Conditional Access Decision Matrix for Microsoft Entra ID


A Conditional Access Decision Matrix is one of the most valuable Operational and Security References in Microsoft Entra ID because it helps Administrators quickly determine:

  • Who is Affected
  • What Conditions are Evaluated
  • Which Controls are Enforced
  • Which Authentication Methods are Allowed
  • Which Sessions are Restricted
  • What Exceptions Exist
  • Why Access Was Granted or Blocked

This Becomes Critical in:

  • Zero Trust Deployments
  • MFA Rollouts
  • Compliance Enforcement
  • Hybrid Environments
  • BYOD Management
  • Privileged Access Protection
  • Incident Response
  • Troubleshooting Sign-In Failures

Core Conditional Access Evaluation Flow

Conditional Access evaluates access in this general order:

1.     User or Workload Identity

2.     Cloud App or Action

3.     Conditions

4.     Grant Controls

5.     Session Controls

6.     Final Access Decision

The final result is:

  • Allow
  • Allow with Controls
  • Block

High-Value Conditional Access Decision Matrix

Scenario

User Type

Device State

Location

Risk Level

App

Grant Control

Session Control

Result

Standard employee accessing M365 from corporate laptop

Internal User

Compliant

Trusted

Low

Microsoft 365

Require MFA

None

Allow

Employee accessing M365 from personal device

Internal User

Non-compliant

Trusted

Low

Microsoft 365

Require MFA + App Protection

Limited session

Allow with restrictions

Admin accessing Azure Portal

Privileged Admin

Compliant

Trusted

Low

Azure Management

Require phishing-resistant MFA

Sign-in frequency

Allow

Admin accessing from unmanaged device

Privileged Admin

Non-compliant

Trusted

Low

Azure Management

Block

N/A

Block

User connecting from foreign country

Internal User

Any

Untrusted

Medium

Any

Require MFA

Monitor session

Allow with controls

High-risk sign-in detected

Any

Any

Any

High

Any

Block

N/A

Block

Guest user accessing Teams

Guest

Unknown

Any

Low

Teams

Require MFA

Terms of use

Allow

Service account legacy authentication

Service Account

N/A

Any

N/A

Exchange Online

Block legacy auth

N/A

Block

User using unsupported authentication protocol

Any

Any

Any

N/A

Exchange Online

Block

N/A

Block

Contractor accessing SharePoint

Guest/Contractor

Non-compliant

Any

Low

SharePoint

Require MFA

Restrict download

Allow limited

User accessing HR application

Internal User

Compliant

Trusted

Low

HR App

Require MFA

Idle timeout

Allow

User with impossible travel risk

Any

Any

Any

High

Any

Password reset + MFA

N/A

Block until remediated

Most Important Conditional Access Conditions

User or Group

Common Targets:

  • All Users
  • Administrators
  • Guests
  • Contractors
  • Break-Glass Exclusions
  • Service Accounts

Best Practice:
Never Apply Policies directly to Individual Users unless Temporary.

Cloud Apps

Most Commonly Protected:

  • Microsoft 365
  • Azure Management
  • Exchange Online
  • SharePoint Online
  • Teams
  • Salesforce
  • ServiceNow
  • Custom Enterprise Apps

Device State

Most Common Device Conditions:

  • Compliant
  • Hybrid Joined
  • Entra Joined
  • Registered
  • Unknown
  • Unmanaged

Most secure combination:

  • Require Compliant Device
  • Require Phishing-Resistant MFA

Locations

Trusted:

  • Corporate Offices
  • VPN Egress IPs
  • Approved Countries

Untrusted:

  • TOR
  • Anonymous IP
  • Foreign Countries
  • High-Risk Locations

Common Control:

  • Block High-Risk Countries
  • Require MFA Outside Trusted Locations

Sign-In Risk

Risk Engine Evaluates:

  • Impossible Travel
  • Anonymous IP
  • Malware-Linked IP
  • Password Spray
  • Token Replay
  • Suspicious Behavior

Typical Policy:

Risk Level

Action

Low

Allow

Medium

Require MFA

High

Block

User Risk

User Risk Evaluates Compromised Accounts Over Time.

Typical Response:

User Risk

Action

Low

Allow

Medium

Password Reset

High

Block Access

Grant Controls Matrix

Grant Control

Purpose

Typical Use

Require MFA

Additional authentication

Standard security baseline

Require compliant device

Managed endpoint enforcement

Corporate devices

Require Hybrid Joined device

Domain-integrated systems

Hybrid enterprises

Require approved app

Mobile app governance

BYOD

Require app protection policy

MAM enforcement

Personal mobile devices

Require password change

Compromised accounts

User risk remediation

Block access

Full deny

High-risk scenarios

Require authentication strength

Strong MFA methods

Privileged access

Authentication Strength Matrix

Authentication Method

Security Level

Recommended Usage

SMS MFA

Weak

Temporary only

Voice Call

Weak

Avoid if possible

Microsoft Authenticator Push

Medium

Standard users

Number Matching

Strong

Recommended baseline

FIDO2 Security Key

Very Strong

Administrators

Certificate-based Auth

Very Strong

High-security orgs

Windows Hello for Business

Very Strong

Enterprise devices

Passkeys

Very Strong

Future-ready deployments

Session Controls Matrix

Session Control

Purpose

Sign-In Frequency

Force Periodic Reauthentication

Persistent Browser Session

Prevent Token Persistence

App-Enforced Restrictions

Browser-Only Restrictions

Continuous Access Evaluation

Real-Time Token Revocation

Defender Session Control

Risk-Based Live Session Monitoring

Most Common Enterprise Policies

Security Baseline Policy

Setting

Value

Users

All Users

Exclusions

Break-Glass Accounts

Apps

All Cloud Apps

Grant

Require MFA

Result

Secure Baseline

Privileged Access Policy

Setting

Value

Users

Admin Roles

Device

Compliant

Grant

Phishing-Resistant MFA

Session

4-Hour Sign-In Frequency

Result

Hardened Admin Access

Legacy Authentication Block Policy

Setting

Value

Client Apps

Legacy Authentication

Grant

Block

Result

Prevent Protocol Abuse

Guest Access Policy

Setting

Value

Users

Guests

Apps

M365

Grant

MFA

Session

Restrict Downloads

Result

Controlled Collaboration

Common Conditional Access Failure Scenarios

Issue

Cause

MFA Loop

Multiple Overlapping Policies

Unexpected Block

Hidden Inherited Condition

Admin Lockout

No Exclusion Account

Mobile App Failure

Unsupported Modern Auth

Sharepoint Restriction Issue

Session Control Conflict

Guest Blocked

External ID Trust Issue

PIM Activation Fails

Authentication Strength Mismatch

VPN Users Blocked

Trusted Location Missing

Best Practices

1.     Always Maintain Emergency Break-Glass Accounts

2.     Exclude Break-Glass Accounts From All CA Policies

3.     Use Report-Only Mode Before Enforcement

4.     Start with MFA Policies First

5.     Block Legacy Authentication Globally

6.     Protect Privileged Roles Separately

7.     Use Authentication Strengths Instead of Generic MFA

8.     Require Compliant Devices for Administrators

9.     Use Named Locations Carefully

10.  Test Policies with Pilot Groups First

11.  Monitor Sign-In Logs Continuously

12.  Use Conditional Access Insights and Reporting

13.  Document Policy Precedence and Overlaps

14.  Avoid Excessive Policy Sprawl

15.  Use policy Naming Standards

Recommended Enterprise Policy Order

Priority

Policy

1

Break-Glass Exclusions

2

Legacy Authentication Block

3

Admin MFA Enforcement

4

Global MFA

5

Device Compliance

6

Guest Restrictions

7

Risk-Based Policies

8

Session Restrictions

Most Valuable Real-World Conditional Access References

Administrators Constantly Reference:

  • Authentication Strengths
  • Device States
  • Risk Levels
  • Grant Controls
  • Policy Precedence
  • Named Locations
  • Session Restrictions
  • Sign-in logs
  • Exclusions
  • Hybrid Join Behavior

These become Daily Operational References in nearly every Enterprise using Microsoft Entra ID.

 

0 comments

Leave a comment

Please note, comments need to be approved before they are published.