Conditional access is Entra ID's most powerful security control — and the one most likely to either leave gaps or lock out your own team if it's designed poorly. The goal isn't maximum restriction; it's risk-proportionate access.
Start with a baseline, not an all-or-nothing policy
Rather than one giant policy trying to cover every scenario, build a layered set: a baseline MFA requirement for everyone, then progressively stricter policies for higher-risk scenarios (admin roles, sensitive apps, unmanaged devices).
The policies that matter most
- Require MFA for all users — the single highest-impact policy you can deploy.
- Block legacy authentication — protocols like POP, IMAP, and older Office clients don't support modern auth and bypass conditional access entirely.
- Require compliant or hybrid-joined devices for sensitive apps — separates managed corporate devices from personal or unknown devices.
- Require MFA for Azure management — protects your cloud infrastructure specifically, separate from general app access.
- Block access by location — restrict sign-ins from countries where you have no employees or business need, as a coarse but effective filter.
Avoiding the lockout trap
Testing before enforcing
Entra ID's "Report-only" mode lets you see exactly who would be blocked by a new policy before it actually enforces anything. Run every new policy in report-only for at least a week, review the sign-in logs for unexpected impact, then switch to enforced.
Session controls matter as much as sign-in controls
Conditional access isn't just about the login moment — session controls let you force reauthentication after a set period, restrict downloads on unmanaged devices, or limit session duration entirely for high-risk applications. This is especially relevant for SaaS companies handling customer data, where a stolen or shared laptop session is a real risk vector.
Bottom line
Well-designed conditional access should be invisible to legitimate users doing normal work, and a hard wall against everything else. If your team is complaining about being blocked constantly, the policies need tuning — not removal.