This chapter covers Conditional Access Policy Design, a critical component of Identity Governance in Microsoft Entra ID (formerly Azure AD). On the AZ-305 exam, this topic appears in roughly 15-20% of questions related to identity and access management, often as part of scenario-based design decisions. Mastering CA is essential for designing secure, least-privilege access for hybrid and cloud-native environments. We'll explore the core components, policy structure, design patterns, and exam-specific traps.
Jump to a section
Think of Conditional Access (CA) as an airport's security checkpoint system. The airport has a single entrance (like Azure AD), but not everyone who enters gets the same treatment. Passengers (users) present their boarding pass and ID (primary authentication). The security system then checks multiple conditions: Is the passenger on a watchlist (user risk)? Is their flight domestic or international (location)? Is it a last-minute booking (sign-in risk)? What type of device are they carrying (device compliance)? Based on these conditions, the system enforces different actions: a domestic passenger might only need a quick ID check (require MFA), while an international passenger must go through additional screening (require compliant device and MFA). If a passenger appears on a watchlist (high risk), they are pulled aside for secondary screening (block access or require password change). The system logs every check and action (Azure AD logs). Just like an airport can dynamically adjust security based on threat level (emergency mode), CA policies can be toggled on/off or set to report-only. The key mechanism is that conditions are evaluated before granting access, not after.
What is Conditional Access and Why Does It Exist?
Conditional Access (CA) is the policy engine in Microsoft Entra ID that brings together signals from various sources to make access decisions. It is not an authentication mechanism itself; rather, it is a conditional gatekeeper that runs after primary authentication (user/password or other) but before access is granted to a resource. The purpose is to enforce granular, risk-based access controls that go beyond static rules like "require MFA for all users." CA enables organizations to protect resources based on conditions such as user identity, location, device state, application sensitivity, and real-time risk.
How Conditional Access Works Internally
When a user attempts to access an application that is configured to use Azure AD for authentication, the following sequence occurs:
Primary Authentication: The user provides credentials and authenticates to Azure AD. This step must succeed; CA does not replace authentication.
Policy Evaluation: Azure AD evaluates all CA policies that apply to the user, the application, and the conditions. Policies are evaluated in order of priority (the highest priority policy is applied first, but technically all policies are evaluated, and the most restrictive combination is enforced).
Grant Controls: Based on the evaluation, Azure AD determines what additional controls must be satisfied (e.g., MFA, device compliance, terms of use).
Session Controls: After grant controls, session controls can limit the user's session (e.g., app enforced restrictions, token lifetime).
Access Decision: If all conditions and controls are met, the user gets a token and accesses the resource. If not, access is blocked or a challenge is issued.
Key internal details: CA policies are stored in the Azure AD tenant as JSON objects. They are evaluated on every authentication request, including token refresh requests (if the session is within the token lifetime). The evaluation is performed by the Azure AD Security Token Service (STS).
Key Components of a Conditional Access Policy
A CA policy consists of:
Name: A descriptive name.
Assignments: Who (users/groups), what (cloud apps/actions), and conditions (sign-in risk, device platforms, locations, client apps, filter for devices).
Access Controls: Grant (block access, grant access with requirements like MFA, compliant device, hybrid Azure AD joined device, approved client app, app protection policy, password change) and Session (use app enforced restrictions, use Conditional Access App Control, sign-in frequency, persistent browser session).
Enable policy: On, Off, or Report-only.
#### Assignments in Detail
Users and groups: All users, specific users/groups, or exclude certain users (e.g., emergency break-glass accounts). Exclusions take precedence over inclusions.
Cloud apps or actions: All cloud apps, select apps, or user actions (like Register security info). Common exam trap: you cannot target on-premises apps directly unless they are published via Azure AD Application Proxy.
Conditions: - Sign-in risk: Low, Medium, High (requires Azure AD Premium P2). Risk is calculated by Azure AD Identity Protection. - Device platforms: Android, iOS, Windows, macOS, Linux (only for device-based conditions). - Locations: Named locations (IP ranges, countries) or trusted/untrusted locations. Trusted locations are typically corporate networks. - Client apps: Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients. - Filter for devices: Use device attributes (e.g., device model, operating system version) with rules.
Access Controls
Grant: - Block access: Overrides all other controls. - Grant access: Requires one or more of: Require MFA, Require device to be marked as compliant, Require Hybrid Azure AD joined device, Require approved client app, Require app protection policy, Require password change. You can choose to require all selected controls (AND) or one of the selected controls (OR).
Session: - Use app enforced restrictions: For Exchange Online and SharePoint Online, this lets the app enforce its own restrictions (e.g., download limits). - Use Conditional Access App Control: Routes traffic through Microsoft Defender for Cloud Apps for session-level monitoring and control. - Sign-in frequency: Controls how often the user must re-authenticate. Values: every 1-14 days (for persistence) or every 1-24 hours (for session). Default for Azure AD is 90 days for refresh tokens. - Persistent browser session: Allows users to stay signed in even after closing the browser. Default is off for most tenants.
Configuration and Verification
CA policies are configured in the Azure portal under Azure Active Directory > Security > Conditional Access. They can also be managed via Microsoft Graph API (beta endpoint).
Example PowerShell using Microsoft Graph:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
displayName = "Require MFA for all users"
state = "enabled"
conditions = @{
userRiskLevels = @()
signInRiskLevels = @()
clientAppTypes = @("all")
platforms = @{
includePlatforms = @("all")
excludePlatforms = @()
}
locations = @{
includeLocations = @("All")
excludeLocations = @()
}
applications = @{
includeApplications = @("All")
excludeApplications = @()
}
users = @{
includeUsers = @("All")
excludeUsers = @()
}
}
grantControls = @{
operator = "OR"
builtInControls = @("mfa")
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsVerification: Use the What If tool in the CA portal to simulate access requests. Also, check Azure AD sign-in logs for policy evaluation details.
How CA Interacts with Related Technologies
Azure AD Identity Protection: Provides risk signals (user risk, sign-in risk) that can be used as conditions in CA policies.
Microsoft Intune: Device compliance policies (e.g., require encryption, jailbreak detection) feed into device compliance status, which CA can require.
Microsoft Defender for Cloud Apps: Session controls (Conditional Access App Control) allow real-time monitoring and control of app sessions.
Azure AD Privileged Identity Management (PIM): CA can be used to enforce MFA for privileged role activation.
Common Defaults and Timers
Sign-in frequency default: 90 days for refresh tokens, but CA can override to 1-24 hours or 1-14 days.
Session token lifetime: Default is 1 hour for access tokens, 24 hours for session tokens (varies by app).
Policy evaluation timeout: CA policies are evaluated synchronously; there is no specific timeout, but the entire authentication process should complete within seconds.
Exam-Specific Details
Report-only mode: Allows testing policies without impacting users. Logs results to sign-in logs and workbooks.
Emergency access accounts: Should be excluded from all CA policies. Typically two break-glass accounts with long, complex passwords.
Policy priority: Policies are evaluated in order of their creation (oldest first) but the most restrictive combination is applied. However, if a policy explicitly blocks access, that takes precedence.
Device compliance vs. Hybrid Azure AD join: Device compliance requires Intune enrollment; Hybrid Azure AD join is for domain-joined devices. Both can be used in CA.
Trap Patterns
Common wrong answer: "Conditional Access can block authentication before primary authentication." Reality: Primary authentication always occurs first.
Common wrong answer: "CA policies are evaluated only once per session." Reality: They are evaluated on every token request, including refresh, unless the session is persistent.
Common wrong answer: "You can use CA to enforce MFA for on-premises apps directly." Reality: On-premises apps need to be published via Azure AD Application Proxy to be targeted.
Common wrong answer: "All conditions are optional." Reality: At minimum, you must select users and cloud apps (or actions).
Define Policy Objectives
Start by identifying the business and security requirements. For example, require MFA for all external access, block legacy authentication, or require compliant devices for sensitive apps. Document the conditions (who, what, where, when) and the desired grant/session controls. This step ensures alignment with Zero Trust principles. Avoid creating overly broad or conflicting policies.
Configure Assignments
In the Azure portal, navigate to Conditional Access > New policy. Under Assignments, select Users and groups: choose all users or specific groups, and exclude emergency access accounts. Under Cloud apps or actions: select target applications (e.g., Office 365, custom apps) or user actions like 'Register security info'. Under Conditions: configure sign-in risk, device platforms, locations, client apps, and filter for devices as needed. Each condition is optional.
Set Access Controls
Under Access controls > Grant, choose either Block access or Grant access. If Grant access, select the required controls: MFA, device compliance, Hybrid Azure AD join, approved client app, app protection policy, or password change. Use the AND/OR operator to combine them. Under Session, configure sign-in frequency, persistent browser session, or app controls. These controls are enforced after successful primary authentication.
Test with Report-Only Mode
Before enabling the policy, set it to Report-only mode. This allows the policy to be evaluated but not enforced. The results appear in the Azure AD sign-in logs and the Conditional Access insights workbook. Use the What If tool to simulate specific scenarios. Verify that the policy behaves as expected (e.g., MFA is triggered for the right users). This step prevents accidental lockouts.
Enable and Monitor
Once testing is complete, change the policy state to On. Monitor sign-in logs for policy evaluation results. Pay attention to failed authentications due to policy. Use the Conditional Access insights workbook to track policy impact. Adjust policies as needed based on user feedback and security incidents. Regularly review policies to ensure they remain effective and aligned with organizational changes.
Scenario 1: Require MFA for All External Users
A multinational corporation wants to require MFA for all users accessing Office 365 from outside the corporate network. They create a CA policy targeting all users, all cloud apps, and exclude trusted locations (their on-premises IP ranges). The grant control is 'Require MFA'. In production, this works well but causes friction for users who frequently travel. They mitigate by using sign-in frequency of 7 days to reduce MFA prompts. A common misconfiguration is forgetting to exclude emergency access accounts, which can lock out admins. Performance is not an issue; MFA is handled by Azure AD, and policy evaluation is fast.
Scenario 2: Block Legacy Authentication
A healthcare organization must block legacy authentication protocols (POP, IMAP, SMTP) to prevent credential stuffing attacks. They create a CA policy targeting all users, all cloud apps, and under Conditions > Client apps, select 'Exchange ActiveSync clients' and 'Other clients'. Grant control is 'Block access'. This effectively blocks all non-modern auth. However, they must ensure that service accounts using legacy protocols are excluded or migrated. A common mistake is blocking 'Other clients' without realizing that some legitimate apps (like older Office versions) use modern auth but are categorized as 'Other clients'. They use report-only mode to identify affected users.
Scenario 3: Require Compliant Devices for Sensitive Apps
A financial services firm wants to ensure that only managed, compliant devices can access their internal CRM app. They create a CA policy targeting the CRM app, all users, and require device compliance. Devices must be enrolled in Intune and comply with policies (e.g., encryption, antivirus). In production, this requires that all users have Intune licenses and devices are enrolled. A common issue is that personal devices (BYOD) may not be enrolled, blocking access. They create a separate policy for BYOD that requires MFA and app protection policy instead. They also configure session controls to limit download of sensitive data. This scenario tests the candidate's understanding of device-based conditions and the interplay between Intune and CA.
The AZ-305 exam tests Conditional Access design primarily under objective 1.1: Identity Governance. Look for questions that ask you to recommend a CA policy to meet security requirements while minimizing user friction. Key areas:
Policy components: Be able to identify correct assignments and controls for a given scenario. For example, 'You need to require MFA for all users accessing SharePoint Online from untrusted networks. What should you configure?' Answer: A CA policy with users=All users, cloud apps=SharePoint Online, conditions=locations (untrusted), grant=require MFA.
2. Common wrong answers: - 'Enable MFA in Azure AD per-user MFA' – This is a static setting, not CA. CA is more granular. - 'Use Azure AD Identity Protection to block sign-ins' – Identity Protection provides risk signals but does not enforce policies; CA does. - 'Require Hybrid Azure AD join for all users' – This is for device-based control, not for MFA. - 'Set a CA policy to block legacy authentication for all users' – This is correct but only if the scenario mentions legacy protocols.
Exam-specific numbers/values:
Sign-in frequency: every 1-24 hours or 1-14 days.
Default session token lifetime: 90 days for refresh tokens.
Number of named locations: up to 195 (IP ranges) and 195 (countries).
Policy evaluation: all applicable policies are evaluated, and the most restrictive combination is enforced.
Edge cases:
Report-only mode: Know that it logs results but does not enforce.
Emergency access accounts: Must be excluded from all CA policies.
Device compliance vs. Hybrid Azure AD join: Device compliance requires Intune; Hybrid Azure AD join requires domain join.
Client apps: 'Other clients' includes clients using legacy auth and modern auth that are not browsers or mobile apps.
How to eliminate wrong answers:
If the answer mentions 'per-user MFA' or 'Azure AD Identity Protection' as the policy itself, it's wrong. CA is the policy engine.
If the answer says 'block access without any grant controls', that's valid but only if the scenario requires blocking.
If the answer includes 'require MFA and device compliance' with AND operator, ensure the scenario requires both. Often, OR is acceptable.
If the answer suggests targeting on-premises apps directly, it's wrong unless they are published via App Proxy.
Conditional Access policies are evaluated after primary authentication and before access to the resource.
All applicable policies are evaluated; the most restrictive combination of grant controls is enforced.
Block access overrides all grant controls.
Emergency access accounts must be excluded from all CA policies (at least two break-glass accounts).
Report-only mode logs policy results but does not enforce; use for testing.
Sign-in frequency can be set from 1-24 hours or 1-14 days; default refresh token lifetime is 90 days.
CA cannot target on-premises apps directly unless published via Azure AD Application Proxy.
Legacy authentication can be blocked by targeting 'Exchange ActiveSync clients' and 'Other clients' in conditions.
Device compliance requires Intune enrollment; Hybrid Azure AD join requires domain join.
Named locations support up to 195 IP ranges and 195 countries per tenant.
These come up on the exam all the time. Here's how to tell them apart.
Per-User MFA
Enabled per user account in Azure AD
Always prompts for MFA regardless of context
Cannot exclude based on location or device
No support for session controls
Simpler but less flexible
Conditional Access MFA
Configured via policies in Conditional Access
Can conditionally prompt based on risk, location, device, app
Supports exclusions (e.g., trusted locations)
Supports session controls like sign-in frequency
Granular and scalable
Device Compliance (Intune)
Requires Intune enrollment
Can include personal devices (BYOD)
Checks compliance policies (encryption, jailbreak)
Evaluated during CA policy evaluation
More flexible for non-domain devices
Hybrid Azure AD Join
Requires domain join + Azure AD connect
Only for corporate devices
Signals that device is managed by domain
Also evaluated during CA policy evaluation
Suitable for fully managed enterprise devices
Mistake
Conditional Access policies are evaluated before primary authentication.
Correct
Primary authentication always completes first. CA evaluates after the user is authenticated but before access is granted to the resource.
Mistake
All CA policies are evaluated and the first policy that applies is enforced.
Correct
All applicable policies are evaluated, and the most restrictive combination of grant controls is enforced. However, if any policy blocks access, the result is block.
Mistake
You can use CA to require MFA for on-premises applications directly.
Correct
CA can only target cloud apps or apps published via Azure AD Application Proxy. On-premises apps without App Proxy cannot be directly targeted.
Mistake
Report-only mode prevents the policy from being evaluated.
Correct
Report-only mode evaluates the policy and logs the result, but does not enforce it. It's used for testing.
Mistake
CA policies apply to all authentication requests, including service-to-service.
Correct
CA applies to user sign-ins, not to service-to-service authentication (e.g., daemon apps using client credentials).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure AD Identity Protection detects risks (e.g., leaked credentials, anonymous IP) and assigns risk levels. Conditional Access uses those risk levels as conditions in policies to enforce actions like MFA or block. Identity Protection does not enforce policies; CA does.
Yes. In the CA policy, under Cloud apps or actions, select the specific applications (e.g., SharePoint Online, custom enterprise app). You can also target 'All cloud apps' and then exclude specific ones.
Set the policy to Report-only mode. It will evaluate and log results but not enforce. Use the What If tool to simulate specific users and conditions. Check sign-in logs for policy evaluation details.
All applicable policies are evaluated. The most restrictive combination of grant controls is enforced. For example, if one policy requires MFA and another requires a compliant device, the user must satisfy both (AND). If any policy blocks access, the result is block.
Yes. Create a CA policy targeting all users and all cloud apps. Under Conditions > Client apps, select 'Exchange ActiveSync clients' and 'Other clients' (which includes legacy protocols). Set Grant to Block access. This will block legacy authentication attempts.
Basic CA features (e.g., MFA based on location) require P1. Risk-based conditions (sign-in risk, user risk) require P2. Session controls like Conditional Access App Control require additional licensing (Microsoft Defender for Cloud Apps).
In each CA policy, under Users and groups, include the users you want to target and then exclude the emergency access accounts (typically two break-glass accounts). It's a best practice to have a separate policy that explicitly excludes them from all policies.
You've just covered Conditional Access Policy Design — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?