laptops, phones and a range of other devices. Conditional Access in Microsoft Entra ID evaluates every sign-in and lets you enforce policies that protect against:

  • Unauthorized access
  • Data breaches

Remote work and diverse endpoints make conditional access policies a requirement for modern businesses.

Why Conditional Access Matters in Today’s Threat Landscape

Companies are distributed. Employees spread across offices, home networks and the road all need to reach the same cloud resources. Enforcing Conditional Access (CA) means that each sign-in is evaluated on more than a simple:

  • Username
  • Password

CA can require additional proof before access is granted, and it can block sign-in paths that are unable to provide that proof, such as legacy authentication (explained below). Multi-factor authentication (MFA) is the simplest of these controls and sharply reduces the risk that a stolen password on its own is enough to reach corporate systems.

CA goes further than MFA, though: it can also require a compliant or hybrid-joined device, restrict access by network location, and react to risk signals, as the rest of this guide explains.

What Are the Basic Conditional Access Policies?

Strong security starts with your organization’s foundation. CA starts with a handful of core controls:

Require MFA for All Users

Over 87% of companies with 10k or more employees use multi-factor authentication. Why? It is the most effective single control for reducing the risk from compromised credentials. For example, when a user signs in, a one-time code is sent to their mobile phone by text message.

Your company may also use an authentication app. That is the better choice: SMS codes can be intercepted through SIM swapping and are easily relayed by phishing pages, while an authenticator app with number matching, or a phishing-resistant method such as a FIDO2 security key or passkey, is much harder to trick.

Only when the correct code (or approval) is supplied on top of the username and password does the user reach company resources. An attacker who holds only the password is stopped. The remaining risk is that the user is tricked into approving or relaying the second factor, which is why phishing-resistant methods are preferred wherever the organization can deploy them.

Block Legacy Authentication

Legacy authentication means clients that present only a username and password (basic authentication) and cannot complete an MFA challenge. Conditional access best practices require blocking all of these legacy authentication paths:

  • POP3
  • IMAP4
  • SMTP AUTH
  • Exchange ActiveSync (basic authentication)
  • Older Office clients and anything else Entra ID reports in the sign-in logs as "Other clients"

Why?

Because these protocols cannot be challenged for MFA, a correct password is all an attacker needs. That makes them the preferred target for password spray and brute-force attacks, and the most common way MFA is bypassed outright. Blocking them forces clients onto modern authentication, where every sign-in can be evaluated by CA. Before enforcing the block, use the sign-in logs to find who still depends on these clients (printers and scanners that send mail, old mobile mail apps, scripts) and migrate them first.

Require Compliant or Hybrid-Joined Devices

You can also require that the device itself is one your company trusts, in either of two ways:

  • Compliant devices. Enrolled in mobile device management (Intune) and meeting its compliance rules for disk encryption, operating system, patch level and similar settings.
  • Hybrid-joined devices. Joined to on-premises Active Directory and registered with Microsoft Entra ID, so that only machines your company builds and manages are accepted.

A policy can accept either condition, which lets a hybrid estate start without waiting for full Intune enrolment. Hybrid join only proves that the device is domain-managed, not that it is healthy, so the stronger end state is to require compliance (or both) once devices are enrolled.

Limit Access to Trusted Locations

Conditional access best practices also use network location as a signal. Named locations let policies:

  • Treat known corporate IP ranges as trusted locations
  • Apply stricter controls to particular cloud apps, or to all of them, outside those ranges

If a user signs in from an untrusted location, you can require MFA or a managed device, or block the sign-in outright for sensitive apps. Treat location as a step-up signal rather than a reason to skip controls entirely: an IP range only proves the traffic came through a certain gateway, and VPNs, shared NAT and compromised internal hosts all sit behind it.
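As an added example, not code from the original article, here is how the baseline controls above look when created with the Microsoft Graph PowerShell SDK (the New-MgIdentityConditionalAccessPolicy and New-MgIdentityConditionalAccessNamedLocation cmdlets). The emergency-access account object IDs, the policy names and the 203.0.113.0/24 office range are placeholders assumed for this example; every policy is created in report-only mode, and the user scope is all users minus the emergency-access accounts.

```powershell
# Added example: baseline Conditional Access policies via Microsoft Graph PowerShell.
# Placeholders (assumptions for this example): the two emergency-access object IDs,
# the policy names and the 203.0.113.0/24 office egress range.
Import-Module Microsoft.Graph.Identity.SignIns

# Creating CA policies requires these delegated permissions on the admin session.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Object IDs of the emergency-access ("break glass") accounts (placeholders).
$breakGlass = @('00000000-0000-0000-0000-000000000001',
                '00000000-0000-0000-0000-000000000002')

function New-BaselinePolicy {
    # Creates one report-only policy scoped to all users except the break-glass accounts.
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    $Conditions.users = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # report-only; switch to 'enabled' later
        conditions    = $Conditions
        grantControls = $GrantControls
    }
}

# 1. Block legacy authentication. 'exchangeActiveSync' and 'other' are the client app
#    types that can only do basic auth, so they never see an MFA prompt.
New-BaselinePolicy -Name 'CA001 - Block legacy authentication' -Conditions @{
    clientAppTypes = @('exchangeActiveSync', 'other')
    applications   = @{ includeApplications = @('All') }
} -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# 2. Require MFA for all users on all cloud apps.
New-BaselinePolicy -Name 'CA002 - Require MFA for all users' -Conditions @{
    clientAppTypes = @('all')
    applications   = @{ includeApplications = @('All') }
} -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }

# 3. A trusted named location for the corporate egress range (placeholder CIDR).
New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate office egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

# 4. Outside trusted locations, require a compliant OR hybrid-joined device.
#    'AllTrusted' is the built-in location alias for every location marked isTrusted.
New-BaselinePolicy -Name 'CA003 - Require managed device outside trusted locations' -Conditions @{
    clientAppTypes = @('all')
    applications   = @{ includeApplications = @('All') }
    locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
} -GrantControls @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
```

Flip each policy's state to enabled only after the sign-in logs show the outcomes you expect. Before enabling the device policy, exclude the Microsoft Intune Enrollment application from it; otherwise a new device cannot enrol to become compliant in the first place.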

What Conditional Access Cannot Protect You From

CA is not a silver bullet for all security problems. Use conditional access best practices in conjunction with other measures to cover these gaps.

Areas where CA falls short or is limited include:

  • Insider and post-authentication threats. CA decides at sign-in and at token refresh. Once a user holds a valid session and meets every condition, what they do with that access is invisible to CA, so monitoring, data-loss controls and intrusion detection are still needed.
  • Resources that do not authenticate through Microsoft Entra ID. Applications with their own local accounts, or that federate elsewhere, are never evaluated by CA policies.

MFA lowers the risk from credential harvesting and phishing, but user-facing attacks remain. Adversary-in-the-middle phishing kits relay the real login page, capture the password and the MFA response, and steal the resulting session cookie; simpler attacks just talk the user into reading out a code or approving a push. Phishing-resistant MFA (FIDO2 keys, passkeys, certificate-based authentication) and a compliant-device requirement, which a sign-in proxied through the attacker's machine cannot satisfy, reduce this exposure.

Core Best Practices for Conditional Access Policies

We integrate CA for our clients, and some of the first measures we recommend are:

Start with a Zero-Trust Mindset

Architecture that trusts everyone is a recipe for disaster. Zero trust is part of best-practice conditional access because nothing is trusted by default. Note that Conditional Access in Entra ID does not deny by default on its own: a sign-in that no policy targets is allowed. A zero-trust posture therefore means writing policies that cover all users and all cloud apps, then adding narrowly scoped exceptions for compliant scenarios and known, verified accounts, rather than relying on an implicit deny that does not exist.

Combine Conditions for Granular Control

Conditional access policy best practices also combine several conditions in one policy to create targeted control. A policy's conditions are combined with AND, so it fires only when every condition it lists is met. For example, MFA may be required only when:

  • Any user is signing in (the policy targets all users), and
  • Access to a high-value financial application is requested, and
  • The connection comes from outside the corporate network

Granular controls cause less disruption for users while maintaining security standards. Within one condition type (users, apps, locations) the include and exclude lists are evaluated together, and an exclusion always wins over an inclusion.

Use Report-Only Mode Before Enforcing

Never put a new Conditional Access policy straight into the On state. Every new policy, especially one that affects a large number of users, should be deployed in Report-only mode first. In report-only mode the policy is evaluated on every sign-in and the result (what would have been granted, blocked or prompted) is written to the sign-in logs, but nothing is enforced. Run it there long enough to see a normal week of activity, review the report-only outcomes, fix the exclusions you missed, and only then enable it. One caveat: report-only policies that require a compliant device may prompt users on macOS, iOS and Android to choose a device certificate during evaluation even though compliance is not being enforced.

Apply MFA and Device Compliance Together

The strongest conditional access policies link who the user is (MFA) with what they are using (a compliant or hybrid-joined device). Requiring both means a phished password, or even a phished MFA response, is not enough on its own; the attacker would also need a managed device.

Prioritize Risk-Based Policies

Identity protection features in Microsoft Entra ID (Entra ID Protection, which requires Entra ID P2 licensing) expose two risk signals that CA policies can use as conditions. User risk is the probability that an identity is compromised, for example because its credentials appeared in a leaked credential dump. Sign-in risk is the probability that a particular authentication was not performed by the account owner, based on signals such as an anonymous IP address, atypical travel or a password-spray pattern. A policy can then, for example, require a password change for users at high risk and MFA for medium- or high-risk sign-ins.

Designing Conditional Access Based on Risk Levels

Use conditional access policy best practices to assign access based on risk level:

  • High user risk: Require MFA and a secure password change, or block access. Remediating the risk this way requires the user to be registered for MFA and self-service password reset.
  • Medium or high sign-in risk: Require MFA (and, for the riskiest sign-ins, a compliant device).
  • Low or no risk: The baseline applies, which already means MFA for all users and legacy authentication blocked.

Requiring MFA on a risky sign-in, rather than blocking, lets legitimate users self-remediate and clears the risk automatically when they succeed; block only where the risk is high and the resource justifies the disruption.
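The two risk-based policies described above, as an added example that is not code from the original article, created with the Microsoft Graph PowerShell SDK. They need Entra ID P2 for the risk signals to exist; the emergency-access object IDs and the policy names are placeholders assumed for this example.

```powershell
# Added example: risk-based Conditional Access policies via Microsoft Graph PowerShell.
# Requires Entra ID P2 (Entra ID Protection supplies the risk signals). Placeholders
# (assumptions): the emergency-access object IDs and the policy names.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlass = @('00000000-0000-0000-0000-000000000001',
                '00000000-0000-0000-0000-000000000002')
$allUsers   = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
$allApps    = @{ includeApplications = @('All') }

# High user risk: Entra ID Protection believes the credentials themselves are
# compromised. Require MFA AND a password change (operator AND) so the user proves
# possession of the second factor before the password is rotated.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA010 - High user risk: require MFA and password change'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = $allApps
        users          = $allUsers
        userRiskLevels = @('high')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}

# Medium or high sign-in risk (anonymous IP, atypical travel, spray pattern, ...):
# step up to MFA and demand it on every such sign-in, even inside an existing
# session, so a risky authentication never rides on an earlier MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = 'CA011 - Medium and high sign-in risk: require MFA'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        clientAppTypes   = @('all')
        applications     = $allApps
        users            = $allUsers
        signInRiskLevels = @('medium', 'high')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; frequencyInterval = 'everyTime' }
    }
}
```

Because the grant for the user-risk policy is MFA plus a password change, users must already be registered for MFA and self-service password reset; if they are not, the policy locks them out instead of remediating them, and the report-only run will show that as a would-be failure.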

Conditional Access for Remote and Hybrid Workforces

Flexible policies make sense for a flexible workforce. Follow these conditional access best practices:

  • Use location as a condition, not as an exemption. Define a named location for your corporate network and require a compliant or hybrid-joined device for every connection from outside it.
  • Set session controls for unmanaged devices if you must allow access from personal devices: browser-only access, no persistent browser session, a short sign-in frequency, and app-enforced restrictions (limited, download-free access in Exchange Online and SharePoint Online).

Monitoring and Auditing Conditional Access Policies

Continuous monitoring is a critical best practice for conditional access policies. Be sure to:

  • Review the sign-in logs regularly to see which policies were applied to each sign-in and with what result (success, failure, not applied, or the report-only equivalents).
  • Use the Conditional Access insights and reporting workbook to understand the impact of your policies.
  • Review policies every 6-12 months and retire those that no longer serve a purpose; a policy that never applies to any sign-in is a candidate.
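For both the report-only advice earlier and the log review just listed, here is an added example, not code from the original article, that pulls recent sign-ins with the Microsoft Graph PowerShell SDK (Get-MgAuditLogSignIn) and summarises the report-only outcomes per policy. The seven-day window is an assumption; adjust it to the length of your report-only soak.

```powershell
# Added example: measure report-only Conditional Access outcomes from the sign-in logs.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Look back seven days (assumption: match this to your report-only soak period).
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in carries the evaluation result of each CA policy. The reportOnly*
# results say what would have happened had the policy been enabled.
$reportOnly = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -like 'reportOnly*') {
            [pscustomobject]@{
                Policy = $p.DisplayName
                Result = $p.Result           # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
                Client = $s.ClientAppUsed    # 'Browser', 'Exchange ActiveSync', 'IMAP4', 'Other clients', ...
                When   = $s.CreatedDateTime
            }
        }
    }
}

# 1. Would-be failures per policy. A high count on the legacy-auth block means real
#    users still have basic-auth clients to migrate before you enforce it.
$reportOnly | Where-Object Result -eq 'reportOnlyFailure' |
    Group-Object Policy | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. The users, apps and clients behind those failures, for follow-up.
$reportOnly | Where-Object Result -eq 'reportOnlyFailure' |
    Sort-Object Policy, User -Unique |
    Format-Table Policy, User, App, Client -AutoSize

# 3. Policies that were evaluated but never applied to any sign-in in the window
#    are candidates for the 6-12 month clean-up.
$signIns.AppliedConditionalAccessPolicies |
    Group-Object DisplayName |
    Select-Object Name, @{ n = 'AppliedCount'; e = {
        @($_.Group | Where-Object { $_.Result -notin @('notApplied', 'reportOnlyNotApplied') }).Count } } |
    Sort-Object AppliedCount |
    Format-Table -AutoSize
```

Get-MgAuditLogSignIn returns interactive user sign-ins; the window you can query is bounded by the tenant's log retention, so run this on a schedule and keep the output if the soak period is longer than that.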

Common Mistakes When Implementing Conditional Access

Following the conditional access policy best practices helps you avoid errors such as:

  • Not excluding emergency access accounts. At least two emergency access ("break glass") accounts should be excluded from every CA policy. Make them cloud-only rather than federated or synced, give them long unique passwords stored offline, and alert on any sign-in by them. These accounts are your only path to remediation if a policy locks out all administrators.
  • Creating over-complicated policies. Keep each policy simple and focused. It is better to have 10 simple policies than a single one that is difficult to troubleshoot.
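An added check, not code from the original article, that audits every active policy for the emergency-access exclusion with the Microsoft Graph PowerShell SDK. The two object IDs are placeholders for your own accounts; the check looks at direct user exclusions, so if you exclude the accounts through a group, compare Conditions.Users.ExcludeGroups against that group's ID instead.

```powershell
# Added example: verify that every enabled or report-only CA policy excludes the
# emergency-access accounts. Placeholder object IDs (assumption): replace with yours.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

$breakGlass = @('00000000-0000-0000-0000-000000000001',
                '00000000-0000-0000-0000-000000000002')

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # Disabled policies enforce nothing, so only enabled and report-only ones matter.
    if ($policy.State -eq 'disabled') { continue }

    # Direct user exclusions only; a group-based exclusion lives in ExcludeGroups.
    $excluded = @($policy.Conditions.Users.ExcludeUsers)
    $missing  = $breakGlass | Where-Object { $_ -notin $excluded }
    if ($missing) {
        [pscustomobject]@{
            Policy  = $policy.DisplayName
            State   = $policy.State
            Missing = ($missing -join ', ')
        }
    }
}

if ($findings) {
    Write-Warning 'Policies that do not exclude every emergency-access account:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'All active policies exclude the emergency-access accounts.'
}
```

Run this after every policy change, or on a schedule; a policy created from the portal with the wrong template is the usual way the exclusion gets lost.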

Summary: Building Effective and Balanced Conditional Access Policies

An effective CA strategy is built on the foundation of zero trust. Conditional access policy best practices start with basic controls like MFA for all and blocking legacy authentication. It then adds layers of risk-based controls and compliance checks to create a robust security posture.

FAQs

Can conditional access reduce MFA prompts?

Yes. Session controls let you set the sign-in frequency, which is how long a session may last before the user must authenticate again (by default a rolling 90-day window). Combined with a persistent browser session, this lets users on a trusted or compliant device stay signed in without a fresh MFA prompt for the period you choose. Scope the longer frequency to managed devices only; on unmanaged devices a short frequency is the safer setting.
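Serving both the remote-workforce advice earlier (session controls for unmanaged devices) and this question (fewer prompts on managed devices), here is an added example, not code from the original article, of the two complementary policies created with the Microsoft Graph PowerShell SDK. The emergency-access object IDs, the policy names and the 1-hour and 30-day frequencies are assumptions for this example.

```powershell
# Added example: session-control policies for unmanaged versus managed devices.
# Placeholders (assumptions): emergency-access object IDs, policy names, frequencies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlass = @('00000000-0000-0000-0000-000000000001',
                '00000000-0000-0000-0000-000000000002')
$allUsers   = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
$allApps    = @{ includeApplications = @('All') }

# A device filter in 'exclude' mode takes compliant and hybrid-joined devices
# (trustType ServerAD) out of scope, so the policy only applies to unmanaged ones.
$unmanagedOnly = @{
    deviceFilter = @{
        mode = 'exclude'
        rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
    }
}

# Unmanaged (personal) devices: browser only, MFA, no persistent session, re-authenticate
# hourly, and let Exchange Online / SharePoint Online apply their limited-access mode.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = 'CA020 - Unmanaged devices: restricted browser session'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        clientAppTypes = @('browser')
        applications   = $allApps
        users          = $allUsers
        devices        = $unmanagedOnly
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency                 = @{ isEnabled = $true; value = 1; type = 'hours'; frequencyInterval = 'timeBased' }
        persistentBrowser               = @{ isEnabled = $true; mode = 'never' }
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

# Managed devices: the device signal carries the trust, so a long sign-in frequency
# plus a persistent browser session is what actually reduces MFA prompts.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = 'CA021 - Managed devices: 30-day sign-in frequency'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        applications   = $allApps
        users          = $allUsers
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; value = 30; type = 'days'; frequencyInterval = 'timeBased' }
        persistentBrowser = @{ isEnabled = $true; mode = 'always' }
    }
}
```

The two policies do not overlap because the first excludes managed devices by filter and the second requires them by grant control; if both matched the same sign-in, the shortest sign-in frequency and the most restrictive persistent-browser setting would win.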

How many conditional access policies should I have?

There is no set number. But a manageable implementation for a medium or large organization often falls between 10 and 30 policies. Quantity isn’t the primary concern – it’s clarity and simplicity. Aim for policies that are easily understandable rather than a few overly complex ones.

Can conditional access alert me when a risky sign-in occurs?

CA itself does not send alerts. It can, however, use the User Risk and Sign-in Risk signals from Microsoft Entra ID Protection as conditions to enforce an action such as requiring MFA or blocking the sign-in. To be alerted when risky sign-ins occur, forward the sign-in, audit and risk detection logs to Microsoft Sentinel or another security information and event management (SIEM) tool and build detections there; Entra ID Protection can also email its "users at risk detected" notification to the administrators you configure.
