Azure Active Directory Conditional Access Policies: The 2025 Guide

Leave a Comment / IAM / By
An icon of a key unlocking an Azure padlock, symbolizing Azure Conditional Access policies granting secure, identity-based access.

Conditional Access (CA) is Microsoft Entra ID’s Zero-Trust policy engine: it evaluates signals (user, device, location, app, risk) and grants or blocks access—or requires stronger controls like MFA—based on context. Treat it as the front door to everything identity touches. Microsoft Learn

Executive summary (leaders’ cut)

  • Enforce stronger auth with Authentication Strengths and require phishing-resistant MFA for admins and sensitive apps. Microsoft Learn+1
  • Bind tokens to devices with Token Protection; pair with Continuous Access Evaluation (CAE) for near real-time revocation. Microsoft Learn+1
  • Extend CA to service principals via workload identities and adopt role-based scoping. Microsoft Learn+1
  • Block legacy auth, disable public access patterns, and stage every new policy in Report-only before enforcing. Microsoft Learn+1
  • Keep the keys: maintain two emergency access (“break-glass”) accounts excluded from CA—secured with passwordless methods. Microsoft Learn
An icon of a key unlocking an Azure padlock, symbolizing Azure Conditional Access policies granting secure, identity-based access.

What’s new & important in 2025

  • Authentication Strengths → Phishing-resistant MFA is now a first-class grant control (think FIDO2, WHfB, CBA). Use it for admins, high-risk users, and Tier-0 apps. Microsoft Learn+1
  • Token Protection (session control) cryptographically binds refresh tokens to a device, killing token replay from other hosts. Use Require token protection for sign-in sessions in CA. Microsoft Learn+1
  • Continuous Access Evaluation (CAE) enforces revocation and location/risk changes in near real time across Microsoft 365 workloads. Microsoft Learn+1
  • Workload Identities in CA let you apply CA to service principals—close gaps left by human-only policies. Microsoft Learn
  • Policy templates and an advanced deployment guide speed up secure baselines (good for replacing Security Defaults with granular CA). Microsoft Learn+1

Core building blocks (design once, reuse everywhere)

Signals & scope

  • Assignments: users, groups, directory roles, and workload identities. Use role targeting for admin scenarios, group for broad rollouts. Microsoft Learn
  • Target resources: cloud apps, user actions, and authentication contexts (apply stronger auth to specific actions within an app). Microsoft Learn
  • Access controls: Grant (MFA or authentication strength, compliant device, password change, terms of use), or Block. Microsoft Learn

Session & network awareness

  • Session controls: sign-in frequency, persistent browser session, Token Protection, Defender for Cloud Apps (CA App Control) for real-time in-app governance. Microsoft Learn+1
  • Locations: Named locations (countries/IP ranges; mark trusted) and GPS-based signals where appropriate. Microsoft Learn+1

The 10 essential Conditional Access policies (2025)

  1. Block legacy authentication
    Kill IMAP/POP/SMTP Basic and older clients. Start Report-only, fix exceptions, then enforce. Microsoft Learn
  2. Require MFA for all users (auth strength)
    Use Require authentication strength (base “MFA” or “Passwordless”) instead of the older “Require MFA” control. Stage per group, then widen. Microsoft Learn
  3. Require phishing-resistant MFA for administrators & Tier-0 apps
    Scope to built-in admin roles and critical apps; set Phishing-resistant MFA strength. Microsoft Learn+1
  4. Risk-adaptive access
    If sign-in risk is medium/high → require secure password change or block; user risk high → block until remediated. (Entra ID Protection signals.) Microsoft Learn+1
  5. Token Protection for sign-in sessions
    Require device-bound refresh tokens for browser/cloud apps where supported. Microsoft Learn
  6. Continuous Access Evaluation-aligned session controls
    Adopt CAE and sensible sign-in frequency for admin portals and finance/legal apps. Microsoft Learn+1
  7. Named locations policy
    Allow from trusted countries/IPs; block high-risk geos. Document exceptions; prefer device-based trust over location where possible. Microsoft Learn
  8. Require compliant or Entra-joined device for privileged access
    Pair with Intune compliance and PIM activation (JIT) for admin roles. Microsoft Learn
  9. Terms of Use (ToU) for admin portals & sensitive apps
    Gate access on ToU acceptance; require per-device acceptance if needed. Microsoft Learn
  10. Workload identities (service principals) CA
    Apply CA to non-human identities hitting sensitive APIs (location/risk conditions). Microsoft Learn

Safety net: keep two emergency access accounts excluded from CA (with passwordless strong auth) to avoid lockouts. Audit them quarterly. Microsoft Learn

Reference designs (ready-to-implement)

A. Admin roles → Phishing-resistant MFA

  • Users/roles: built-in admin roles (Global Admin, Privileged Role Admin, etc.).
  • Target resources: All resources.
  • Grant: Require authentication strength → Phishing-resistant MFA.
  • Exclusions: emergency access accounts. Stage in Report-only first. Microsoft Learn+2Microsoft Learn+2

B. Block legacy auth (tenant-wide)

  • Users: All users (exclude emergency access during rollout).
  • Conditions: Client apps → legacy auth.
  • Grant: Block access. Start Report-only and fix SMTP/POP app fallbacks before enforcing. Microsoft Learn

C. Token Protection for M365

  • Users: All users (phase by group).
  • Target: Microsoft 365 suite.
  • Session control: Require token protection for sign-in sessions. Monitor breakage, then enforce. Microsoft Learn

D. Risk-based sign-ins

  • Condition: Sign-in risk = Medium/High.
  • Grant: Require password change or block if unregistered for MFA. Microsoft Learn

E. External/B2B guests → Stronger auth

  • Users: Guests & external.
  • Grant: Authentication strength (at least MFA; for sensitive apps use Phishing-resistant). Microsoft Learn

How to roll out without breaking things

  1. Map dependencies & pilot
    Inventory apps and protocols that still rely on legacy auth. Flag SMTP/POP and legacy device profiles. Microsoft Learn
  2. Use Report-only (and the Insights & reporting workbook)
    See impact in sign-in logs before enforcing; fix edge cases first. Microsoft Learn+1
  3. Replace Security Defaults with CA templates
    If you move beyond Security Defaults, disable them and deploy Microsoft-recommended policy templates for a granular baseline. Microsoft Learn+1
  4. Name, group, and tier your policies
    Adopt a naming standard (CA-PRD-Admin-PhishResistantMFA) and tier by sensitivity.
  5. Exclude break-glass—securely
    Two emergency accounts, passwordless methods, strong storage process, periodic access reviews. Microsoft Learn

Admin tips that save you hours

  • Authentication context = apply stronger auth to a specific action (e.g., approve vendor payment) inside an app—less user friction overall. Microsoft Learn
  • Named locations: keep them accurate; prefer device and risk signals over location alone. Microsoft Learn
  • CAE + sign-in frequency: CAE handles revocation; don’t over-prompt users. Balance security with productivity. Microsoft Learn+1
  • Defender for Cloud Apps integration (CA App Control) enables session-level actions like watermarking, download blocks in SaaS. Microsoft Learn

30-Day Conditional Access plan (ship in sprints)

Week 1 – Baseline & safety net

  • Create two emergency access accounts; exclude from CA.
  • Turn on Report-only copies of: Block legacy auth, Require MFA (auth strength), Admin phishing-resistant MFA. Microsoft Learn+2Microsoft Learn+2

Week 2 – Risk & sessions

  • Add sign-in risk policy; scope to all users (exclude emergency accounts).
  • Pilot Token Protection with M365 apps for a subset; validate SSO device posture. Microsoft Learn+1

Week 3 – Network & external

  • Stand up Named locations (trusted ranges/countries).
  • Require stronger auth for guests/external on sensitive apps. Microsoft Learn+1

Week 4 – Enforce & monitor

  • Flip key policies from Report-only → On.
  • Monitor Insights & reporting, iterate based on sign-ins and user feedback. Microsoft Learn

FAQ

Is Conditional Access the same as Security Defaults?
No. Security Defaults are a basic, one-size-fits-most preset. Conditional Access is granular and replaces Security Defaults when you need custom policies. Don’t use both together. Microsoft Learn+1

What’s the difference between “Require MFA” and “Authentication Strength”?
“Require MFA” is legacy-style. Authentication Strength lets you specify which methods (e.g., Phishing-resistant MFA) must be used—ideal for admins and sensitive apps. Microsoft Learn

Do I still need VPN if I use CA and CAE?
CA/CAE protect identity paths and sessions; VPN solves network reachability. You can reduce VPN reliance for web/SaaS apps, but keep it for non-HTTP or legacy protocols. Microsoft Learn

How do I avoid locking myself out?
Maintain two emergency access accounts excluded from CA and secured with passwordless methods (e.g., FIDO2). Test quarterly. Microsoft Learn

Can I apply CA to service principals?
Yes—use Conditional Access for workload identities to control non-human access to APIs/resources.

No post found!

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe
Subscribe