Common Conditional Access policies
Security defaults work well for some organizations, but many need more flexibility than they offer. For example, many organizations need to exclude specific accounts, such as their emergency access or break-glass administration accounts, from Conditional Access policies that require multi-factor authentication. For those organizations, the common policies referenced in this article can be useful.
Emergency access accounts
More information about emergency access accounts and why they are important can be found in the following articles:
- Manage emergency access accounts in Azure AD
- Create a resilient access control management strategy with Azure Active Directory
Typical policies deployed by organizations
- Require MFA for administrators*
- Require MFA for Azure management*
- Require MFA for all users*
- Block legacy authentication*
- Risk-based Conditional Access (Requires Azure AD Premium P2)
- Require trusted location for MFA registration
- Block access by location
- Require compliant device
* These four policies, when configured together, mimic the functionality enabled by security defaults.
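The following is an added example, not code from the original article or from Microsoft's documentation, showing how the break-glass exclusion described above is applied in practice. It creates the "Require MFA for all users" policy with the Microsoft Graph PowerShell SDK, excludes one emergency access account, starts the policy in report-only mode, and reads the policy back to confirm the exclusion before anyone enables it. The module name, scopes and cmdlets are the real Microsoft Graph SDK ones; the policy display name and the break-glass UPN are placeholders you must replace with your own.

```powershell
# Added example: "Require MFA for all users" with a break-glass exclusion,
# via the Microsoft Graph PowerShell SDK. Display name and UPN below are
# placeholders (assumptions), not values from the article.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

# Policy.ReadWrite.ConditionalAccess to create the policy, User.Read.All to resolve the UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Graph expects the account's object id in excludeUsers, not its UPN, so resolve it first.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # placeholder
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) {
    # Refuse to continue: a policy that targets All users with no exclusion can lock out every admin.
    throw "Break-glass account '$breakGlassUpn' not found; not creating an unexcluded policy."
}

$policy = @{
    displayName = "CA001 - Require MFA for all users"        # placeholder name
    # Report-only first: sign-in logs show who would have been blocked before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and verify the exclusion actually landed before the state is changed to "enabled".
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    throw "Policy $($check.Id) does not exclude the break-glass account; do not enable it."
}
$check | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs confirm the expected impact, then switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. The same users/exclusion shape applies to the other starred policies in the list; only the conditions and grant controls differ.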