Overview

Zero Trust is a security model that assumes breach and verifies every request. Microsoft Entra ID Conditional Access is the Zero Trust policy engine that evaluates signals and enforces access decisions for every authentication attempt.

Who Should Use This Guide:

Security administrators implementing Zero Trust architecture
Identity engineers managing Entra ID
Compliance teams enforcing security policies
Organizations moving beyond perimeter-based security

Zero Trust Principles:

Principle	Implementation
Verify explicitly	Always authenticate and authorize based on all available data points
Use least privilege access	Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA)
Assume breach	Minimize blast radius and segment access; verify end-to-end encryption

Conditional Access Signal Evaluation:

┌─────────────────────────────────────────────────────────┐
│              Conditional Access Decision                 │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  SIGNALS                    DECISION       ENFORCEMENT  │
│  ┌────────────┐                                         │
│  │   User     │────┐                                    │
│  │  Identity  │    │        ┌──────────┐               │
│  └────────────┘    │        │          │               │
│  ┌────────────┐    │        │  Allow   │───▶ Access    │
│  │   Device   │────┼───────▶│    or    │    Granted   │
│  │   State    │    │        │  Block   │               │
│  └────────────┘    │        │    or    │               │
│  ┌────────────┐    │        │ Require  │───▶ MFA/      │
│  │  Location  │────┤        │  Grant   │   Compliant  │
│  │   (IP)     │    │        │ Controls │               │
│  └────────────┘    │        └──────────┘               │
│  ┌────────────┐    │                                   │
│  │   Risk     │────┘                                   │
│  │   Level    │                                        │
│  └────────────┘                                        │
│                                                         │
└─────────────────────────────────────────────────────────┘

Requirements

Licensing Requirements:

Feature	Required License
Basic Conditional Access	Entra ID P1
Risk-based policies	Entra ID P2
Continuous access evaluation	Entra ID P1/P2
Authentication context	Entra ID P1
Device compliance	Microsoft Intune

Planning Prerequisites:

Item	Description
Break-glass accounts	Emergency access accounts excluded from CA
Named locations	Define trusted network locations
Device compliance policies	Intune policies for device health
User groups	Define groups for phased rollout

Process

Step 1: Create Break-Glass Accounts

Before implementing Conditional Access, create emergency access accounts to prevent lockout.

Create Emergency Access Accounts:

Navigate to Entra admin center → Users → New user
Create two accounts:
- emergency-access-01@domain.com
- emergency-access-02@domain.com
Assign Global Administrator role
Use complex, unique passwords (store in secure vault)
Do NOT enable MFA on these accounts

Secure the Accounts:

Security Control	Implementation
Password complexity	24+ character randomly generated
Password storage	Physical safe or secure vault (split custody)
Monitoring	Alert on any sign-in activity
Regular testing	Monthly sign-in verification

Create Exclusion Group:

Navigate to Groups → New group
Create: CA-Exclude-BreakGlass
Add both emergency access accounts
Document this group - it will be excluded from all CA policies

Verification: Sign in with emergency account works without MFA or other restrictions.

Step 2: Configure Named Locations

Define trusted network locations to use in Conditional Access policies.

Navigate to: Entra admin center → Protection → Conditional Access → Named locations

Create Corporate Network Location:

Click + Countries location or + IP ranges location
For IP ranges:
- Name: Corporate-Offices
- Mark as trusted location: Yes
- IP ranges: Add corporate public IPs

Example IP Ranges:
203.0.113.0/24    (Main office)
198.51.100.0/24   (Branch office)
192.0.2.0/24      (Data center)

Create Country-Based Location:

Click + Countries location
Name: Allowed-Countries
Determine location by: IP address
Select countries where your organization operates

Mark Trusted Locations:

Location Type	Trust Setting	Use Case
Corporate offices	Trusted	Reduce MFA friction for on-site users
VPN egress IPs	Trusted	VPN users treated as internal
Partner networks	Not trusted	Always verify partner access
Countries	N/A	Geographic restrictions only

Step 3: Create Baseline Policies

Implement foundational Conditional Access policies following Microsoft best practices.

Policy 1: Require MFA for All Users

Navigate to: Conditional Access → Create new policy

Name: CA001-Require-MFA-AllUsers
State: Report-only (initially)
 
Users:
  Include: All users
  Exclude:
    - CA-Exclude-BreakGlass
    - Directory sync accounts
 
Cloud apps:
  Include: All cloud apps
 
Conditions:
  Client apps:
    - Browser
    - Mobile apps and desktop clients
 
Grant:
  Require authentication strength: Multifactor authentication

Policy 2: Block Legacy Authentication

Name: CA002-Block-LegacyAuth
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include: All cloud apps
 
Conditions:
  Client apps:
    - Exchange ActiveSync clients
    - Other clients
 
Grant:
  Block access

Policy 3: Require Compliant Device for Office 365

Name: CA003-Require-CompliantDevice-O365
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include: Office 365
 
Conditions:
  Device platforms:
    - Windows
    - iOS
    - Android
    - macOS
 
Grant:
  Require one of the following:
    - Require device to be marked as compliant
    - Require Hybrid Azure AD joined device

Policy 4: Block Access from Untrusted Locations

Name: CA004-Block-UntrustedCountries
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include: All cloud apps
 
Conditions:
  Locations:
    Include: All locations
    Exclude: Allowed-Countries
 
Grant:
  Block access

Step 4: Implement Risk-Based Policies

Use Identity Protection risk signals to dynamically adjust access requirements.

Requires: Entra ID P2 license

Policy 5: Require MFA for Medium/High Sign-in Risk

Name: CA005-SignInRisk-RequireMFA
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include: All cloud apps
 
Conditions:
  Sign-in risk:
    - Medium
    - High
 
Grant:
  Require authentication strength: Multifactor authentication
 
Session:
  Sign-in frequency: Every time

Policy 6: Require Password Change for High User Risk

Name: CA006-UserRisk-PasswordChange
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include: All cloud apps
 
Conditions:
  User risk:
    - High
 
Grant:
  Require password change
  Require multifactor authentication

Risk Level Explanations:

Risk Level	Example Triggers
Low	Unusual properties for user
Medium	Unfamiliar sign-in properties, anonymous IP
High	Leaked credentials, impossible travel, malware-linked IP

Step 5: Configure Phishing-Resistant MFA

Implement strong authentication methods that resist phishing attacks.

Navigate to: Entra admin center → Protection → Authentication methods

Enable FIDO2 Security Keys:

Go to Authentication methods → FIDO2 security key
Enable for target groups
Configure key restrictions if needed

Enable Windows Hello for Business:

Go to Authentication methods → Windows Hello for Business
Enable for all users or target groups
Configure: Require security key for sign-in: Yes

Enable Passkeys (Microsoft Authenticator):

Go to Authentication methods → Microsoft Authenticator
Enable for all users
Authentication mode: Passkey (preview)

Create Authentication Strength:

Navigate to Protection → Authentication methods → Authentication strengths
Click + New authentication strength
Create: Phishing-Resistant-MFA
Select:
- FIDO2 security key
- Windows Hello for Business
- Passkey in Microsoft Authenticator

Apply to Sensitive Apps:

Name: CA007-PhishResistant-SensitiveApps
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include:
    - Azure portal
    - Microsoft 365 admin center
    - Microsoft Intune
 
Grant:
  Require authentication strength: Phishing-Resistant-MFA

Step 6: Protect Privileged Accounts

Apply enhanced controls to administrative accounts.

Policy 8: Require Compliant Device for Admin Portals

Name: CA008-AdminPortals-CompliantDevice
State: Report-only
 
Users:
  Include:
    - Directory roles: All privileged roles
 
Cloud apps:
  Include:
    - Microsoft Azure Management
    - Microsoft 365 admin center
    - Microsoft Intune
    - Microsoft Entra admin center
 
Grant:
  Require all of the following:
    - Require authentication strength: Phishing-Resistant-MFA
    - Require device to be marked as compliant
 
Session:
  Sign-in frequency: 4 hours
  Persistent browser session: Never persistent

Policy 9: Block Admin Access from Non-Trusted Locations

Name: CA009-AdminPortals-TrustedLocations
State: Report-only
 
Users:
  Include: Directory roles (all privileged roles)
 
Cloud apps:
  Include: Microsoft Azure Management
 
Conditions:
  Locations:
    Include: All locations
    Exclude:
      - Corporate-Offices
      - Trusted VPN IPs
 
Grant:
  Block access

Step 7: Configure Session Controls

Implement session-based controls for additional security.

Sign-in Frequency:

Resource Type	Recommended Frequency
Regular apps	90 days
Sensitive apps	12 hours
Admin portals	4 hours
High-risk sessions	Every time

Persistent Browser Sessions:

Name: CA010-Session-Controls
State: Report-only
 
Users:
  Include: All users
  Exclude: CA-Exclude-BreakGlass
 
Cloud apps:
  Include: All cloud apps
 
Conditions:
  Device state:
    Exclude: Devices marked as compliant
 
Session:
  Sign-in frequency: 1 day
  Persistent browser session: Never persistent

Continuous Access Evaluation (CAE):

CAE is automatically enabled for supported apps and provides near real-time policy enforcement:

Token revocation on password change
Token revocation on user disable
Location policy changes enforced immediately

Step 8: Test in Report-Only Mode

All policies should be tested in Report-only mode before enforcement.

Analyze Policy Impact:

Navigate to Conditional Access → Insights and reporting
Select date range and specific policies
Review:
- Users who would be blocked
- Users who would be required to complete grant controls
- Success/failure breakdown

What-If Tool:

Navigate to Conditional Access → What If
Enter test parameters:
- Select user
- Select cloud app
- Set conditions (location, device, risk)
Click What If
Review which policies would apply

Phased Rollout:

Phase	Duration	Scope
1	2 weeks	IT department only
2	2 weeks	Pilot group (5% of users)
3	2 weeks	Extended pilot (25% of users)
4	1 week	All users (enforcement)

Step 9: Enable Policies

After successful testing, enable policies in production.

Enabling Checklist:

Report-only data reviewed for each policy
No unexpected blocks or failures
Break-glass accounts tested and excluded
Help desk briefed on expected user experience
Communication sent to affected users
Rollback plan documented

Enable Policies:

Navigate to each policy
Change Enable policy from Report-only to On
Save changes
Monitor for issues in first 24-48 hours

Enable Order (Recommended):

CA002 - Block Legacy Auth (low user impact)
CA001 - Require MFA All Users
CA003 - Require Compliant Device
CA004-CA010 - Additional policies

Troubleshooting

Common Issues:

Symptom	Possible Cause	Solution
Unexpected block	Multiple policies combining	Use What-If tool; check grant controls
MFA prompt loop	Authentication method not registered	Verify user has valid MFA method
Device not compliant	Intune sync delay	Sync device in Company Portal; wait 15 min
Sign-in from blocked location	VPN IP not in trusted locations	Add VPN egress IPs to named locations
Break-glass account blocked	Exclusion group not applied	Verify group membership; check policy exclusions

Diagnostic Steps:

# View user's sign-in logs
Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogSignIn -Filter "userId eq '<user-id>'" -Top 10
 
# Check Conditional Access policy application
Get-MgAuditLogSignIn -Filter "userId eq '<user-id>'" | Select-Object -ExpandProperty AppliedConditionalAccessPolicies

Sign-in Log Analysis:

Navigate to: Entra admin center → Monitoring → Sign-in logs

Filter by user or application
Click specific sign-in event
Review Conditional Access tab
Check Report-only vs Applied policies

Security Considerations

Policy Naming Convention:

Use consistent naming for easier management:

CA[###]-[Action]-[Target]
Examples:
CA001-Require-MFA-AllUsers
CA002-Block-LegacyAuth
CA003-Require-Compliance-O365

Regular Policy Review:

Review Item	Frequency
Break-glass account testing	Monthly
Policy effectiveness	Quarterly
Named locations accuracy	Quarterly
Excluded groups audit	Monthly

Avoid Common Mistakes:

Mistake	Impact	Prevention
Blocking all access to Azure portal	Admin lockout	Always exclude break-glass; test in report-only
Forgetting service accounts	App failures	Create service account exclusion group
Overlapping conflicting policies	Unpredictable behavior	Use What-If tool; document policy interactions
Not excluding device registration	Enrollment failures	Exclude device registration cloud apps

Verification Checklist

Configuration:

Break-glass accounts created and secured
Named locations configured (corporate IPs, countries)
Authentication methods enabled (FIDO2, WHfB)
Custom authentication strengths created
Device compliance policies in Intune

Policies Implemented:

Require MFA for all users
Block legacy authentication
Require compliant device for Office 365
Block untrusted countries
Risk-based policies (sign-in and user risk)
Phishing-resistant MFA for sensitive apps
Privileged account protections

Validation:

All policies tested in Report-only mode
What-If tool validated for key scenarios
Break-glass accounts can sign in without CA
Help desk trained on user experience
Rollback procedures documented

Next Steps

After implementing Conditional Access:

Enable Identity Protection - Configure risk remediation policies
Implement PIM - Just-in-time privileged access
Deploy Certificate-Based Auth - Enterprise certificate authentication
Configure Access Reviews - Regular entitlement reviews

References

Last Updated: February 2026