
Microsoft Entra Conditional Access: The 4-Tier Policy Framework That Works

Most Conditional Access deployments fail because of policy conflicts, admin lockouts, or gaps that leave attack vectors open. This framework organizes policies into four tiers that are secure, maintainable, and won't break your users.

Nikolai Poverud, Founder & CEO · January 5, 2025

The Conditional Access Policy That Locked Out Every Admin

A few months ago, an IT manager at a 400-person company called us in a panic. They'd deployed a new Conditional Access policy requiring compliant devices for all admin access. Good idea in theory.

The problem: their MFA provider had a brief outage that morning. The "compliant device" check failed. Every admin was locked out of Azure and Microsoft 365. Their emergency access accounts? Also covered by the policy; they'd forgotten to exclude them.

It took 4 hours and a support call to Microsoft to regain access.

This is the reality of Conditional Access: it's Microsoft's most powerful Zero Trust tool, and one of the easiest to misconfigure. The difference between a secure tenant and an admin lockout is often a single checkbox.

This guide gives you a framework for getting it right.

The Policy Framework

Tier 1: Foundation Policies

These apply to everyone, always:

Policy: Require MFA for All Users

  • Assignments: All users
  • Cloud apps: All cloud apps
  • Conditions: Any
  • Grant: Require MFA
  • Exceptions: Emergency access accounts

Policy: Block Legacy Authentication

  • Assignments: All users
  • Cloud apps: All cloud apps
  • Conditions: Client apps = Legacy clients
  • Grant: Block
  • Exceptions: None

Tier 2: Risk-Based Policies

These respond to detected risk:

Policy: Block High-Risk Sign-ins

  • Assignments: All users
  • Cloud apps: All cloud apps
  • Conditions: Sign-in risk = High
  • Grant: Block
  • Exceptions: Emergency access accounts

Policy: Require Password Change for High-Risk Users

  • Assignments: All users
  • Conditions: User risk = High
  • Grant: Require password change + MFA

Tier 3: Administrative Policies

Stricter controls for privileged users:

Policy: Require Compliant Device for Admins

  • Assignments: Directory roles (Admin roles)
  • Cloud apps: All cloud apps
  • Grant: Require compliant device + MFA
  • Exceptions: Emergency access accounts

Policy: Block Admin Access from Non-Trusted Locations

  • Assignments: Directory roles (Admin roles)
  • Conditions: Locations = All except trusted
  • Cloud apps: Azure portal, M365 admin center
  • Grant: Block

Tier 4: Application-Specific Policies

Targeted controls for sensitive apps:

Policy: Require Managed Device for SharePoint

  • Assignments: All users
  • Cloud apps: SharePoint Online
  • Grant: Require compliant OR hybrid Azure AD joined
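The seven policies above, written out as Microsoft Graph `conditionalAccessPolicy` objects (the JSON shape that `POST /identity/conditionalAccess/policies` accepts), plus a trusted named location for design principle 2. This is an added example, not code from the article or from TrueConfig. The state value `enabledForReportingButNotEnforced` and the `builtInControls` names are Graph's own values; every GUID-like string (emergency account object IDs, admin role template IDs, portal and SharePoint app IDs) is a constructed placeholder you must replace, and the 203.0.113.0/24 range is a documentation subnet used as sample input.

```python
"""Added example (not code from the original article): the four tiers
expressed as Microsoft Graph conditionalAccessPolicy objects, the JSON
shape accepted by POST /identity/conditionalAccess/policies.  Every
policy starts in report-only mode (design principle 3) and every policy
except the legacy-auth block excludes the emergency access accounts.
All GUID-like values below are constructed placeholders."""
import json

# Constructed placeholders: replace with your tenant's object IDs.
EMERGENCY_ACCESS_ACCOUNTS = ["<breakglass-1-object-id>", "<breakglass-2-object-id>"]
ADMIN_ROLE_TEMPLATE_IDS = ["<global-admin-role-template-id>", "<exchange-admin-role-template-id>"]
ADMIN_PORTAL_APP_IDS = ["<azure-portal-app-id>", "<m365-admin-center-app-id>"]
SHAREPOINT_APP_ID = "<sharepoint-online-app-id>"

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's report-only state
ALL_USERS = {"includeUsers": ["All"]}
ADMINS = {"includeRoles": ADMIN_ROLE_TEMPLATE_IDS}


def policy(name, users, grant, operator="OR", apps=None, client_app_types=None,
           sign_in_risk=None, user_risk=None, locations=None,
           exclude_emergency=True, state=REPORT_ONLY):
    """Build one conditionalAccessPolicy document."""
    conditions = {
        # Copy the user scope and add the emergency-account exclusion.
        "users": {**users, "excludeUsers": list(EMERGENCY_ACCESS_ACCOUNTS) if exclude_emergency else []},
        "applications": apps or {"includeApplications": ["All"]},
        "clientAppTypes": client_app_types or ["all"],
    }
    if sign_in_risk:
        conditions["signInRiskLevels"] = sign_in_risk
    if user_risk:
        conditions["userRiskLevels"] = user_risk
    if locations:
        conditions["locations"] = locations
    return {
        "displayName": name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": operator, "builtInControls": grant},
    }


def framework():
    """The article's seven policies, one dict each, in tier order."""
    return [
        # Tier 1: foundation
        policy("CA-T1 Require MFA for all users", ALL_USERS, ["mfa"]),
        policy("CA-T1 Block legacy authentication", ALL_USERS, ["block"],
               client_app_types=["exchangeActiveSync", "other"],
               exclude_emergency=False),  # article: no exceptions
        # Tier 2: risk-based (sign-in and user risk signals need Entra ID P2)
        policy("CA-T2 Block high-risk sign-ins", ALL_USERS, ["block"], sign_in_risk=["high"]),
        policy("CA-T2 Password change for high-risk users", ALL_USERS,
               ["mfa", "passwordChange"], operator="AND", user_risk=["high"]),
        # Tier 3: administrative
        policy("CA-T3 Require compliant device for admins", ADMINS,
               ["compliantDevice", "mfa"], operator="AND"),
        policy("CA-T3 Block admin portals outside trusted locations", ADMINS, ["block"],
               apps={"includeApplications": ADMIN_PORTAL_APP_IDS},
               locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
        # Tier 4: application-specific
        policy("CA-T4 Managed device for SharePoint", ALL_USERS,
               ["compliantDevice", "domainJoinedDevice"], operator="OR",
               apps={"includeApplications": [SHAREPOINT_APP_ID]}),
    ]


def trusted_office_location(name, cidrs):
    """A trusted ipNamedLocation (design principle 2): define it once, and
    "AllTrusted" in the admin location policy above refers to it."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
                     for c in cidrs],
    }


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range, used here as a constructed sample.
    print(json.dumps(trusted_office_location("HQ office", ["203.0.113.0/24"]), indent=2))
    for p in framework():
        print(json.dumps(p, indent=2))
```

Keeping the policies as code (or as exported JSON in version control) makes the "Exceptions" rows reviewable: the only policy built with `exclude_emergency=False` is the legacy-auth block, which cannot lock out a modern-auth break-glass account, and nothing leaves report-only until someone deliberately changes `state`.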

Design Principles

1. Start Restrictive, Loosen as Needed

It's easier to add exceptions than to tighten existing policies. Start with strong defaults.

2. Use Named Locations

Define your trusted locations (offices, VPN ranges) once, reference everywhere.

3. Test in Report-Only Mode

Every new policy should run in report-only for at least a week. Review the sign-in logs for unexpected blocks.

4. Document Exceptions

Every exception needs justification. "Because it broke something" isn't enough—understand why and whether there's a better solution.

5. Review Quarterly

Policies drift too. People leave, apps get deprecated, requirements change. Review every 90 days.

Common Gotchas

The Lockout

If you require MFA for admins and your MFA provider has an outage, you're locked out. Solution: Emergency access accounts with exclusions.

The Mobile Break

Requiring compliant devices sounds great until you realize half your users access email from personal phones. Solution: App protection policies instead of device requirements for mobile scenarios.

The Policy Gap

You block legacy auth but miss the Exchange Online protocol. Solution: Test policies against all authentication flows.

How TrueConfig Helps

We evaluate your Conditional Access policies against best practices:

  • CA-01: MFA enforcement coverage
  • CA-02: Legacy authentication blocking
  • CA-03: Risk-based policy implementation
  • CA-04: Admin access restrictions

When policies drift or get disabled, we alert you. When gaps exist, we show you exactly what to fix.

Next Steps

  1. Audit your current policies against this framework
  2. Identify gaps (we can help)
  3. Implement missing policies in report-only mode
  4. Review logs, adjust exclusions
  5. Enable enforcement
  6. Set up monitoring for drift

Avoiding the Lockout

Remember the admin lockout story from the beginning? Here's how to prevent it:

  1. Always exclude emergency access accounts from every policy
  2. Test in report-only mode for at least a week before enforcement
  3. Have a documented recovery plan before you need it
  4. Monitor for policy changes so you know when someone modifies your carefully designed policies
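The three gotchas and the four lockout-prevention steps above can be checked mechanically against a policy export. The audit below is an added example, not the article's code and not TrueConfig's CA-01 to CA-04 checks: it takes the `value` array returned by `GET /identity/conditionalAccess/policies` (the `id`, `displayName`, `state`, `createdDateTime`, `conditions` and `grantControls` fields are Graph's), flags policies that don't exclude every emergency account, policies enforced before a week of report-only, a legacy-auth block that misses one of the two legacy client types, and drift against a saved snapshot. The finding codes, the sample policies (a reconstruction of the lockout scenario from the opening story) and the placeholder IDs are all constructed.

```python
"""Added example (not from the original article, and not TrueConfig's
CA-01..CA-04 checks): an offline audit of exported Conditional Access
policies for the gotchas the article names.  Input is the `value` array
returned by GET /identity/conditionalAccess/policies; the finding codes
and all sample data below are constructed."""
from datetime import datetime, timedelta, timezone

REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # the two legacy client types


def _ts(value):
    """Parse a Graph timestamp; drop fractional seconds so any precision parses."""
    return datetime.fromisoformat(value.split(".")[0].rstrip("Z") + "+00:00")


def audit(policies, emergency_accounts, baseline=None, now=None, soak_days=7):
    """Return (code, policy name, detail) tuples for every rule the policy set breaks."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for p in policies:
        if p.get("state") == "disabled":
            continue  # inert now, but the drift check below notices if it used to be on
        name = p.get("displayName", "<unnamed>")
        cond = p.get("conditions", {})
        client_types = set(cond.get("clientAppTypes", ["all"]))
        # The Lockout: any policy that can touch modern-auth sessions must exclude
        # every emergency account.  A block scoped only to legacy client types
        # cannot lock out a break-glass account, so the article gives it no exceptions.
        missing = set(emergency_accounts) - set(cond.get("users", {}).get("excludeUsers", []))
        if missing and not client_types <= LEGACY_CLIENT_APP_TYPES:
            findings.append(("LOCKOUT", name, f"emergency accounts not excluded: {sorted(missing)}"))
        # Design principle 3: a week of report-only before enforcement.
        if p.get("state") == "enabled" and p.get("createdDateTime"):
            age = now - _ts(p["createdDateTime"])
            if age < timedelta(days=soak_days):
                findings.append(("NO-SOAK", name, f"enforced {age.days} day(s) after creation"))
    # The Policy Gap: both legacy client types must be blocked for all users.
    covered = set()
    for p in policies:
        cond = p.get("conditions", {})
        if (p.get("state") == "enabled"
                and "block" in p.get("grantControls", {}).get("builtInControls", [])
                and "All" in cond.get("users", {}).get("includeUsers", [])):
            covered |= set(cond.get("clientAppTypes", [])) & LEGACY_CLIENT_APP_TYPES
    if covered != LEGACY_CLIENT_APP_TYPES:
        findings.append(("POLICY-GAP", "*",
                         f"legacy auth not blocked for: {sorted(LEGACY_CLIENT_APP_TYPES - covered)}"))
    # Drift: compare with a saved snapshot so a disabled or edited policy is noticed.
    if baseline is not None:
        current = {p["id"]: p for p in policies}
        for b in baseline:
            cur = current.get(b["id"])
            if cur is None:
                findings.append(("DRIFT", b["displayName"], "policy deleted"))
            elif cur.get("state") != b.get("state"):
                findings.append(("DRIFT", b["displayName"], f"state {b['state']} -> {cur['state']}"))
            elif (cur.get("conditions"), cur.get("grantControls")) != (b.get("conditions"), b.get("grantControls")):
                findings.append(("DRIFT", b["displayName"], "conditions or grant controls modified"))
    return findings


# --- constructed sample: the article's lockout scenario plus a drifted baseline ---
EMERGENCY = ["<breakglass-1-object-id>", "<breakglass-2-object-id>"]
NOW = datetime(2025, 1, 5, tzinfo=timezone.utc)


def _p(pid, name, state, users, controls, client_types=None, created="2024-06-01T00:00:00Z"):
    return {"id": pid, "displayName": name, "state": state, "createdDateTime": created,
            "conditions": {"users": users, "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": client_types or ["all"]},
            "grantControls": {"operator": "AND", "builtInControls": controls}}


BASELINE = [
    _p("p1", "Require MFA for all users", "enabled",
       {"includeUsers": ["All"], "excludeUsers": EMERGENCY}, ["mfa"]),
    _p("p2", "Block legacy authentication", "enabled",
       {"includeUsers": ["All"], "excludeUsers": []}, ["block"], ["exchangeActiveSync", "other"]),
]
CURRENT = [
    # someone switched the MFA policy off
    _p("p1", "Require MFA for all users", "disabled",
       {"includeUsers": ["All"], "excludeUsers": EMERGENCY}, ["mfa"]),
    # ...and narrowed the legacy block so "other" clients slip through
    _p("p2", "Block legacy authentication", "enabled",
       {"includeUsers": ["All"], "excludeUsers": []}, ["block"], ["exchangeActiveSync"]),
    # new admin policy: enforced after two days and missing one break-glass exclusion
    _p("p3", "Require compliant device for admins", "enabled",
       {"includeRoles": ["<global-admin-role-template-id>"], "excludeUsers": [EMERGENCY[0]]},
       ["compliantDevice", "mfa"], created="2025-01-03T00:00:00Z"),
]

if __name__ == "__main__":
    for code, name, detail in audit(CURRENT, EMERGENCY, BASELINE, NOW):
        print(f"{code:<10} {name}: {detail}")
```

Run on a schedule against a fresh export with the last approved export as `baseline`, and a `DRIFT` finding is exactly step 4 above: you learn that a policy was disabled or edited, rather than discovering it the morning the MFA provider has an outage.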

Security isn't a project; it's a process. Conditional Access gives you the tools. A systematic framework ensures you use them well.


TrueConfig monitors your Conditional Access policies for drift and gaps. When policies get disabled or modified, you will know within hours.