Conditional access policies offer a powerful way to harden your Microsoft Entra tenant. They go beyond basic security defaults and give administrators granular control over specific conditions required for access. They allow for more precise controls, such as adjusting sign-in frequency and requiring MFA only for high-risk activities or sensitive resources.
Disable security defaults
To implement conditional access, first disable Microsoft’s security defaults. In the Microsoft Entra admin center, open Overview, then Properties, and toggle security defaults off. Whether security defaults are already enabled depends on when the tenant was created; organizations that signed up after 2019 most likely have them enabled. Once security defaults are disabled, you can create customized, flexible conditional access policies.
Core policies to replicate security defaults
When configuring conditional access, we recommend replicating the protections provided by security defaults using four core policies. Many of these are available as templates:
- Disable legacy authentication: Legacy authentication methods are less secure and should be blocked. While some older applications may still rely on them, most current environments no longer need them. You can apply this policy in report-only mode to detect potential issues before enforcement.
- Require MFA for all users, especially admins: MFA should be enabled wherever possible. Avoid SMS-based MFA due to SIM-swapping risks. Microsoft highlights the importance of MFA for IT staff and administrators, but it is equally important for all users. Unauthorized email access can lead to malicious file sync via OneDrive. MFA settings can be managed under the “identity users” menu, although Microsoft plans to move this control to the admin center in September.
- Require MFA for Azure management: This policy applies specifically to access attempts through tools like Azure CLI or the Azure portal.
- Exclude break-glass accounts: Emergency or automation accounts (sometimes called break-glass accounts) should typically be excluded from conditional access policies. We recommend creating a separate set of conditional access policies for these accounts so that they remain protected as well.
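The four core policies above expressed as Microsoft Graph conditionalAccessPolicy payloads, with a small lint check for the break-glass exclusion. This is an added example, not code from the article, from Microsoft or from ThreatLocker. The break-glass group id is a constructed placeholder; the Azure Service Management app id and the Global Administrator role template id are Microsoft's well-known values, and the policies default to report-only so they can be reviewed before enforcement.

```python
"""Core Conditional Access policies as Graph payloads, plus a break-glass lint.

Added illustration (not the article's or Microsoft's code). A payload built here
would be sent with POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
by a tool that already holds a Policy.ReadWrite.ConditionalAccess token.
"""
import json

# Placeholder id of the group holding emergency/automation accounts (constructed).
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000bad"

# Well-known app id of the Windows Azure Service Management API, which is what
# the Azure portal, Azure CLI and Azure PowerShell authenticate against.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Directory role template id for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Graph state values: report-only lets you read sign-in logs before enforcing.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"


def _base(name, state):
    """Skeleton policy: all users, all apps, break-glass group excluded."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def block_legacy_auth(state=REPORT_ONLY):
    # Legacy protocols surface as Exchange ActiveSync or "other" client app types.
    p = _base("CA001 - Block legacy authentication", state)
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def require_mfa_all_users(state=REPORT_ONLY):
    p = _base("CA002 - Require MFA for all users", state)
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def require_mfa_admins(state=REPORT_ONLY):
    # Targets the role rather than named users so new admins are covered automatically.
    p = _base("CA003 - Require MFA for administrators", state)
    p["conditions"]["users"] = {
        "includeRoles": [GLOBAL_ADMIN_ROLE_ID],
        "excludeGroups": [BREAK_GLASS_GROUP_ID],
    }
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def require_mfa_azure_management(state=REPORT_ONLY):
    p = _base("CA004 - Require MFA for Azure management", state)
    p["conditions"]["applications"] = {"includeApplications": [AZURE_MANAGEMENT_APP_ID]}
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def core_policies(state=REPORT_ONLY):
    """The four policies in the order the article lists them."""
    return [
        block_legacy_auth(state),
        require_mfa_all_users(state),
        require_mfa_admins(state),
        require_mfa_azure_management(state),
    ]


def policies_missing_break_glass_exclusion(policies, group_id=BREAK_GLASS_GROUP_ID):
    """Names of policies that would also lock out the emergency accounts."""
    return [
        p["displayName"]
        for p in policies
        if group_id not in p["conditions"]["users"].get("excludeGroups", [])
    ]


if __name__ == "__main__":
    policies = core_policies()
    print(json.dumps(policies[0], indent=2))
    print("missing break-glass exclusion:", policies_missing_break_glass_exclusion(policies))
```

Run the lint over every payload before enabling anything: a policy that drops the exclusion is the classic way an admin locks themselves out of their own tenant, and the check is cheap enough to run in a pipeline on each change.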
Deployment and granular control strategies
Conditional access enables a high level of specificity. Here are some common strategies:
- Country restrictions: If your organization does not operate internationally, you can block access from specific countries. For traveling users, apply exclusions to help maintain uninterrupted access.
- IP restrictions: Build policies that limit access to certain IP ranges. For example, a sales team working exclusively from the office could be restricted from logging in via home networks or mobile devices.
- Device platform restrictions: You can block access from certain device types, such as macOS or Linux, as needed.
- Report-only mode and simulation: Before enforcing any policy, test it in report-only mode. This lets you review the sign-ins a policy would have blocked without disrupting users. The conditional access simulator in Microsoft 365 (under Conditional Access Policies) is a valuable tool. You can also filter the sign-in logs by Conditional Access result, either across all policies or for a specific policy you have implemented.
- Apply policies to a set of users: Instead of enforcing blanket policies across your entire organization, start by testing with a limited group to identify and resolve any unforeseen issues.
- User communication: Communicate planned changes to users. Encourage feedback to identify issues early, so you can roll back or adjust policies as needed.
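To show what reviewing report-only results from the sign-in logs looks like in practice, here is an added example (not code from the article or from Microsoft). The records are constructed sample data in the shape of the Graph signIn resource, whose appliedConditionalAccessPolicies entries carry a per-policy result such as reportOnlySuccess, reportOnlyFailure, reportOnlyInterrupted or reportOnlyNotApplied; the policy names match the ones used earlier on this page.

```python
"""Summarise report-only Conditional Access outcomes from sign-in log records.

Added example, not from the article. Field names follow the Microsoft Graph
signIn resource; SAMPLE_SIGNINS is constructed data, not a real tenant's log.
"""
from collections import Counter, defaultdict

LEGACY = "CA001 - Block legacy authentication"
MFA_ALL = "CA002 - Require MFA for all users"

# Constructed sample records (documentation IP ranges, fictional users).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": LEGACY, "result": "reportOnlyNotApplied"},
         {"displayName": MFA_ALL, "result": "reportOnlySuccess"}]},
    # A multifunction printer still relaying mail over SMTP AUTH.
    {"userPrincipalName": "copier@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Other clients; SMTP", "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": LEGACY, "result": "reportOnlyFailure"},
         {"displayName": MFA_ALL, "result": "reportOnlyNotApplied"}]},
    # A user who has not registered an MFA method yet.
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "192.0.2.44",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": LEGACY, "result": "reportOnlyNotApplied"},
         {"displayName": MFA_ALL, "result": "reportOnlyInterrupted"}]},
    # Break-glass account: excluded, so no policy is evaluated against it.
    {"userPrincipalName": "break-glass@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
]

# Results that mean the sign-in would not have proceeded unchanged once enforced:
# Failure = required control not satisfied; Interrupted = user action (e.g. MFA) needed.
WOULD_INTERRUPT = {"reportOnlyFailure", "reportOnlyInterrupted"}


def report_only_summary(signins):
    """Per policy name, a count of each report-only result value seen."""
    summary = defaultdict(Counter)
    for s in signins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            if applied["result"].startswith("reportOnly"):
                summary[applied["displayName"]][applied["result"]] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def would_have_been_interrupted(signins, policy_name=None):
    """(user, ip, client, policy) tuples a report-only policy would have stopped.

    Pass policy_name to scope the review to a single policy, as you would when
    filtering the sign-in log by one policy before switching it to enforced.
    """
    hits = []
    for s in signins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            if applied["result"] not in WOULD_INTERRUPT:
                continue
            if policy_name is not None and applied["displayName"] != policy_name:
                continue
            hits.append((s["userPrincipalName"], s["ipAddress"],
                         s.get("clientAppUsed", ""), applied["displayName"]))
    return hits


if __name__ == "__main__":
    for name, counts in report_only_summary(SAMPLE_SIGNINS).items():
        print(name, counts)
    for hit in would_have_been_interrupted(SAMPLE_SIGNINS):
        print("would interrupt:", hit)
```

Reading the output this way separates the two kinds of surprise the article warns about: a device using a legacy protocol that nobody remembered (a reportOnlyFailure on the block policy) and users who have not yet registered for MFA (reportOnlyInterrupted on the MFA policy). Both are fixed before the policy is switched to enforced, which is the point of the report-only stage.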
ThreatLocker tools for identity hardening
ThreatLocker complements conditional access with two identity-focused tools:
- Cloud Detect: This product extends deep into your Microsoft 365 environment, giving you powerful visibility and control. It continuously monitors M365 logs and flags real threats, like leaked credentials, suspicious sign-ins, impossible travel, and risky behavior that often goes unnoticed. Best of all, you set the rules. With fully customizable policies using Microsoft 365 and Graph API log fields, Cloud Detect alerts you promptly, so you can respond faster and stay ahead of evolving threats.
- ThreatLocker Access App: This standalone app (not to be confused with the admin app) reports a user’s IP and location to ThreatLocker. It can work alongside conditional access policies to allow logins only from trusted, dynamically updated IPs from managed devices. This adds a significant layer of defense against token theft.
Key takeaway
When properly implemented and tested, conditional access provides robust, granular control over who can access what, and from where. Using report-only mode and leveraging ThreatLocker tools can help maintain a secure, seamless rollout.