Security Operations · 6 min read

Conditional Access Policies Every Organization Should Review

The Microsoft Entra Conditional Access policies we recommend every organization review at least quarterly, with the specific signals and exclusions to check.

By Alexander Starostin · 31 July 2026

Conditional Access is the most powerful identity control available in Microsoft 365. It is also the easiest to misconfigure in a way that is invisible until it matters. Every Conditional Access engagement Cleverina runs reviews the same core policy set; this article documents the list so you can run the review yourself.

1. Block legacy authentication

Legacy authentication protocols cannot enforce MFA and are a primary target for password-spray attacks. There should be a Conditional Access policy that blocks legacy auth for all users, with no exclusions other than documented service accounts that have a compensating control. If your tenant does not have this policy, it is the first one to create.

2. Require MFA for all users — with phishing-resistant methods preferred

Baseline MFA for all users is table stakes. The review questions are: which authentication methods are permitted, are SMS and voice still allowed, and is phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based authentication) the preferred method? Migrating away from SMS should be on the roadmap if it is still in use.

3. Require MFA for administrators with stricter controls

Privileged roles should have their own Conditional Access policy requiring phishing-resistant MFA, compliant or hybrid-joined devices, and ideally session controls that prevent persistent sign-ins. Combine with Privileged Identity Management so the role is just-in-time, not standing.

4. Block or restrict access from unmanaged devices

For sensitive applications — Exchange, SharePoint, admin portals — access from unmanaged devices should be restricted, with browser-only sessions and download controls applied via app-enforced restrictions or Defender for Cloud Apps session policies. Full block is the cleanest option where the workforce allows it.

5. Risk-based policies

If the tenant is licensed for Entra ID P2, sign-in risk and user risk policies should be enabled. Typical configuration: medium sign-in risk requires MFA, high sign-in risk blocks the sign-in, and high user risk requires a secure password change. Without these, Identity Protection telemetry is generated and ignored.

6. Country and location controls

Named locations should be defined for trusted countries and corporate offices. A policy blocking sign-ins from countries where the organization has no users or business — refreshed at least annually — removes a large category of opportunistic attack traffic. Pair with a separate policy covering impossible-travel scenarios.

7. Device compliance enforcement

If Intune is in use, Conditional Access should require devices to be compliant for access to Microsoft 365 services. The review confirms that every supported device platform has a compliance policy, that the policies are enforced and not just monitored, and that grace periods have not been left open indefinitely.

8. Exclusions, break-glass and reporting

Every Conditional Access policy needs a documented break-glass exclusion (typically two cloud-only accounts with FIDO2 keys, monitored for use). Review every other exclusion every quarter — temporary exclusions tend to become permanent. Run the policies in report-only mode after any significant change before flipping them back to enabled.
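The checks in items 1, 5 and 8 can be run offline against an exported policy set rather than by clicking through the portal. The script below is an added example and is not code from the article or from Cleverina; it assumes the export is in the shape of the Microsoft Graph conditionalAccessPolicy collection (a `value` array of policy objects, as returned by the `/identity/conditionalAccess/policies` endpoint), and the policy names, account ids and the `policy()` builder are constructed for this example. It reports a legacy-auth block that is missing or scoped too loosely, missing risk-based policies, any non-disabled policy that does not exclude both break-glass accounts, and policies left in report-only mode.

```python
"""Offline checks over an exported Conditional Access policy set (items 1, 5 and 8)."""
import json
import sys

# Object ids of the two break-glass accounts (constructed for this example).
BREAK_GLASS = ["bg-0001", "bg-0002"]

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients", "all"}


def policy(name, state, client_apps, grant, exclude, sign_in_risk=(), user_risk=()):
    """Build one policy in the shape of the Graph conditionalAccessPolicy resource (constructed data)."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude), "excludeGroups": []},
            "clientAppTypes": list(client_apps),
            "signInRiskLevels": list(sign_in_risk), "userRiskLevels": list(user_risk),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(grant)},
    }


# Constructed sample export: one tenant with four policies and the gaps a review should catch.
SAMPLE_EXPORT = {"value": [
    policy("CA001 - Block legacy authentication", "enabled",
           ["exchangeActiveSync", "other"], ["block"], BREAK_GLASS),
    policy("CA002 - Require MFA for all users", "enabled",
           ["browser", "mobileAppsAndDesktopClients"], ["mfa"], ["bg-0001"]),   # second break-glass account missing
    policy("CA005 - Medium sign-in risk requires MFA", "enabled",
           ["all"], ["mfa"], BREAK_GLASS, sign_in_risk=["medium"]),
    policy("CA006 - High sign-in risk blocks", "enabledForReportingButNotEnforced",
           ["all"], ["block"], BREAK_GLASS, sign_in_risk=["high"]),            # never flipped to enabled
]}


def is_enabled(p):
    return p.get("state") == "enabled"


def grant_controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def blocks_legacy_auth(p):
    """Item 1: enabled, scoped to all users, targets only legacy client types, grant control is block."""
    apps = set(p["conditions"].get("clientAppTypes") or [])
    return (is_enabled(p)
            and "All" in p["conditions"]["users"].get("includeUsers", [])
            and LEGACY_CLIENT_TYPES <= apps and not (apps & MODERN_CLIENT_TYPES)
            and grant_controls(p) == {"block"})


def risk_policy_present(policies, level_key, level, control):
    """Item 5: some enabled policy applies `control` at the given risk level."""
    return any(is_enabled(p) and level in (p["conditions"].get(level_key) or [])
               and control in grant_controls(p) for p in policies)


def review(export, break_glass=BREAK_GLASS):
    """Return a list of findings; an empty list means the checked items pass."""
    policies = export["value"]
    findings = []
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("no enabled policy blocks legacy authentication for all users")
    for level_key, level, control, label in (
        ("signInRiskLevels", "medium", "mfa", "medium sign-in risk requires MFA"),
        ("signInRiskLevels", "high", "block", "high sign-in risk is blocked"),
        ("userRiskLevels", "high", "passwordChange", "high user risk requires a password change"),
    ):
        if not risk_policy_present(policies, level_key, level, control):
            findings.append(f"no enabled policy ensures {label}")
    for p in policies:                       # item 8: break-glass exclusion and report-only leftovers
        if p.get("state") == "disabled":
            continue
        excluded = set(p["conditions"]["users"].get("excludeUsers") or [])
        for account in sorted(set(break_glass) - excluded):
            findings.append(f"{p['displayName']}: break-glass account {account} is not excluded")
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"{p['displayName']}: still in report-only mode; confirm it is due to be enabled")
    return findings


if __name__ == "__main__":
    # Pass a path to a real export ({"value": [...]}) to review it; otherwise use the sample.
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for line in review(export) or ["no findings"]:
        print(line)
```

The legacy-auth check is deliberately strict: a policy that blocks `exchangeActiveSync` and `other` but also lists modern client types would block all sign-ins, so it is not counted, and a block policy in report-only state is not counted either. Run with a file path to review a real export; on the constructed sample it reports the four gaps built into it.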

An anonymized example

A 250-person organization had nine Conditional Access policies, six of which had user or group exclusions added over the previous year for various project-driven reasons. None of the exclusions were documented. A quarterly review identified that two excluded groups contained members no longer involved in the original projects, including one with privileged role assignments. The exclusions were removed within an afternoon. No control gap had been exploited — but the window had been open for months.

Practical recommendations

  • Schedule a quarterly Conditional Access review with a documented checklist.
  • Treat every exclusion as a time-bound exception with an owner and renewal date.
  • Use report-only mode before enabling any significant policy change.
  • Export the policy set regularly as part of your governance evidence pack.
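The second recommendation, treating every exclusion as a time-bound exception, is only enforceable if the exclusions in the tenant are reconciled against a register. The script below is an added example, not code from the article or from Cleverina; it assumes a simple register of exceptions (policy, principal, owner, renewal date, reason) and takes the exclusions as already pulled out of an exported policy set, with all policy names, group and account ids constructed for the example. It flags exclusions with no register entry, entries whose renewal date has passed, and register entries that no longer match any exclusion.

```python
"""Reconcile Conditional Access exclusions against an exception register (constructed data)."""
from datetime import date

# Break-glass accounts are permanent and documented separately, so they are not treated as exceptions.
BREAK_GLASS = {"bg-0001", "bg-0002"}

# Constructed: the user and group exclusions found in each exported policy.
EXPORTED_EXCLUSIONS = {
    "CA002 - Require MFA for all users": {
        "users": {"bg-0001", "bg-0002", "svc-scanner"},
        "groups": {"grp-project-atlas"},
    },
    "CA004 - Block unmanaged devices": {
        "users": {"bg-0001", "bg-0002"},
        "groups": {"grp-project-atlas", "grp-contractors-2025"},
    },
}

# Constructed exception register: each non-break-glass exclusion needs an owner and a renewal date.
REGISTER = [
    {"policy": "CA002 - Require MFA for all users", "principal": "svc-scanner",
     "owner": "infra-team", "renews": date(2026, 12, 31),
     "reason": "vulnerability scanner service account; compensating control: source IP restricted"},
    {"policy": "CA004 - Block unmanaged devices", "principal": "grp-project-atlas",
     "owner": "pm-atlas", "renews": date(2026, 3, 31),
     "reason": "project laptops pending Intune enrolment"},
]


def review_exclusions(exported, register, today, break_glass=BREAK_GLASS):
    """Return findings for undocumented, expired and stale exclusions; empty list means clean."""
    findings = []
    documented = {(e["policy"], e["principal"]): e for e in register}
    seen = set()
    for policy_name, excl in exported.items():
        for principal in sorted(excl["users"] | excl["groups"]):
            if principal in break_glass:
                continue
            entry = documented.get((policy_name, principal))
            if entry is None:
                findings.append(f"{policy_name}: exclusion '{principal}' has no register entry "
                                "(no owner, no renewal date)")
                continue
            seen.add((policy_name, principal))
            if entry["renews"] < today:
                findings.append(f"{policy_name}: exclusion '{principal}' owned by {entry['owner']} "
                                f"expired on {entry['renews'].isoformat()}")
    # Register entries with no matching exclusion are closed exceptions that were never recorded as closed.
    for policy_name, principal in sorted(documented.keys() - seen):
        findings.append(f"{policy_name}: register entry for '{principal}' no longer matches an exclusion; close it")
    return findings


if __name__ == "__main__":
    for line in review_exclusions(EXPORTED_EXCLUSIONS, REGISTER, date(2026, 7, 31)) or ["no findings"]:
        print(line)
```

On the constructed data this surfaces the pattern from the anonymized example above: a project group excluded from two policies but registered for only one, an undocumented contractor group, and a registered exception whose renewal date passed months earlier without anyone closing it. The output is the evidence trail the quarterly review should keep alongside the exported policy set.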

Conclusion

Conditional Access rewards discipline and punishes drift. A short quarterly review using the list above catches most of the silent regressions before they become incidents. If you would like help running the first one or building it into a wider Microsoft governance program, our services page is a good starting point.
