Entra ID Conditional Access Policy Evaluation: A Breakdown
Phase | Description | Applies To |
---|---|---|
1: Signal Collection | Gathers the signals of the access attempt: who is signing in, from which network location (IP address), on which device (platform, identity, compliance state), with which client app, to which resource, and with what user and sign-in risk. Every enabled and report-only policy is matched against these signals. | Enabled & Report-Only Policies |
2: Policy Enforcement | Uses the collected signals to evaluate the applicable policies. If any applicable enabled policy has the Block grant control, access is denied, whatever the other policies would grant. Otherwise the user is prompted to satisfy the unmet grant controls in this order: 1. Multifactor authentication (MFA) 2. Device compliance 3. Microsoft Entra hybrid joined device 4. Approved client app 5. App protection policy 6. Password change 7. Terms of use acceptance 8. Custom controls. Once all requirements are met, the session controls are applied (app enforced restrictions, Defender for Cloud Apps, sign-in frequency and token lifetime). Report-only policies are evaluated and written to the sign-in logs here but never enforced. | Enabled Policies Only |
3: (Optional) Continuous Access Evaluation | Supported only by specific client applications and resource providers. Re-evaluates policy during the session, so a critical event (for example a revoked session or a new risk detection) or a no-longer-met condition (for example a location change) ends the session or re-prompts for MFA instead of waiting for the access token to expire. | Enabled Policies (limited scenarios) |
Assignments | Define which users or groups and which target resources a policy applies to. Not a separate phase, but the configuration element that decides whether a policy is applicable at all. | All Policies |
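The evaluation order in the table is easier to see in code. The following Python model is an added example, not Microsoft's evaluation engine and not code from this post: it builds policies in the field shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, grantControls), scopes them against constructed sign-in signals, lets any enforced Block win, and then orders the remaining grant controls as in phase 2. Report-only policies are scoped but only reported. The policy names, group and app identifiers and the Signals class are constructed for illustration; the operator handling also shows the difference between "require all" (AND) and "require one" (OR) control selection.

```python
"""Toy model of the Conditional Access evaluation phases in the table above.
Policies use Microsoft Graph conditionalAccessPolicy field names, but the
evaluation logic is a simplified illustration, not the Entra ID engine."""
from dataclasses import dataclass

# Order in which unmet grant controls are presented to the user (phase 2).
GRANT_CONTROL_ORDER = [
    "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication",
    "compliantApplication", "passwordChange", "termsOfUse", "customControl",
]


def _rank(control):
    """Sort key: position in the enforcement order, unknown controls last."""
    return GRANT_CONTROL_ORDER.index(control) if control in GRANT_CONTROL_ORDER else len(GRANT_CONTROL_ORDER)


@dataclass
class Signals:
    """Phase 1 output: what the sign-in attempt tells us (constructed values)."""
    user_id: str
    group_ids: set
    app_id: str
    satisfied: set  # grant controls already met, e.g. {"mfa"} from a fresh MFA claim


def in_scope(policy, sig):
    """Assignment check: exclusions win over inclusions, 'All' matches everything."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if sig.user_id in users.get("excludeUsers", []):
        return False
    if sig.group_ids & set(users.get("excludeGroups", [])):
        return False
    user_hit = ("All" in users.get("includeUsers", [])
                or sig.user_id in users.get("includeUsers", [])
                or bool(sig.group_ids & set(users.get("includeGroups", []))))
    app_hit = ("All" in apps.get("includeApplications", [])
               or sig.app_id in apps.get("includeApplications", []))
    return user_hit and app_hit


def evaluate(policies, sig):
    """Return the access decision and the ordered list of controls to prompt for."""
    # Phase 1: every enabled or report-only policy is scoped against the signals.
    applicable = [p for p in policies if p["state"] != "disabled" and in_scope(p, sig)]
    report_only = [p["displayName"] for p in applicable
                   if p["state"] == "enabledForReportingButNotEnforced"]
    enforced = [p for p in applicable if p["state"] == "enabled"]

    # Phase 2a: any enforced block wins, whatever the other policies would grant.
    for p in enforced:
        if "block" in p["grantControls"]["builtInControls"]:
            return {"result": "blocked", "by": p["displayName"], "prompts": [],
                    "report_only": report_only}

    # Phase 2b: collect unmet grant controls; AND needs all of them, OR needs any one.
    needed = set()
    for p in enforced:
        controls = p["grantControls"]["builtInControls"]
        operator = p["grantControls"].get("operator", "AND")
        unmet = [c for c in controls if c not in sig.satisfied]
        if not unmet or (operator == "OR" and len(unmet) < len(controls)):
            continue  # satisfied: all met, or at least one OR alternative met
        if operator == "OR":
            unmet = [min(unmet, key=_rank)]  # prompt for the earliest alternative
        needed.update(unmet)
    prompts = sorted(needed, key=_rank)
    return {"result": "granted", "by": None, "prompts": prompts, "report_only": report_only}


def policy(name, state, users, apps, controls, operator="AND"):
    """Build a policy in Graph shape (constructed helper for the sample tenant)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "applications": {"includeApplications": apps}},
            "grantControls": {"operator": operator, "builtInControls": controls}}


# Constructed sample tenant: MFA baseline, a stricter rule for one group and app,
# a report-only block, an enforced block for contractors, and an OR policy.
SAMPLE_POLICIES = [
    policy("Baseline MFA", "enabled", {"includeUsers": ["All"]}, ["All"], ["mfa"]),
    policy("Finance app needs compliant device", "enabled",
           {"includeGroups": ["finance"]}, ["app-finance"], ["compliantDevice", "mfa"]),
    policy("Report-only: block legacy app", "enabledForReportingButNotEnforced",
           {"includeUsers": ["All"]}, ["All"], ["block"]),
    policy("Block contractors from HR app", "enabled",
           {"includeGroups": ["contractors"]}, ["app-hr"], ["block"]),
    policy("Devs: MFA or compliant device", "enabled",
           {"includeGroups": ["devs"]}, ["All"], ["compliantDevice", "mfa"], operator="OR"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, Signals("alice", {"finance"}, "app-finance", set())))
    print(evaluate(SAMPLE_POLICIES, Signals("bob", {"contractors"}, "app-hr", {"mfa"})))
```

Note that the report-only block is listed in the result but never denies access, and that the contractor block fires even though the user already has MFA: a Block is not something the other policies can "out-grant".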
Entra ID Conditional Access Policy Configuration: Breakdown
Assignments
Element | Description |
---|---|
Users & Groups | Define who the policy applies to (include/exclude): All users Specific user groups Directory roles External guests |
Cloud Apps or Actions | Define which target resources or actions are affected: include/exclude specific cloud applications, user actions (e.g., registering security information), or authentication contexts (tags that mark a sensitive resource or action so a policy can require step-up on it) |
You can also exclude the same users, groups and roles. Exclusions always win over inclusions, which is handy when you want different rules for different groups (for example a baseline policy for all users that excludes the group covered by a stricter one).
The target resources work the same way: you choose which applications or actions the policy is applied to, and which are excluded from it.
Custom security attributes are very useful in many ways, and I will cover them in later posts. Some use cases:
- Purview data policies
- Microsoft Entra users
- Microsoft Entra enterprise applications (service principals)
Conditions
Element | Description |
---|---|
User and Sign-in Risk | Use risk detections from Microsoft Entra ID Protection (user risk and sign-in risk levels) to influence the policy decision. |
Insider risk | Insider risk, configured in Adaptive Protection, assesses risk based on a user's risky data-related activities. |
Device Platforms | Target specific device operating systems. Platform detection is based on the user agent string, so it should be combined with device compliance or used in a block statement rather than trusted on its own. |
Locations | Connect IP addresses, countries and trusted networks to the policy decision. Administrators define named and trusted locations. |
Client Apps | Specify the software used for cloud app access (browser, mobile apps and desktop clients, Exchange ActiveSync, other legacy authentication clients). By default, all client apps are included unless configured otherwise. |
Filter for Devices | Target or exclude devices based on device attributes, evaluated as a rule within the policy. |
Authentication flows | Target specific authentication and authorization flows, currently device code flow and authentication transfer. |
For more information on the Insider Risk condition, see my previous posts.
Authentication flows is also a super useful feature.
Flow | Description | Risk | Use Cases | Considerations |
---|---|---|---|---|
Device Code Flow | Used for devices without local input (kiosks, digital signage). The user receives a code and completes the sign-in on another device. Because the sign-in happens on a legitimate Microsoft page with an attacker-supplied code, the flow is also popular for phishing. | High | Shared devices, conference room devices | – Block whenever possible. – Where it is genuinely needed, limit the exception by device type, location and user group in Conditional Access. |
Authentication Transfer | Transfers an authentication state from one device to another (e.g., scanning a QR code on the desktop to sign in on mobile). | Lower | Improved user experience for multi-device usage | – Currently in preview. – Managed through Conditional Access. |
Additional Information
- Protocol tracking: sessions that started with device code flow or authentication transfer are tracked so that Conditional Access keeps enforcing the policy on them.
- Sign-in logs: use report-only mode, or filter the sign-in logs by "authentication protocol", to understand device code flow usage in your organization before you block it.
- Troubleshooting: the "original transfer method" property in the sign-in logs shows the protocol tracking state.
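The three steps above (find out who uses device code flow, check whether a policy actually blocks it, roll the block out via report-only) can be scripted against exported policies and sign-in logs. The following Python is an added example, not the post's or Microsoft's code. It uses the field names of the Microsoft Graph conditionalAccessPolicy resource (conditions.authenticationFlows.transferMethods, a comma-separated flag string) and of the signIn resource (authenticationProtocol); the audit rules, the sample tenant, the sign-in rows and the group identifier are constructed for illustration.

```python
"""Device code flow hygiene: who uses it, is it blocked by an enforced policy,
and what the blocking policy body looks like. Field names follow the Microsoft
Graph conditionalAccessPolicy and signIn resources; the audit rules, tenant
data and identifiers below are constructed for this example."""
import json


def transfer_methods(policy):
    """Return the set of authentication flows a policy targets.

    Graph stores them as one comma-separated string, for example
    "deviceCodeFlow,authenticationTransfer"; "none" means no flow condition.
    """
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods", "")
    return {m.strip() for m in raw.split(",") if m.strip() and m.strip() != "none"}


def blocks_flow_for_all_users(policy, flow):
    """True if the policy blocks `flow` for all users on all resources (exclusions aside)."""
    cond = policy.get("conditions", {})
    return (flow in transfer_methods(policy)
            and "block" in policy.get("grantControls", {}).get("builtInControls", [])
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))


def audit_device_code_flow(policies):
    """Report whether device code flow is blocked, only reported on, or not covered."""
    findings = {"enforced_block": None, "report_only_blocks": [],
                "excluded_groups": [], "gaps": []}
    for p in policies:
        if not blocks_flow_for_all_users(p, "deviceCodeFlow"):
            continue
        if p["state"] == "enabled":
            findings["enforced_block"] = p["displayName"]
            findings["excluded_groups"] += p["conditions"]["users"].get("excludeGroups", [])
        elif p["state"] == "enabledForReportingButNotEnforced":
            findings["report_only_blocks"].append(p["displayName"])
    if findings["enforced_block"] is None:
        findings["gaps"].append("no enabled policy blocks deviceCodeFlow for all users")
    return findings


def device_code_signins(signins):
    """Group sign-in log rows that used device code flow by user (apps they hit)."""
    by_user = {}
    for row in signins:
        if row.get("authenticationProtocol") == "deviceCodeFlow":
            by_user.setdefault(row["userPrincipalName"], []).append(row["appDisplayName"])
    return by_user


def recommended_block_policy(exclude_group_id, state="enabledForReportingButNotEnforced"):
    """Graph request body for a 'block device code flow' policy.

    Starts in report-only so the sign-in logs show who would be blocked; set
    state="enabled" once the real exceptions (kiosks, signage) have their own
    narrowly scoped policy. The excluded group is a constructed placeholder for
    the emergency access accounts.
    """
    return {
        "displayName": "CA - Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed tenant: an MFA baseline without a flow condition, and a report-only block.
SAMPLE_POLICIES = [
    {"displayName": "Baseline MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Report-only: block device code flow",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed sign-in log rows (a subset of the Graph signIn fields).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk01@contoso.example", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCodeFlow"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCodeFlow"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "none"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office",
     "authenticationProtocol": "authenticationTransfer"},
]

if __name__ == "__main__":
    print(json.dumps(audit_device_code_flow(SAMPLE_POLICIES), indent=2))
    print(device_code_signins(SAMPLE_SIGNINS))
    print(json.dumps(recommended_block_policy("<emergency-access-group-id>"), indent=2))
```

The audit deliberately treats a report-only block as a gap: it produces log entries, not denials, so a tenant that stops at report-only still has device code flow open.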
Access Controls (Grant)
Element | Description |
---|---|
Grant | Defines what happens when the assignments and conditions match: block access, or grant it subject to one or more controls. |
Block Access | Denies access under the specified assignments. Use with caution: test in report-only mode first and exclude your emergency access accounts. |
Grant Access | Grants access once the selected controls are satisfied: Require multifactor authentication (MFA), Require authentication strength, Require device to be marked as compliant, Require Microsoft Entra hybrid joined device, Require approved client app, Require app protection policy, Require password change, Require terms of use acceptance |
Control Selection | Require all the selected controls (strict enforcement) or Require one of the selected controls (more flexible). The default is require all. |
When you add another Terms of Use, you will see it listed under Grant. The limit is 40 per tenant.
But I don't really understand why I would even want this many displayed without a dropdown. Microsoft possibly had a plan, or they just didn't put a limit on it for the policies.
Then on to the last part of a policy.
Session Controls
Element | Description |
---|---|
Use App Enforced Restrictions | Limits user experience within specific applications (currently Exchange Online & SharePoint Online). |
Use Conditional Access App Control | Leverages Microsoft Defender for Cloud Apps to: Block data transfer of sensitive documents. Monitor risky session behavior. Enforce data labeling. |
Sign-in Frequency | Set how often users must re-authenticate in modern authentication clients (a time period or every time), instead of relying on the default token lifetime. |
Persistent Browser Session | Allow users to remain signed in after browser restarts. |
Continuous Access Evaluation | Optionally customize continuous monitoring during sessions (advanced configuration). |
Disable resilience defaults | During an outage, Microsoft Entra ID will extend access to existing sessions while enforcing Conditional Access policies. If a policy cannot be evaluated, access is determined by resilience settings. If resilience defaults are disabled, access is denied once existing sessions expire. |
Require token protection for sign-in sessions | A secure sign-in session requires all long-lived tokens (the Microsoft Entra session cookie and refresh token) to be bound to the device using software key binding or hardware security module binding where available. |
Closure
This is the introduction to Conditional Access policies and how they work; in the next part we will go a little deeper into how they work.