Step-by-step guide to implementing Azure AD Conditional Access policies for zero trust security. Essential for MSPs protecting enterprise environments.


Azure AD Conditional Access Policies: A Complete Setup Guide

By 365 Security Assessment Team

Conditional Access is one of the most powerful security features available in Microsoft 365 and Azure AD (now Microsoft Entra ID; this guide keeps the Azure AD names that still appear throughout the portal). For MSPs and MSSPs managing multiple enterprise environments, mastering Conditional Access policies is essential to implementing zero trust security architecture and protecting against sophisticated threat actors.

This comprehensive guide walks you through setting up Conditional Access policies that balance security with user productivity—a critical balance for managed service providers supporting diverse client environments.

Understanding Conditional Access Fundamentals

Conditional Access evaluates signals at sign-in time (who the user is, which device and client they are using, where the request comes from, which application is being opened and how risky the sign-in looks) and decides whether to grant access, block it, or grant it only after additional controls such as MFA or a compliant device are satisfied. Rather than a one-size-fits-all approach, you create policies that vary those decisions by user, device state, location, application and sign-in risk, which is exactly what the five steps below build.

This granular control is what separates reactive security from proactive protection, and it is exactly what your clients need.

Prerequisites and Licensing

Before implementing Conditional Access, ensure your clients have the appropriate licensing. Conditional Access requires Azure AD Premium P1 (now Microsoft Entra ID P1), included in Microsoft 365 E3, E5 and Business Premium, for every user the policies target; the risk-based policies in Step 5 additionally require Azure AD Premium P2 (included in Microsoft 365 E5). Note also that security defaults and Conditional Access are mutually exclusive: a tenant running security defaults must switch them off (Azure AD > Properties > Manage security defaults) before its first Conditional Access policy is enabled.

Verify licensing in Azure AD > Licenses > All products to confirm Conditional Access capabilities are available.

Step 1: Enable MFA Baseline Protection

Create a baseline MFA policy that replaces security defaults:

  1. Navigate to Azure AD > Conditional Access (in the Microsoft Entra admin center: Protection > Conditional Access)
  2. Create a new policy named “Require MFA for All Users”
  3. Set Users or workload identities > Include: All users, and Exclude: the break-glass group (see Common Implementation Mistakes below)
  4. Set Target resources > Cloud apps or actions > All cloud apps (narrowing to Office 365 or specific apps leaves every other application unprotected)
  5. Set Access controls > Grant > Require multi-factor authentication
  6. Set Enable policy to Report-only, review the sign-in logs for a few days, then switch it to On

With this policy in place a stolen password alone is no longer enough to sign in. It is not a complete answer, though: adversary-in-the-middle phishing kits relay the MFA prompt along with the password, so plan to move administrators, at least, to phishing-resistant methods (FIDO2 security keys or Windows Hello for Business) by using Grant > Require authentication strength instead of the plain MFA control.

Step 2: Block Legacy Authentication

Legacy (basic) authentication, used by older mail protocols such as IMAP, POP3, SMTP AUTH and Exchange ActiveSync and by pre-2016 Office clients, sends only a username and password and cannot complete an MFA challenge. That makes it the channel of choice for password spray and credential-stuffing attacks, and it is how an attacker gets around the policy from Step 1:

  1. Create policy: “Block Legacy Authentication”
  2. Set Users > Include: All users, Exclude: the break-glass group
  3. Set Cloud apps > Include: All cloud apps
  4. Go to Conditions > Client apps > Configure: Yes
  5. Clear the modern authentication clients (Browser, Mobile apps and desktop clients) and select only the legacy authentication clients: Exchange ActiveSync clients and Other clients (Other clients covers IMAP, POP3, SMTP AUTH and the older Office clients)
  6. Set Access controls > Block

Microsoft has already disabled basic authentication for most Exchange Online protocols, but SMTP AUTH can still be switched on per tenant or per mailbox, so the policy is still worth deploying. Before moving it from report-only to On, filter the sign-in logs by Client app to find any remaining legacy clients (multifunction printers and old line-of-business scripts are the usual culprits) and migrate them first.

Step 3: Implement Device Compliance Requirements

For enterprise environments, require devices to be compliant with corporate standards. This policy only works once its prerequisites exist: Intune compliance policies must be assigned to the devices, and hybrid Azure AD join must be configured for domain-joined Windows devices. Users whose devices meet neither condition (unmanaged BYOD, unenrolled Macs) will be blocked, so start in report-only mode and check the sign-in logs for who would be affected:

  1. Create policy: “Require Compliant or Azure AD Joined Devices”
  2. Set Users > Include: All users (or a pilot group), Exclude: the break-glass group
  3. Set Cloud apps > Office 365 or specific high-value apps
  4. Go to Access controls > Grant
  5. Select Require device to be marked as compliant and Require Azure AD hybrid joined device
  6. Because either condition should be enough, select “Require one of the selected controls” (“Require all the selected controls” would demand a device that is both compliant and hybrid joined)

This ensures only managed, compliant devices access sensitive data.

Step 4: Configure Location-Based Policies

Restrict access based on geographic location to cut off unauthorized access from countries where the client has no presence. This is a two-part setup: first define named locations, then write a policy that blocks everything except them.

  1. Under Azure AD > Conditional Access > Named locations, create a Countries location listing the countries the client operates from, and an IP ranges location for the office or VPN egress addresses, marked as trusted
  2. Create policy: “Block Access from Untrusted Locations”
  3. Set Users > Include: All users, Exclude: the break-glass group; set Cloud apps > All cloud apps
  4. Set Conditions > Locations > Configure: Yes, Include: Any location, Exclude: the allowed-countries named location and All trusted locations
  5. Set Access controls > Block

There is no built-in “countries not in scope” option; blocking every location except the allowed ones is how that intent is expressed. Country is determined from the client IP address by default (GPS reported by the Authenticator app is an option), so commercial VPN and proxy exits inside an allowed country still get through, and a user travelling abroad will be blocked unless the trusted-IP exclusion or a temporary exception covers them. Many organizations block access from countries outside their operations for exactly this reason; keep the break-glass exclusion in place, because a geolocation error must never lock the tenant out.

Step 5: Risk-Based Authentication (Premium P2)

With Azure AD Premium P2, implement dynamic risk assessment:

  1. Create policy: “Require MFA for Medium or High Risk Sign-ins”
  2. Set Users > Include: All users, Exclude: the break-glass group; set Cloud apps > All cloud apps
  3. Set Conditions > Sign-in risk > Configure: Yes
  4. Select High and Medium
  5. Set Access controls > Grant > Require multi-factor authentication

Azure AD’s Identity Protection calculates sign-in risk from signals such as anonymous IP addresses, atypical travel, unfamiliar sign-in properties and password spray, and it maintains a separate user risk level driven by leaked-credential detections and accumulated risky sign-ins. Pair the sign-in risk policy with a user risk policy (Conditions > User risk: High, Grant > Require password change, which the portal requires you to combine with MFA) so that an account Identity Protection believes is already compromised is forced to re-secure itself rather than just pass another MFA prompt.
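The five policies above can be created from a script rather than clicked through tenant by tenant. The following is an added example written for this guide, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes that the Microsoft.Graph module is installed, that the signed-in admin can consent to the listed scopes, that a security group named CA-BreakGlass already holds the emergency-access accounts, and that the client operates only from the United States and Canada; the group name, policy names and country list are assumptions to adjust per client. Every policy is created in report-only mode so the sign-in logs show its impact before anything is enforced.

```powershell
# Added example (not from the original article): build the five policies from Steps 1-5 with the
# Microsoft Graph PowerShell SDK and create them in report-only mode.
# Assumptions (not stated on the page): Microsoft.Graph is installed, the caller can consent to
# Policy.ReadWrite.ConditionalAccess, a group named "CA-BreakGlass" holds the emergency-access
# accounts, and the client operates only from the US and Canada.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' -NoWelcome

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'"
if (-not $breakGlass) { throw 'Create and populate the break-glass group before deploying any policy.' }

# Step 4 needs a named location listing the countries the client operates from.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'CA - Allowed countries'
    countriesAndRegions               = @('US', 'CA')   # assumed operating countries
    includeUnknownCountriesAndRegions = $false          # unresolvable geolocation counts as outside
}

# Every policy targets all users and all cloud apps, excludes the break-glass group, and starts
# in report-only mode ("enabledForReportingButNotEnforced"). Extra conditions are merged per policy.
function New-CaPolicyBody {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Controls,      # Graph builtInControls values
        [string]$Operator = 'OR',
        [hashtable]$ExtraConditions = @{}
    )
    $conditions = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    foreach ($key in $ExtraConditions.Keys) { $conditions[$key] = $ExtraConditions[$key] }
    return @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = $Operator; builtInControls = $Controls }
    }
}

$policies = @(
    # Step 1: MFA for everyone.
    (New-CaPolicyBody -Name 'CA001 - Require MFA for all users' -Controls 'mfa')
    # Step 2: block the legacy client types. "other" covers IMAP, POP3, SMTP AUTH and older
    # Office clients; "exchangeActiveSync" covers basic-auth ActiveSync.
    (New-CaPolicyBody -Name 'CA002 - Block legacy authentication' -Controls 'block' `
        -ExtraConditions @{ clientAppTypes = @('exchangeActiveSync', 'other') })
    # Step 3: compliant OR hybrid-joined device, so the operator must be OR.
    (New-CaPolicyBody -Name 'CA003 - Require compliant or hybrid joined device' `
        -Controls @('compliantDevice', 'domainJoinedDevice') -Operator 'OR')
    # Step 4: block every location except the allowed countries and the trusted IP ranges.
    (New-CaPolicyBody -Name 'CA004 - Block access outside allowed countries' -Controls 'block' `
        -ExtraConditions @{ locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted', $allowedCountries.Id) } })
    # Step 5 (needs P2): MFA on medium or high sign-in risk.
    (New-CaPolicyBody -Name 'CA005 - Require MFA for medium and high sign-in risk' -Controls 'mfa' `
        -ExtraConditions @{ signInRiskLevels = @('medium', 'high') })
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

Once the sign-in logs for a tenant look clean, flip an individual policy to enforcement with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled; keeping creation and enforcement as two separate steps is what makes the report-only review meaningful.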

Best Practices for MSPs

When rolling out Conditional Access across multiple clients, standardize: use the same policy set and naming convention in every tenant, deploy each policy in report-only mode before enforcing it, create and exclude a break-glass account before the first policy goes live, and review each tenant’s sign-in logs on a schedule. The mistakes below are the ones that most often undo that work.

Common Implementation Mistakes to Avoid

Locking yourself out: exclude a dedicated break-glass (emergency access) account or group from every policy, keep its credentials offline, and alert on any sign-in by it. This exclusion is for the emergency account only; ordinary admin accounts should get stricter policies than users, not weaker ones, ideally phishing-resistant MFA through authentication strengths.

Overly restrictive policies: policies that create too much friction push users toward workarounds and push helpdesks toward blanket exceptions. Balance security with usability, and use report-only mode to measure the friction before it is real.

Forgetting about service accounts: user accounts used as service or bot accounts are subject to these policies and will break when MFA or device compliance is required, so inventory them and move them to managed identities or service principals where possible. Service principals themselves are not covered by user-scoped Conditional Access at all; policies for workload identities are a separate, separately licensed feature, so do not assume a block policy stops app-only access.

Neglecting hybrid environments: if clients use on-premises resources, account for device synchronization (hybrid join must be working before Step 3) and for federation: a federated identity provider that asserts an MFA claim can satisfy the MFA control without Azure AD ever seeing the factor, so confirm how federated MFA is configured for each domain.
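A check like the following finds the first three mistakes in an existing tenant before they cause an incident. It is an added example for this guide, not code from the original article; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the caller holds Policy.Read.All, and that the emergency-access accounts sit in a group named CA-BreakGlass (an assumed name; substitute the client’s own).

```powershell
# Added example (not from the original article): audit every Conditional Access policy for the
# mistakes listed above. Assumes Microsoft.Graph is installed, the caller holds Policy.Read.All,
# and the break-glass accounts are in a group named "CA-BreakGlass" (assumed name).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All' -NoWelcome

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'"
$policies   = Get-MgIdentityConditionalAccessPolicy -All

# Emits one finding object per problem found in a single policy.
function Test-CaPolicy {
    param([Parameter(Mandatory)]$Policy, [string]$BreakGlassGroupId)
    $users    = $Policy.Conditions.Users
    $controls = @($Policy.GrantControls.BuiltInControls)
    $findings = @()

    $targetsEveryone    = $users.IncludeUsers -contains 'All'
    $excludesBreakGlass = $BreakGlassGroupId -and ($users.ExcludeGroups -contains $BreakGlassGroupId)

    if ($targetsEveryone -and -not $excludesBreakGlass) {
        $findings += 'targets All users without excluding the break-glass group'
    }
    if ($controls -contains 'block' -and $Policy.State -eq 'enabled' -and
        -not ($users.ExcludeUsers -or $users.ExcludeGroups)) {
        $findings += 'enforced block policy with no exclusions at all; a misfire locks out the whole tenant'
    }
    if ($Policy.State -eq 'enabledForReportingButNotEnforced') {
        $findings += 'still in report-only mode; review the sign-in logs and either enable or remove it'
    }
    foreach ($f in $findings) {
        [pscustomobject]@{ Policy = $Policy.DisplayName; State = $Policy.State; Finding = $f }
    }
}

$report = @(foreach ($p in $policies) { Test-CaPolicy -Policy $p -BreakGlassGroupId $breakGlass.Id })

# Tenant-level gap: Step 2 is missing if no enforced policy blocks both legacy client types.
$legacyBlocked = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync'
}
if (-not $legacyBlocked) {
    $report += [pscustomobject]@{ Policy = '(tenant)'; State = ''; Finding = 'no enabled policy blocks legacy authentication (Step 2)' }
}

$report | Format-Table -AutoSize
```

Run it read-only against each client tenant as part of the periodic review; an empty report is the goal, and a policy flagged as report-only for months is usually one nobody has looked at.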

Monitoring and Optimization

After implementing policies:

  1. Review Sign-in logs in Azure AD (Monitoring > Sign-in logs) and open a sign-in’s Conditional Access tab to see which policies applied and with what result
  2. Filter on the Conditional Access column (Failure) for enforced policies, or on the Report-only column for policies still in report-only mode, to find which policies block legitimate users
  3. Adjust policies if legitimate business users are consistently blocked; add a narrow exclusion group rather than loosening the policy for everyone
  4. Use the Conditional Access insights and reporting workbook (it requires sign-in logs to be sent to a Log Analytics workspace) to measure adoption and effectiveness per policy over time

Look for patterns in blocked sign-ins—they often reveal misconfigured policies or legitimate business scenarios requiring exceptions.
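The same review can be scripted so that it runs the same way for every tenant. The following is an added example for this guide, not code from the original article; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the caller holds AuditLog.Read.All and Directory.Read.All, and that the tenant has Azure AD Premium P1 (sign-in logs are retained for 30 days with P1). It summarizes a week of sign-ins by policy and result, lists who the report-only policies would have blocked, and shows which legacy clients are still signing in.

```powershell
# Added example (not from the original article): summarize seven days of sign-in logs by Conditional
# Access policy and result, then list what report-only policies would have blocked.
# Assumptions: Microsoft.Graph is installed and the caller holds AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Flatten to one row per (sign-in, applied policy). Result values include success, failure,
# notApplied and their reportOnly* counterparts for policies still in report-only mode.
$rows = @(foreach ($s in $signIns) {
    foreach ($ap in $s.AppliedConditionalAccessPolicies) {
        [pscustomobject]@{
            Policy  = $ap.DisplayName
            Result  = $ap.Result
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            Client  = $s.ClientAppUsed          # e.g. 'Browser', 'IMAP4', 'Exchange ActiveSync'
            Country = $s.Location.CountryOrRegion
        }
    }
})

'== Policy impact (count by policy and result) =='
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

'== Users the report-only policies would have blocked =='
$rows | Where-Object Result -eq 'reportOnlyFailure' |
    Group-Object Policy, User, App | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

'== Enforced blocks, by user and country (look for patterns that mean a misconfigured policy) =='
$rows | Where-Object Result -eq 'failure' |
    Group-Object Policy, User, Country | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

'== Legacy clients still signing in (should be empty before Step 2 is enforced) =='
$signIns | Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object ClientAppUsed, UserPrincipalName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

The reportOnlyFailure rows are the list of users and apps to fix or exclude before a policy is switched to On; the last table is the migration worklist for the legacy-authentication block.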

Advanced: Custom Authentication Context

For maximum control, define custom authentication contexts based on business requirements. An authentication context is published from Conditional Access (Conditional Access > Authentication context), targeted by a policy as a Target resource instead of a cloud app, and then attached to the thing that needs extra assurance: a sensitivity label applied to SharePoint sites or files, a Privileged Identity Management role activation, or an application that requests the context itself. The stricter policy (phishing-resistant MFA, compliant device, trusted location) is then triggered only when a user touches that data or role, not on every sign-in.

This approach ensures security posture matches data sensitivity.

Conclusion

Conditional Access is fundamental to zero trust security in Microsoft 365. By systematically implementing these policies, you are requiring MFA for every user, closing the legacy-authentication bypass, limiting access to managed devices, cutting off unexpected geographies and reacting automatically to risky sign-ins.

Your clients’ security posture improves further when Conditional Access works alongside other M365 security features such as Microsoft Defender for Identity and Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection).

Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment.