
A Conditional Access Decision Matrix is one of the most valuable Operational and Security References in Microsoft Entra ID because it helps Administrators quickly determine:
- Who is Affected
- What Conditions are Evaluated
- Which Controls are Enforced
- Which Authentication Methods are Allowed
- Which Sessions are Restricted
- What Exceptions Exist
- Why Access Was Granted or Blocked
This Becomes Critical in:
- Zero Trust Deployments
- MFA Rollouts
- Compliance Enforcement
- Hybrid Environments
- BYOD Management
- Privileged Access Protection
- Incident Response
- Troubleshooting Sign-In Failures
Core Conditional Access Evaluation Flow
Conditional Access evaluates access in this general order:
1. User or Workload Identity
2. Cloud App or Action
3. Conditions
4. Grant Controls
5. Session Controls
6. Final Access Decision
The final result is:
- Allow
- Allow with Controls
- Block
High-Value Conditional Access Decision Matrix
|
Scenario |
User Type |
Device State |
Location |
Risk Level |
App |
Grant Control |
Session Control |
Result |
|
Standard employee accessing M365 from corporate laptop |
Internal User |
Compliant |
Trusted |
Low |
Microsoft 365 |
Require MFA |
None |
Allow |
|
Employee accessing M365 from personal device |
Internal User |
Non-compliant |
Trusted |
Low |
Microsoft 365 |
Require MFA + App Protection |
Limited session |
Allow with restrictions |
|
Admin accessing Azure Portal |
Privileged Admin |
Compliant |
Trusted |
Low |
Azure Management |
Require phishing-resistant MFA |
Sign-in frequency |
Allow |
|
Admin accessing from unmanaged device |
Privileged Admin |
Non-compliant |
Trusted |
Low |
Azure Management |
Block |
N/A |
Block |
|
User connecting from foreign country |
Internal User |
Any |
Untrusted |
Medium |
Any |
Require MFA |
Monitor session |
Allow with controls |
|
High-risk sign-in detected |
Any |
Any |
Any |
High |
Any |
Block |
N/A |
Block |
|
Guest user accessing Teams |
Guest |
Unknown |
Any |
Low |
Teams |
Require MFA |
Terms of use |
Allow |
|
Service account legacy authentication |
Service Account |
N/A |
Any |
N/A |
Exchange Online |
Block legacy auth |
N/A |
Block |
|
User using unsupported authentication protocol |
Any |
Any |
Any |
N/A |
Exchange Online |
Block |
N/A |
Block |
|
Contractor accessing SharePoint |
Guest/Contractor |
Non-compliant |
Any |
Low |
SharePoint |
Require MFA |
Restrict download |
Allow limited |
|
User accessing HR application |
Internal User |
Compliant |
Trusted |
Low |
HR App |
Require MFA |
Idle timeout |
Allow |
|
User with impossible travel risk |
Any |
Any |
Any |
High |
Any |
Password reset + MFA |
N/A |
Block until remediated |
Most Important Conditional Access Conditions
User or Group
Common Targets:
- All Users
- Administrators
- Guests
- Contractors
- Break-Glass Exclusions
- Service Accounts
Best Practice:
Never Apply Policies directly to Individual Users unless Temporary.
Cloud Apps
Most Commonly Protected:
- Microsoft 365
- Azure Management
- Exchange Online
- SharePoint Online
- Teams
- Salesforce
- ServiceNow
- Custom Enterprise Apps
Device State
Most Common Device Conditions:
- Compliant
- Hybrid Joined
- Entra Joined
- Registered
- Unknown
- Unmanaged
Most secure combination:
- Require Compliant Device
- Require Phishing-Resistant MFA
Locations
Trusted:
- Corporate Offices
- VPN Egress IPs
- Approved Countries
Untrusted:
- TOR
- Anonymous IP
- Foreign Countries
- High-Risk Locations
Common Control:
- Block High-Risk Countries
- Require MFA Outside Trusted Locations
Sign-In Risk
Risk Engine Evaluates:
- Impossible Travel
- Anonymous IP
- Malware-Linked IP
- Password Spray
- Token Replay
- Suspicious Behavior
Typical Policy:
|
Risk Level |
Action |
|
Low |
Allow |
|
Medium |
Require MFA |
|
High |
Block |
User Risk
User Risk Evaluates Compromised Accounts Over Time.
Typical Response:
|
User Risk |
Action |
|
Low |
Allow |
|
Medium |
Password Reset |
|
High |
Block Access |
Grant Controls Matrix
|
Grant Control |
Purpose |
Typical Use |
|
Require MFA |
Additional authentication |
Standard security baseline |
|
Require compliant device |
Managed endpoint enforcement |
Corporate devices |
|
Require Hybrid Joined device |
Domain-integrated systems |
Hybrid enterprises |
|
Require approved app |
Mobile app governance |
BYOD |
|
Require app protection policy |
MAM enforcement |
Personal mobile devices |
|
Require password change |
Compromised accounts |
User risk remediation |
|
Block access |
Full deny |
High-risk scenarios |
|
Require authentication strength |
Strong MFA methods |
Privileged access |
Authentication Strength Matrix
|
Authentication Method |
Security Level |
Recommended Usage |
|
SMS MFA |
Weak |
Temporary only |
|
Voice Call |
Weak |
Avoid if possible |
|
Microsoft Authenticator Push |
Medium |
Standard users |
|
Number Matching |
Strong |
Recommended baseline |
|
FIDO2 Security Key |
Very Strong |
Administrators |
|
Certificate-based Auth |
Very Strong |
High-security orgs |
|
Windows Hello for Business |
Very Strong |
Enterprise devices |
|
Passkeys |
Very Strong |
Future-ready deployments |
Session Controls Matrix
|
Session Control |
Purpose |
|
Sign-In Frequency |
Force Periodic Reauthentication |
|
Persistent Browser Session |
Prevent Token Persistence |
|
App-Enforced Restrictions |
Browser-Only Restrictions |
|
Continuous Access Evaluation |
Real-Time Token Revocation |
|
Defender Session Control |
Risk-Based Live Session Monitoring |
Most Common Enterprise Policies
Security Baseline Policy
|
Setting |
Value |
|
Users |
All Users |
|
Exclusions |
Break-Glass Accounts |
|
Apps |
All Cloud Apps |
|
Grant |
Require MFA |
|
Result |
Secure Baseline |
Privileged Access Policy
|
Setting |
Value |
|
Users |
Admin Roles |
|
Device |
Compliant |
|
Grant |
Phishing-Resistant MFA |
|
Session |
4-Hour Sign-In Frequency |
|
Result |
Hardened Admin Access |
Legacy Authentication Block Policy
|
Setting |
Value |
|
Client Apps |
Legacy Authentication |
|
Grant |
Block |
|
Result |
Prevent Protocol Abuse |
Guest Access Policy
|
Setting |
Value |
|
Users |
Guests |
|
Apps |
M365 |
|
Grant |
MFA |
|
Session |
Restrict Downloads |
|
Result |
Controlled Collaboration |
Common Conditional Access Failure Scenarios
|
Issue |
Cause |
|
MFA Loop |
Multiple Overlapping Policies |
|
Unexpected Block |
Hidden Inherited Condition |
|
Admin Lockout |
No Exclusion Account |
|
Mobile App Failure |
Unsupported Modern Auth |
|
Sharepoint Restriction Issue |
Session Control Conflict |
|
Guest Blocked |
External ID Trust Issue |
|
PIM Activation Fails |
Authentication Strength Mismatch |
|
VPN Users Blocked |
Trusted Location Missing |
Best Practices
1. Always Maintain Emergency Break-Glass Accounts
2. Exclude Break-Glass Accounts From All CA Policies
3. Use Report-Only Mode Before Enforcement
4. Start with MFA Policies First
5. Block Legacy Authentication Globally
6. Protect Privileged Roles Separately
7. Use Authentication Strengths Instead of Generic MFA
8. Require Compliant Devices for Administrators
9. Use Named Locations Carefully
10. Test Policies with Pilot Groups First
11. Monitor Sign-In Logs Continuously
12. Use Conditional Access Insights and Reporting
13. Document Policy Precedence and Overlaps
14. Avoid Excessive Policy Sprawl
15. Use policy Naming Standards
Recommended Enterprise Policy Order
|
Priority |
Policy |
|
1 |
Break-Glass Exclusions |
|
2 |
Legacy Authentication Block |
|
3 |
Admin MFA Enforcement |
|
4 |
Global MFA |
|
5 |
Device Compliance |
|
6 |
Guest Restrictions |
|
7 |
Risk-Based Policies |
|
8 |
Session Restrictions |
Most Valuable Real-World Conditional Access References
Administrators Constantly Reference:
- Authentication Strengths
- Device States
- Risk Levels
- Grant Controls
- Policy Precedence
- Named Locations
- Session Restrictions
- Sign-in logs
- Exclusions
- Hybrid Join Behavior
These become Daily Operational References in nearly every Enterprise using Microsoft Entra ID.
0 comments