Common Conditional Access policies

Is this page helpful?

Any additional feedback?

Feedback will be sent to Microsoft: by pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.

Security defaults are great for some but many organizations need more flexibility than they offer. Many organizations need to exclude specific accounts like their emergency access or break-glass administration accounts from Conditional Access policies. The policies referenced in this article can be customized based on organizational needs. Organizations can use report-only mode for Conditional Access to determine the results of new policy decisions.

Conditional Access templates (Preview)

Conditional Access templates are designed to provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.

The 14 policy templates are split into policies that would be assigned to user identities or devices. Find the templates in the Azure portal > Azure Active Directory > Security > Conditional Access > Create new policy from template.

Important

Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to exclude other accounts open the policy and modify the excluded users and groups to include them.

By default, each policy is created in report-only mode, we recommended organizations test and monitor usage, to ensure intended result, before turning each policy on.

• Identities
  • Require multi-factor authentication for admins*
  • Securing security info registration
  • Block legacy authentication*
  • Require multi-factor authentication for all users*
  • Require multi-factor authentication for guest access
  • Require multi-factor authentication for Azure management*
  • Require multi-factor authentication for risky sign-in Requires Azure AD Premium P2
  • Require password change for high-risk users Requires Azure AD Premium P2
• Devices
  • Require compliant or Hybrid Azure AD joined device for admins
  • Block access for unknown or unsupported device platform
  • No persistent browser session
  • Require approved client apps or app protection
  • Require compliant or Hybrid Azure AD joined device or multi-factor authentication for all users
  • Use application enforced restrictions for unmanaged devices

* These four policies when configured together, provide similar functionality enabled by security defaults.

Organizations not comfortable allowing Microsoft to create these policies can create them manually by copying the settings from View policy summary or use the linked articles to create policies themselves.

Other policies

• Block access by location
• Block access except specific apps

Emergency access accounts

More information about emergency access accounts and why they're important can be found in the following articles:

• Manage emergency access accounts in Azure AD
• Create a resilient access control management strategy with Azure Active Directory

Next steps

• Simulate sign in behavior using the Conditional Access What If tool.

• Use report-only mode for Conditional Access to determine the results of new policy decisions.