CA-01CriticalRecommended Secure

Require MFA via Conditional Access Policy

Conditional Access control for Microsoft 365 and Entra ID

Why This Control Matters

Conditional Access policies provide granular MFA enforcement with proper exclusions. Unlike Security Defaults, CA policies allow you to exclude emergency access accounts while still protecting all users.

Expected State

When this control is compliant, your tenant should meet these criteria:

1At least one Conditional Access policy requires MFA for all users
2Policy applies to all cloud applications
3Emergency access accounts are excluded
4Policy state is Enabled (not Report-only)

Enforcement

Default Mode

Advisory

Alerts on deviations but does not make changes

Auto-Remediation

Available

Creates a Conditional Access policy requiring MFA for all users

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.