Conditional Access
Access policies and conditional requirements
Require MFA via Conditional Access Policy
Conditional Access (CA) policies enforce MFA with granular scoping and explicit exclusions. Unlike Security Defaults, which apply to every account with no exceptions, a CA policy can target all users while excluding a small set of emergency access (break-glass) accounts, so an MFA outage or a misconfigured policy cannot lock every administrator out of the tenant. Create each new policy in report-only mode and review the sign-in log before switching it to enforced.
Require MFA for All Administrators
Administrator accounts are prime targets for attackers. Even when MFA is required for all users, a dedicated policy scoped to directory roles (rather than to a group, whose membership can drift) keeps admins covered if the all-users policy is later loosened or given an exclusion, and its own entries in the sign-in log give clear visibility into admin authentication. Only the break-glass accounts should be excluded from it; for these roles, consider an authentication strength that requires phishing-resistant MFA.
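The two policies above, expressed as the request bodies you would POST to the Microsoft Graph Conditional Access endpoint, together with a small lint that runs before anything is created. This is an added example, not code from the page: the break-glass object IDs are placeholders, the role template IDs are the built-in ones (verify them with Get-MgDirectoryRoleTemplate in your tenant), and the lint rules are the author's own pre-deployment checks, not a Graph feature.

```python
"""Graph bodies for 'MFA for all users' and 'MFA for admins', plus a lint that
runs before anything is POSTed. Constructed example; GUIDs for the break-glass
accounts are placeholders."""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Built-in directory role template IDs (same in every tenant); verify locally.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
ADMIN_ROLES = [GLOBAL_ADMIN, PRIV_ROLE_ADMIN, SECURITY_ADMIN]

# Placeholder object IDs for the two emergency access accounts (constructed).
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"]

REPORT_ONLY = "enabledForReportingButNotEnforced"


def mfa_all_users(break_glass_ids=BREAK_GLASS):
    """CA001: every user, every cloud app, MFA; break-glass accounts excluded."""
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": REPORT_ONLY,                      # flip to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_admins(break_glass_ids=BREAK_GLASS, role_ids=ADMIN_ROLES):
    """CA002: scoped by directory role, so a group membership change cannot
    silently drop an admin out of the policy."""
    return {
        "displayName": "CA002 - Require MFA for administrators",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeRoles": list(role_ids),
                      "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy, break_glass_ids=BREAK_GLASS):
    """Author's pre-deployment checks; an empty list means safe to create."""
    findings = []
    users = policy["conditions"]["users"]
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
    if missing:
        findings.append("break-glass accounts not excluded: " + ", ".join(sorted(missing)))
    if "All" in users.get("includeUsers", []) and "block" in controls:
        findings.append("block control scoped to All users: tenant-wide lockout")
    if policy["state"] != REPORT_ONLY:
        findings.append("new policy should start in report-only mode")
    return findings


def create_policy(policy, access_token):
    """POST the body to Graph (needs Policy.ReadWrite.ConditionalAccess).
    Refuses to run when the lint reports anything; not called in this file."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for p in (mfa_all_users(), mfa_admins()):
        print(p["displayName"], "->", lint_policy(p) or "ok")
```

The lint deliberately refuses a policy that is not in report-only mode: the intended workflow is create, watch the sign-in log for the report-only result, then PATCH the state to enabled.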
Block Access from High-Risk Countries
Blocking access from countries where you have no users reduces geopolitical exposure and can support export-control obligations (ITAR, EAR) as one control among others, though it does not satisfy them on its own. The block is built on a country named location, which resolves the country from the client IP (or from GPS where the Authenticator app supplies it) and can optionally treat IPs with no geolocation record as matched. A VPN or proxy exit in an allowed country bypasses the control, so it stops opportunistic attacks such as password spray from non-business geographies and narrows the attack surface rather than defeating a determined nation-state actor.
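As an added example (not from the page), the named location and the block policy as Graph request bodies, followed by a deliberately simplified local evaluation of the location condition over constructed sign-ins. It shows the two cases practitioners ask about: an IP with no geolocation record is blocked because includeUnknownCountriesAndRegions is set, and the same attacker on a VPN exit in an allowed country is not. The location id and user object IDs are placeholders, and the evaluator ignores every condition other than users and locations.

```python
"""Country named location, the block policy that references it, and a local
check of the location condition. Constructed example with placeholder IDs."""

BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]   # placeholder object ID


def blocked_countries_location(country_codes):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Blocked countries",
        "countriesAndRegions": sorted(country_codes),    # ISO 3166-1 alpha-2
        "includeUnknownCountriesAndRegions": True,       # unresolvable IP -> matched
        "countryLookupMethod": "clientIpAddress",
    }


def block_from_location(location_id, break_glass_ids=BREAK_GLASS):
    """Body for POST /identity/conditionalAccess/policies; location_id is the
    id Graph returned when the named location was created."""
    return {
        "displayName": "CA003 - Block access from blocked countries",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def location_decision(policy, locations, signin):
    """Simplified evaluator for the users and locations conditions only.
    signin = {"user": object_id, "country": "XX" or None for an unresolvable IP}."""
    users = policy["conditions"]["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return "allow"
    if "All" not in users.get("includeUsers", []) and signin["user"] not in users.get("includeUsers", []):
        return "allow"
    for loc_id in policy["conditions"]["locations"]["includeLocations"]:
        loc = locations[loc_id]
        country = signin["country"]
        hit = (country in loc["countriesAndRegions"]
               or (country is None and loc["includeUnknownCountriesAndRegions"]))
        if hit and "block" in policy["grantControls"]["builtInControls"]:
            return "block"
    return "allow"


# Constructed data: pretend Graph returned this id for the named location.
LOC_ID = "loc-0001"
LOCATIONS = {LOC_ID: blocked_countries_location({"KP", "IR"})}
POLICY = block_from_location(LOC_ID)

SIGNINS = [  # constructed sample sign-ins
    {"user": "aaaa", "country": "KP"},            # direct from a blocked country
    {"user": "aaaa", "country": None},            # IP with no geolocation record
    {"user": BREAK_GLASS[0], "country": "KP"},    # excluded break-glass account
    {"user": "aaaa", "country": "US"},            # same attacker via a US VPN exit
]


def decisions(signins=SIGNINS, policy=POLICY, locations=LOCATIONS):
    return [location_decision(policy, locations, s) for s in signins]


if __name__ == "__main__":
    for s, d in zip(SIGNINS, decisions()):
        print(s, "->", d)
```

The fourth sign-in is the limitation the paragraph describes: nothing in the location condition distinguishes a VPN exit from a genuine user in that country, which is why this policy should sit alongside the risk-based and device-based policies rather than replace them.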
Enforce Session Lifetime Limits for Guests and Admins
Guests and admins carry elevated risk. Guest accounts reach your data from devices you do not manage, so a shorter session lifetime (the sign-in frequency session control) bounds how long a stolen session stays useful, and disabling the persistent browser session removes the "stay signed in" option. Admin sessions should be short-lived for the same reason. Regular users on managed, compliant devices can keep longer sessions to avoid productivity impact, because the device itself is the control there.
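An added example, not from the page, of the two session policies and of the arithmetic behind the sign-in frequency control: a policy can carry session controls with no grant controls, guests and admins get different lifetimes from one builder, and check_schedule shows when a fresh interactive sign-in becomes due. The role template ID and break-glass object ID are placeholders for your tenant's values.

```python
"""Sign-in frequency and persistent-browser session controls for guests and
admins, plus the re-authentication check they imply. Constructed example."""
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]   # placeholder object ID


def session_limit_policy(name, users, value, unit, break_glass_ids=BREAK_GLASS):
    """Session-controls-only policy; `users` is the conditions.users block.
    The persistent browser control requires the policy to cover all cloud apps."""
    users = dict(users, excludeUsers=list(break_glass_ids))
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": unit, "value": value,
                                "frequencyInterval": "timeBased",
                                "authenticationType": "primaryAndSecondaryAuthentication"},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},  # no "stay signed in"
        },
    }


GUEST_SESSIONS = session_limit_policy(
    "CA004 - Sign-in frequency for guests",
    {"includeUsers": ["GuestsOrExternalUsers"]}, 1, "days")
ADMIN_SESSIONS = session_limit_policy(
    "CA005 - Sign-in frequency for admins",
    {"includeRoles": [GLOBAL_ADMIN]}, 4, "hours")


def reauth_due(policy, last_auth, now):
    """True when the sign-in frequency control requires a fresh interactive sign-in."""
    sif = policy["sessionControls"]["signInFrequency"]
    if not sif["isEnabled"]:
        return False
    if sif["frequencyInterval"] == "everyTime":      # the other supported interval
        return True
    unit = {"hours": timedelta(hours=1), "days": timedelta(days=1)}[sif["type"]]
    return now - last_auth >= sif["value"] * unit


def check_schedule(policy, hours_since_auth, now=None):
    """Convenience wrapper: is re-authentication due `hours_since_auth` hours on?"""
    now = now or datetime.now(timezone.utc)
    return reauth_due(policy, now - timedelta(hours=hours_since_auth), now)


if __name__ == "__main__":
    for hours in (3, 5, 23, 24):
        print(hours, "h since auth: admin", check_schedule(ADMIN_SESSIONS, hours),
              "guest", check_schedule(GUEST_SESSIONS, hours))
```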
Require Compliant Devices for Admin Access
A compromised or unmanaged device may carry keyloggers, malware, or screen-capture tools. Requiring a managed, compliant device for admin access (the "require device to be marked as compliant" grant control, backed by an Intune compliance policy) means privileged actions occur only from endpoints you control and monitor.
Block or Require MFA for Risky Sign-Ins
Microsoft Entra ID Protection scores each sign-in for anomalies (atypical or impossible travel, anonymous IP, IPs linked to malware or known attack infrastructure). A sign-in risk policy escalates the grant control only when risk is detected, typically MFA at medium and high risk and block at high, so normal low-risk sign-ins see no extra friction. Risk-based policies require the Entra ID P2 licence.
Remediate High-Risk Users Automatically
When Entra ID Protection determines that a user's credentials have been leaked (found in a breach dump or offered on a dark web market, for example), the user risk policy requires a password change before the attacker can use them. The change is gated behind MFA, so an attacker holding only the password cannot complete it and take over the account. The user must already be registered for MFA, and hybrid users need password writeback enabled for the reset to succeed.
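For the two risk passages above, an added example (not the page's own) of the sign-in risk and user risk policy bodies, the grant-control combination Graph requires for a password change, and a local walk-through of which controls a constructed risk event ends up with when several policies match. Risk levels are the ones Entra ID Protection reports (none, low, medium, high); the user IDs are placeholders.

```python
"""Sign-in risk and user risk policies, the passwordChange grant constraint,
and a simplified combination of matching policies. Constructed example."""

BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]   # placeholder object ID


def _policy(name, conditions, operator, controls, break_glass_ids=BREAK_GLASS):
    """All users and all cloud apps, with extra risk conditions merged in."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            **conditions,
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


SIGNIN_RISK_MFA = _policy("CA006 - MFA for medium and high sign-in risk",
                          {"signInRiskLevels": ["medium", "high"]}, "OR", ["mfa"])
SIGNIN_RISK_BLOCK = _policy("CA007 - Block high sign-in risk",
                            {"signInRiskLevels": ["high"]}, "OR", ["block"])
USER_RISK_RESET = _policy("CA008 - Password change for high user risk",
                          {"userRiskLevels": ["high"]}, "AND", ["mfa", "passwordChange"])


def validate_grant(policy):
    """Graph rejects passwordChange unless paired with mfa under AND: the user
    proves a second factor before the leaked password is replaced."""
    gc = policy["grantControls"]
    if "passwordChange" in gc["builtInControls"]:
        if gc["operator"] != "AND" or "mfa" not in gc["builtInControls"]:
            raise ValueError(f'{policy["displayName"]}: passwordChange requires AND with mfa')
    return True


def required_controls(policies, event):
    """event = {"user": id, "signInRisk": level, "userRisk": level}.
    Every matching policy applies together; a block in any of them wins."""
    required = set()
    for p in policies:
        c = p["conditions"]
        if event["user"] in c["users"]["excludeUsers"]:
            continue
        if "signInRiskLevels" in c and event["signInRisk"] not in c["signInRiskLevels"]:
            continue
        if "userRiskLevels" in c and event["userRisk"] not in c["userRiskLevels"]:
            continue
        controls = set(p["grantControls"]["builtInControls"])
        if "block" in controls:
            return {"block"}
        required |= controls
    return required


POLICIES = [SIGNIN_RISK_MFA, SIGNIN_RISK_BLOCK, USER_RISK_RESET]

EVENTS = [  # constructed risk events, as Entra ID Protection would score them
    {"user": "u1", "signInRisk": "none", "userRisk": "none"},
    {"user": "u1", "signInRisk": "medium", "userRisk": "none"},
    {"user": "u1", "signInRisk": "high", "userRisk": "none"},
    {"user": "u1", "signInRisk": "none", "userRisk": "high"},
    {"user": BREAK_GLASS[0], "signInRisk": "high", "userRisk": "high"},
]


def walk(events=EVENTS, policies=POLICIES):
    """Validate every policy, then list the controls each event would require."""
    for p in policies:
        validate_grant(p)
    return [sorted(required_controls(policies, e)) for e in events]


if __name__ == "__main__":
    for e, r in zip(EVENTS, walk()):
        print(e, "->", r or "no additional control")
```

The last event is the reminder that the break-glass exclusion also removes those accounts from risk remediation: monitor their sign-ins separately with an alert rather than a policy.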
Enable Token Protection
A stolen token can be replayed from any device or location. Token protection (the "require token protection for sign-in sessions" session control) cryptographically binds the sign-in session token to the device it was issued to, so a refresh token lifted from one machine does not work on another. Coverage is narrower than the name suggests: it applies to sign-in session (refresh) tokens, not access tokens, and is supported only for a limited set of platforms and Microsoft 365 services (Windows desktop clients for Exchange Online and SharePoint Online at the time of writing). Scope the policy accordingly, run it in report-only mode to find unsupported clients, and treat it as one layer alongside compliant-device controls and continuous access evaluation rather than the sole defense against token theft.
Require Compliant Devices for Global Admins
Global Administrator is the highest-privilege role in the tenant, and its credentials on a non-compliant device are at high risk: keyloggers, malware, and credential theft are common on unmanaged endpoints. Requiring a compliant device for this role, with no exclusions beyond the break-glass accounts, keeps its actions on secured endpoints even if the broader admin policy has exceptions.
Require App Protection for Mobile Access
Mobile devices that access corporate data should do so through apps covered by an Intune app protection policy; the "require app protection policy" grant control enforces this for mobile clients. It prevents data leakage into unmanaged apps (copy and paste, save to local storage, device backup) and keeps corporate data encrypted and selectively wipeable on personal devices without managing the whole device.
Zero Trust Network Access
Zero Trust: never trust, always verify. Every access request is evaluated against device health, user and sign-in risk, location, and the app being requested, and the controls from all matching policies are combined rather than applied in isolation. This makes a compromised device or credential far less useful on its own, though not harmless: each check covers only the signals Entra can see.
Restrict Admin Access to Privileged Access Workstations
Privileged Access Workstations (PAWs) are hardened devices dedicated to admin tasks. By restricting the Microsoft admin portals to PAWs, using a filter for devices that matches a PAW tag (for example, an extension attribute set during provisioning), you stop credential theft from a compromised daily-use device from turning into tenant compromise. Devices that do not match the filter, including unregistered ones, are blocked.
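One added example, not the page's own, serving the device-bound passages above (compliant device for admin access and for Global Admins, token protection, app protection for mobile access, and the PAW restriction): the four policy bodies as Graph would accept them, and a check of the scoping each one depends on. Assumptions: the PAW tag lives in device extensionAttribute1 (a convention you would set during provisioning, not anything Entra mandates), the Windows-only and Exchange/SharePoint-only scoping for token protection reflects the supported set at the time of writing, and the secureSignInSession session control may still need the beta Graph endpoint in some tenants.

```python
"""Device-bound admin policies: compliant device, app protection on mobile,
token protection, and a PAW-only filter for the admin portals, with a
constraint check. Constructed example with placeholder IDs."""

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
ADMIN_ROLES = [GLOBAL_ADMIN, PRIV_ROLE_ADMIN]
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]   # placeholder object ID
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # first-party app IDs
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
REPORT_ONLY = "enabledForReportingButNotEnforced"
PAW_RULE = 'device.extensionAttribute1 -eq "PAW"'        # assumed tagging convention


def compliant_device_for_admins():
    return {
        "displayName": "CA009 - Compliant device for administrators",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeRoles": ADMIN_ROLES, "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def app_protection_on_mobile():
    return {
        "displayName": "CA010 - App protection policy on iOS and Android",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
    }


def token_protection():
    return {
        "displayName": "CA011 - Token protection for Exchange and SharePoint",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"]},   # browsers unsupported
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},
    }


def paw_only_admin_portals():
    # mode "exclude": the block applies to every device that does NOT match the
    # PAW rule, which includes unregistered devices that carry no attributes.
    return {
        "displayName": "CA012 - Admin portals only from PAWs",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeRoles": ADMIN_ROLES, "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
            "clientAppTypes": ["all"],
            "devices": {"deviceFilter": {"mode": "exclude", "rule": PAW_RULE}}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def check_constraints(policy):
    """Author's scoping checks for these controls; empty list means ok."""
    c, findings = policy["conditions"], []
    session = policy.get("sessionControls", {})
    if session.get("secureSignInSession", {}).get("isEnabled"):
        if c.get("platforms", {}).get("includePlatforms") != ["windows"]:
            findings.append("token protection: scope to the windows platform only")
        if c.get("clientAppTypes") != ["mobileAppsAndDesktopClients"]:
            findings.append("token protection: desktop and mobile clients only, browsers are not covered")
        if not set(c["applications"]["includeApplications"]) <= {EXCHANGE_ONLINE, SHAREPOINT_ONLINE}:
            findings.append("token protection: limit the apps to the supported services")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    device_filter = c.get("devices", {}).get("deviceFilter")
    if "block" in controls and device_filter and device_filter["mode"] == "include":
        findings.append("device filter: block with mode include blocks the matched devices, not the others")
    if set(BREAK_GLASS) - set(c["users"].get("excludeUsers", [])):
        findings.append("break-glass accounts not excluded")
    return findings


def all_policies():
    return [compliant_device_for_admins(), app_protection_on_mobile(),
            token_protection(), paw_only_admin_portals()]


def findings_for_all():
    """Map of policy name -> findings, listing only policies with problems."""
    return {p["displayName"]: check_constraints(p) for p in all_policies()
            if check_constraints(p)}


if __name__ == "__main__":
    print(findings_for_all() or "all four policies pass the scoping checks")
```

The device filter check is the one most worth keeping: flipping the filter to mode include with the same rule and a block grant would block exactly the PAWs and let every other device through, and report-only mode is the only thing that would reveal it before an admin was locked out.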