Conditional Access
Configure identity-driven access policies that evaluate conditions like user, device, location, and risk to determine access decisions. The foundation of Zero Trust security.
Warning: Conditional Access requires Azure AD Premium P1 or P2. Some features like risk-based policies require P2.
Policy List
The policy list shows every Conditional Access policy with the following columns:
| Column | Description |
|---|---|
| Policy Name | Descriptive name for the policy |
| State | On, Off, or Report-only |
| Users | Targeted users/groups |
| Apps | Targeted applications |
| Conditions | Location, device, risk level |
| Grant Controls | Required controls (MFA, compliant device, etc.) |
| Created | Policy creation date |
Policy Components
Assignments (Who/What)
Users and Groups
Include/exclude specific users, groups, directory roles, or guest users. Always exclude break-glass accounts.
Cloud Apps or Actions
Target specific apps (Office 365, Azure Management), all apps, or user actions (register security info, register devices).
Conditions (When)
User Risk (P2)
Leaked credentials, anomalous behavior. Levels: High, Medium, Low.
Sign-in Risk (P2)
Suspicious sign-in patterns. Anonymous IP, atypical travel, malware-linked IP.
Device Platforms
Windows, macOS, iOS, Android, Linux. Apply different policies per platform.
Locations
Named locations (IP ranges, countries). Trust corporate network, block high-risk countries.
Client Apps
Browser, mobile apps, desktop clients, legacy auth (block this!).
Device State
Hybrid Azure AD joined, marked as compliant, or device filter rules.
Access Controls (Then)
Grant Controls
- Block access
- Require MFA
- Require compliant device
- Require Hybrid Azure AD join
- Require approved client app
- Require app protection policy
- Require password change (P2)
Session Controls
- App-enforced restrictions
- Conditional Access App Control (MCAS)
- Sign-in frequency
- Persistent browser session
- Continuous access evaluation
Common Policy Templates
Require MFA for All Users
Users: All users (exclude break-glass) -> Apps: All cloud apps -> Grant: Require MFA
Block Legacy Authentication
Users: All users -> Apps: All apps -> Condition: Legacy auth clients -> Grant: Block
Require Compliant Device for Office Apps
Users: All users -> Apps: Office 365 -> Grant: Require compliant device
Require MFA for Risky Sign-ins
Users: All users -> Condition: Sign-in risk Medium+ -> Grant: Require MFA
Block Access from Untrusted Countries
Users: All users -> Condition: Location not in trusted countries -> Grant: Block
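The five templates above expressed as Microsoft Graph request bodies for the POST /identity/conditionalAccess/policies endpoint, with a small lint step that refuses a policy which targets all users without excluding the break-glass group or which is not in report-only state. This is an added example, not code from this product or from Microsoft; the display names, the break-glass group id and the trusted named-location id are placeholders, while the field names and values (`enabledForReportingButNotEnforced`, `clientAppTypes`, `builtInControls`, `Office365`) are the documented Graph schema values.

```python
"""Build the page's Conditional Access templates as Graph policy bodies and lint them.
Added example; object ids below are placeholders, not real tenant values."""

BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group id
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only mode


def base_policy(name: str, state: str = REPORT_ONLY) -> dict:
    """Skeleton every template starts from: all users, all cloud apps,
    break-glass group excluded, report-only state, no control chosen yet."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def require_mfa_all_users() -> dict:
    p = base_policy("CA001 - Require MFA for all users")
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def block_legacy_auth() -> dict:
    p = base_policy("CA002 - Block legacy authentication")
    # Legacy protocols surface as Exchange ActiveSync and "other" client types.
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def require_compliant_device_office() -> dict:
    p = base_policy("CA003 - Require compliant device for Office 365")
    p["conditions"]["applications"]["includeApplications"] = ["Office365"]
    p["grantControls"]["builtInControls"] = ["compliantDevice"]
    return p


def require_mfa_risky_signins() -> dict:
    p = base_policy("CA004 - Require MFA for risky sign-ins")
    p["conditions"]["signInRiskLevels"] = ["medium", "high"]  # Medium and above
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def block_untrusted_countries(trusted_location_id: str) -> dict:
    p = base_policy("CA005 - Block access outside trusted countries")
    # Everywhere except the named location that lists the trusted countries.
    p["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [trusted_location_id],
    }
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def lint_policy(policy: dict) -> list:
    """Reasons this policy should not be created yet; an empty list means it passes."""
    problems = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and BREAK_GLASS_GROUP_ID not in users.get("excludeGroups", []):
        problems.append("targets all users without excluding the break-glass group")
    if policy["state"] != REPORT_ONLY:
        problems.append("not in report-only mode; validate before enforcing")
    if not policy["grantControls"]["builtInControls"]:
        problems.append("no grant control selected")
    return problems


def graph_request(policy: dict) -> tuple:
    """HTTP method, relative Graph path and JSON body that would create the policy."""
    return ("POST", "/identity/conditionalAccess/policies", policy)


if __name__ == "__main__":
    for policy in (require_mfa_all_users(), block_legacy_auth(),
                   require_compliant_device_office(), require_mfa_risky_signins(),
                   block_untrusted_countries("11111111-1111-1111-1111-111111111111")):
        print(policy["displayName"], "->", lint_policy(policy) or "OK")
```

Each builder returns a plain dict, so the same objects can be serialised with `json.dumps` and sent with whatever HTTP client the tenant automation already uses; the lint runs before any request leaves the machine.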
Report-Only Mode
Test policies without enforcing them. Report-only policies log what would happen if the policy were enabled. Use this to validate policies before deployment.
- View impact in Sign-in logs (Conditional Access column)
- Check for unintended blocks before enabling
- Validate all user scenarios are covered
- Run for at least 1-2 weeks before enabling
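The validation step described above, as an added example that is not part of this product: a small simulator that replays a batch of sign-in events against simplified report-only policies and reports what each policy would have done, so unintended blocks (here a mail relay service account still on a legacy protocol) surface before anything is enforced. The sign-in events and account names are constructed, and the policy records are a reduced shape with one condition and one control each, not the full Graph schema.

```python
"""Report-only impact check: what would these policies do to recent sign-ins?
Added example with constructed sign-in events; not product or Microsoft code."""

from collections import Counter

BREAK_GLASS_ACCOUNTS = {"breakglass-01@contoso.example"}  # constructed; always excluded

# Reduced policy records: each targets all users except break-glass accounts,
# has one condition and one grant control (mirrors the page's templates).
POLICIES = [
    {"name": "Block legacy authentication",
     "clientAppTypes": {"exchangeActiveSync", "other"}, "control": "block"},
    {"name": "Require MFA for risky sign-ins",
     "signInRiskLevels": {"medium", "high"}, "control": "mfa"},
    {"name": "Block access from untrusted countries",
     "trustedCountries": {"US", "GB"}, "control": "block"},
]

# Constructed sign-in events holding only the fields the policies evaluate.
SIGN_INS = [
    {"user": "alice@contoso.example", "clientAppType": "browser", "riskLevel": "none", "country": "US"},
    {"user": "bob@contoso.example", "clientAppType": "exchangeActiveSync", "riskLevel": "none", "country": "US"},
    {"user": "carol@contoso.example", "clientAppType": "browser", "riskLevel": "medium", "country": "US"},
    {"user": "dave@contoso.example", "clientAppType": "browser", "riskLevel": "none", "country": "BR"},
    {"user": "breakglass-01@contoso.example", "clientAppType": "browser", "riskLevel": "none", "country": "BR"},
    {"user": "svc-mailrelay@contoso.example", "clientAppType": "other", "riskLevel": "none", "country": "US"},
]


def policy_matches(policy: dict, event: dict) -> bool:
    """True when the sign-in satisfies every condition the policy carries."""
    if event["user"] in BREAK_GLASS_ACCOUNTS:
        return False  # excluded from every policy, as the page recommends
    if "clientAppTypes" in policy and event["clientAppType"] not in policy["clientAppTypes"]:
        return False
    if "signInRiskLevels" in policy and event["riskLevel"] not in policy["signInRiskLevels"]:
        return False
    if "trustedCountries" in policy and event["country"] in policy["trustedCountries"]:
        return False
    return True


def evaluate(event: dict, policies: list) -> tuple:
    """Outcome ('block', 'mfa' or 'allow') plus the names of the policies that matched.
    A block from any policy wins over MFA, as it would once the policies are enforced."""
    matched = [p for p in policies if policy_matches(p, event)]
    controls = {p["control"] for p in matched}
    outcome = "block" if "block" in controls else "mfa" if "mfa" in controls else "allow"
    return outcome, [p["name"] for p in matched]


def impact_report(events: list, policies: list) -> dict:
    """Summarise the would-be outcomes: totals, hits per policy, and who gets blocked."""
    outcomes, per_policy, blocked = Counter(), Counter(), []
    for ev in events:
        outcome, names = evaluate(ev, policies)
        outcomes[outcome] += 1
        per_policy.update(names)
        if outcome == "block":
            blocked.append((ev["user"], names))
    return {"outcomes": dict(outcomes), "per_policy": dict(per_policy), "blocked": blocked}


if __name__ == "__main__":
    report = impact_report(SIGN_INS, POLICIES)
    print("outcomes:", report["outcomes"])
    print("hits per policy:", report["per_policy"])
    for user, names in report["blocked"]:
        print(f"would block {user}: {', '.join(names)}")
```

The `blocked` list is the part to read before flipping a policy to On: every entry is either expected (bob on ActiveSync, dave outside the trusted countries) or a scenario the rollout plan has not covered yet (the mail relay service account, which needs modern authentication or a scoped exclusion rather than a policy exception for everyone).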
Graph API Endpoints
- GET /identity/conditionalAccess/policies
- POST /identity/conditionalAccess/policies
- PATCH /identity/conditionalAccess/policies/{id}
- DELETE /identity/conditionalAccess/policies/{id}
- GET /identity/conditionalAccess/namedLocations
API Reference
- GET /api/security-defender/conditional-access — List all Conditional Access policies
- POST /api/security-defender/conditional-access — Create new policy
- PUT /api/security-defender/conditional-access/:policyId — Update policy
- POST /api/security-defender/conditional-access/templates — Apply a policy template