Entra ID

Conditional Access Best Practices in Entra ID

Published July 6, 2026 · 6 min read

Conditional access is Entra ID's most powerful security control — and the one most likely to either leave gaps or lock out your own team if it's designed poorly. The goal isn't maximum restriction; it's risk-proportionate access.

Start with a baseline, not an all-or-nothing policy

Rather than one giant policy trying to cover every scenario, build a layered set: a baseline MFA requirement for everyone, then progressively stricter policies for higher-risk scenarios (admin roles, sensitive apps, unmanaged devices).

The policies that matter most

  1. Require MFA for all users — the single highest-impact policy you can deploy.
  2. Block legacy authentication — protocols like POP, IMAP, and older Office clients don't support modern auth and bypass conditional access entirely.
  3. Require compliant or hybrid-joined devices for sensitive apps — separates managed corporate devices from personal or unknown devices.
  4. Require MFA for Azure management — protects your cloud infrastructure specifically, separate from general app access.
  5. Block access by location — restrict sign-ins from countries where you have no employees or business need, as a coarse but effective filter.

Avoiding the lockout trap

Always maintain at least one emergency access ("break glass") account excluded from conditional access policies, with a long, complex password stored securely offline. Misconfigured conditional access is one of the most common causes of full tenant lockouts — don't let a policy update lock out every admin simultaneously.

Testing before enforcing

Entra ID's "Report-only" mode lets you see exactly who would be blocked by a new policy before it actually enforces anything. Run every new policy in report-only for at least a week, review the sign-in logs for unexpected impact, then switch to enforced.

Session controls matter as much as sign-in controls

Conditional access isn't just about the login moment — session controls let you force reauthentication after a set period, restrict downloads on unmanaged devices, or limit session duration entirely for high-risk applications. This is especially relevant for SaaS companies handling customer data, where a stolen or shared laptop session is a real risk vector.

Bottom line

Well-designed conditional access should be invisible to legitimate users doing normal work, and a hard wall against everything else. If your team is complaining about being blocked constantly, the policies need tuning — not removal.

Need help designing your conditional access policies?

We'll build a policy set tuned to your actual risk profile.