Deep Dive into Conditional Access Policies part 1

Entra ID Conditional Access Policy Evaluation: A Breakdown

PhaseDescriptionApplies To
1: Signal CollectionGathers information about the user’s access attempt.
Examples: Network location (IP address), device identity (type, OS version).

Applies to all enabled Conditional Access policies, including those in report-only mode.
Enabled & Report-Only Policies
2: Policy EnforcementUses collected signals to evaluate applicable policies. If a policy with “block grant control” is not met, access is denied.
If access isn’t blocked, users may be prompted to fulfill unmet policy requirements in this order:

1. Multi-factor Authentication (MFA)
2. Device compliance
3. Microsoft Entra hybrid joined device
4. Approved client app
5. App protection policy
6. Password change
7. Terms of use acceptance
8. Custom controls

Once all requirements are met, session controls are applied (App Enforced, Defender for Cloud Apps, token lifetime).
Enabled Policies Only
3: (Optional) Continuous Access EvaluationApplies to specific client applications and resource providers. Monitors user activity and enforces policy throughout the session (e.g., re-prompting for MFA).Enabled Policies (limited scenarios)
AssignmentsDefines which users or groups the policy applies to. Not a separate phase but a crucial configuration element for each policy.

Entra ID Conditional Access Policy Configuration: Breakdown


Users & GroupsDefine who the policy applies to (include/exclude):
All users
Specific user groups
Directory roles
External guests
Cloud Apps or ActionsDefine which applications or actions are affected:
Include/exclude specific cloud applications
User actions (e.g., registering security information)
Authentication contexts (e.g., location)

And you can also Exclude the same users, groups and roles. This could be handy if you want to build different rules for different groups

And to what Target resource(s) they will be applied or excluded from

Custom Security Attributes are super useful, in many ways and I will cover these later in my posts.

Some use cases:

  • Purview Data policies
  • Microsoft Entra users
  • Microsoft Entra enterprise applications (service principals)

But more on these in later posts.

Access Controls

User and Sign-in RiskLeverage risk detections from Microsoft Entra ID Protection to influence policy decisions
Insider riskInsider risk, configured in Adaptive Protection, assesses risk based on a user’s risky data related activities. 
Device PlatformsTarget specific device operating systems (consider limitations of platform detection)
LocationsConnect IP addresses, geographies, and trusted networks to policy decisions. Administrators can define trusted locations.
Client AppsSpecify the software used for cloud app access (e.g., browser, mobile apps).
By default, all client apps are included unless configured otherwise.
Filter for DevicesTarget devices based on specific attributes within a policy.
Authentication flowsHow your organization uses certain authentication and authorization protocols and grants

For more information on Insider Risk condition, see my previous posts

Authentication flows is also a super-useful feature.

FlowDescriptionRiskUse CasesConsiderations
Device Code FlowUsed for devices without local input (kiosks, digital signage). User gets a code to enter on another device.HighShared devices, conference room devices– Block whenever possible. – Limit by device type and location in Conditional Access.
Authentication TransferTransfers authentication state between devices (e.g., QR code from desktop to mobile).LowerImproved user experience for multi-device usage– Currently in preview. – Managed through Conditional Access.

Additional Information

  • Protocol Tracking: Tracks sessions using device code flow or authentication transfer for Conditional Access enforcement.
  • Sign-in Logs: Use report-only mode or filter by “authentication protocol” to understand device code flow usage in your organization.
  • Troubleshooting: “original transfer method” property added to sign-in logs to identify protocol tracking state.


GrantDefines enforcement actions: Block or grant access.
Block AccessPrevents access under specified assignments (use with caution).
Grant AccessTriggers enforcement of one or more controls:
Require Multi-Factor Authentication (MFA)
Require authentication strength
Require device compliance
Require Microsoft Entra hybrid joined device
Require approved client app
Require app protection policy
Require password change
Require terms of use acceptance
Control SelectionRequire all selected controls (strict enforcement).
Require one of the selected controls (more flexible). (Default: require all)

When you another Terms of Use

You will see it under Grant. The limit for them is 40 per tenant

But don’t necessarily understand why I even want this many display without a dropdown?

Microsoft possible had a plan or they just didn’t limit it for the policies.

Then to the last part of a Policy

Session Controls

Use App Enforced RestrictionsLimits user experience within specific applications (currently Exchange Online & SharePoint Online).
Use Conditional Access App ControlLeverages Microsoft Defender for Cloud Apps to:

Block data transfer of sensitive documents.
Monitor risky session behavior.
Enforce data labeling.
FrequencyCustomize the frequency for modern authentication prompts.
Persistent Browser SessionAllow users to remain signed in after browser restarts.
Continuous Access EvaluationOptionally customize continuous monitoring during sessions (advanced configuration).
Disable resilience defaultsDuring an outage, Microsoft Entra ID will extend access to existing sessions while enforcing Conditional Access policies. If a policy cannot be evaluated, access is determined by resilience settings. If resilience defaults are disabled, access is denied once existing sessions expire.
Require token protection for sign-in sessionsA secure sign-in session requires all long-lived tokens (the Microsoft Entra session cookie and refresh token) to be bound to the device using software key binding or hardware security module binding where available.


This the the introduction to Conditional Access Policies and how they work, in next part we will go a little bit deeper on how they work.

Author: Harri Jaakkonen