Things you wish you knew, things you may think you knew, but you did not

If you would like to explore this topic in greater depth, see my book Nothing but Microsoft Entra ID: All the Way to Mastery

Seamless SSO

Free SSO: the user signs in to the app once. That is basic convenience.

P1 SSO: the user signs in to the app once, but access is also evaluated against device compliance, location, MFA, session controls, and app restrictions. Now identity becomes a security boundary.

P2 SSO: the user signs in to the app once, while Microsoft AI additionally evaluates impossible travel, risk, leaked credentials, and suspicious behavior.

What P1 Gives You: P1 gives strong, deterministic security controls.

P1 Capabilities:

  • MFA
  • Conditional Access
  • Device Compliance
  • App Protection
  • Trusted Locations
  • Session Controls
  • Authentication Strength
  • Legacy Auth Blocking

This is Policy-Driven Access Control.

What P2 Adds: P2 adds intelligent, adaptive security.

P2 Capabilities:

  • Impossible Travel Detection
  • Password Spray Detection
  • Anonymous IP Detection
  • User Risk Scoring
  • Sign-In Risk Scoring
  • Leaked Credential Detection
  • Risk Remediation
  • Risk-Based Password Reset
  • AI Behavioral Analytics
  • Risk Investigation Tools

With P1, security decisions are mostly binary and administrator-defined: IF the conditions exist THEN take the action.

Examples:

| Condition | Action |
|---|---|
| Outside Trusted Location | Require MFA |
| Non-Compliant Device | Block |
| Legacy Authentication | Block |
| Guest User | Restrict Access |

This is mostly Static Logic.

With P2, Microsoft adds machine learning, behavioral analytics, risk scoring, and threat intelligence.

Now decisions become adaptive and probabilistic.

Instead of "IF country = China THEN Block", the engine evaluates:

  • Historical Behavior
  • Travel Feasibility
  • Token Behavior
  • Device Reputation
  • IP Reputation
  • User Baseline
  • Attack Patterns
  • Threat Intelligence
  • Session Anomalies

Then Dynamically Determines Risk.

P1 Thinks Like This

Logic Style:

  • Rule-Based
  • Static
  • Deterministic
  • Explicit Conditions
  • Binary evaluation

P2 Thinks Like This

| P1 | P2 |
|---|---|
| Policy-Driven Security | Risk-Driven Security |
| Static Trust Model | Adaptive Trust Model |
| Explicit Rules | Behavioral Inference |
| Administrator Logic | AI-Assisted Logic |
| Known Conditions | Unknown Anomaly Detection |

P1: Condition → Policy → Action
P2: Behavior → AI Analysis → Risk → Policy → Action

Conditional Access vs Identity Protection

A common mistake is to mix up Conditional Access capabilities, Identity Protection capabilities, and their licensing boundaries, especially between Microsoft Entra ID P1 and P2. The tables below separate them.

Core Difference

| Feature Area | Purpose |
|---|---|
| Conditional Access Policy (CAP) | Access Control and Session Enforcement |
| Identity Protection Policy (IPP) | Risk Remediation and Compromise Response |

Enforcement Actions

| Enforcement Action | Conditional Access (P1) | Identity Protection (P2) |
|---|---|---|
| Allow Access | Yes | No |
| Block Access | Yes | Yes |
| Require MFA | Yes | Yes |
| Require Authentication Strength | Yes | No |
| Require Compliant Device | Yes | No |
| Require Hybrid Joined Device | Yes | No |
| Require Approved App | Yes | No |
| Restrict Session | Yes | No |
| Require Terms of Use | Yes | No |
| Limit Browser Session | Yes | No |
| Require App Protection Policy | Yes | No |
| Require Password Change | No | Yes |
| Force Secure Password Reset | No | Yes |
| User Risk Remediation | No | Yes |
| Sign-in Risk Evaluation | Limited Integration | Yes |
| User Risk Evaluation | No | Yes |
| Detect Leaked Credentials | No | Yes |
| Detect Impossible Travel | No Direct Detection | Yes |
| Detect Password Spray | No Direct Detection | Yes |
| Detect Anonymous IP | No Direct Detection | Yes |
| Detect Malware IP | No Direct Detection | Yes |
| Detect Token Theft | No Direct Detection | Yes |
| Risk-Based Automation | Limited | Full |
| Risk Investigation Reports | No | Yes |
| Risky User Reports | No | Yes |
| Risky Sign-in Reports | No | Yes |

Licensing Breakdown

| Feature | P1 | P2 |
|---|---|---|
| Conditional Access | Yes | Yes |
| MFA Enforcement | Yes | Yes |
| Device Compliance Policies | Yes | Yes |
| Session Controls | Yes | Yes |
| Identity Protection | No | Yes |
| User Risk Policies | No | Yes |
| Sign-in Risk Policies | No | Yes |
| Risk-Based Password Reset | No | Yes |
| Risk Detections | No | Yes |
| Leaked Credential Detection | No | Yes |
| Impossible Travel Detection | No | Yes |

Important Architectural Reality with P1 only:

You can still create very strong security using these P1 capabilities:

  • MFA
  • Device Compliance
  • Location-Based Policies
  • Application Restrictions
  • Session Controls
  • Authentication Strength
  • Trusted Locations
  • Legacy Authentication Blocking

But you do NOT get the following without P2:

  • AI Risk Detections
  • Identity Protection
  • Risk-Based Remediation
  • User Risk Evaluation
  • Password Reset Automation
  • Risk Analytics

Critical Distinction

P1 Conditional Access Logic

IF the user is outside a trusted location, THEN require MFA. This is deterministic policy logic.

P2 Identity Protection Logic

IF Microsoft AI determines the account is compromised, THEN force a password reset. This is risk-adaptive, AI-driven remediation.
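The two rules above, written as Conditional Access policy objects for the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post: it assumes the Microsoft.Graph module is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess scope, and that the break-glass group ID is replaced with your own value (the placeholder is marked). The first policy is pure P1 logic; the second uses the userRiskLevels condition, which only evaluates on a P2-licensed tenant.

```powershell
# Added example (not from the original post): the "Critical Distinction" rules as
# Graph Conditional Access policies. Both are created in report-only state so the
# sign-in log shows what they would have done before anything is enforced.
# Assumptions: Microsoft.Graph module installed, Policy.ReadWrite.ConditionalAccess
# granted, and $breakGlassGroupId replaced with a real group object ID.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder: emergency-access accounts

# P1 logic (deterministic): IF user is outside a trusted location THEN require MFA.
# "AllTrusted" is the built-in reference to every named location marked as trusted.
$p1Policy = @{
    displayName = "CA003 - Require MFA Outside Trusted Locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# P2 logic (risk-adaptive): IF Identity Protection rates user risk as high THEN force a
# secure password reset. "passwordChange" has to be combined with "mfa" under AND.
$p2Policy = @{
    displayName = "CA006 - Require Password Reset for High User Risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($p1Policy, $p2Policy)) {
    # Idempotent: skip policies that already exist under the same display name.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Skipping '$($policy.displayName)': already exists (id $($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
```

Both policies start in report-only mode on purpose: the Conditional Access "What If" tool and the sign-in log's report-only results show the impact before users are affected. Always exclude a break-glass group from any policy that can block or force a password change, or a false-positive risk detection can lock administrators out.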
Very Important Real-World Clarification

Conditional Access can evaluate:

CAP evaluates:

  • User
  • Group
  • App
  • Device
  • Location
  • Client App
  • Device Platform
  • Authentication Strength

Identity Protection evaluates:

  • Risk
  • Behavioral Anomalies
  • Threat Intelligence
  • Credential Compromise
  • Attack Indicators

Common Misunderstanding

Many Admins Think: “Conditional Access does Impossible Travel.”

That is technically incorrect. The correct statement is: “Identity Protection detects impossible travel, and Conditional Access can consume the resulting sign-in risk.” But that requires P2.

Best Enterprise Summary

| Technology | Main Role |
|---|---|
| Conditional Access | Policy Enforcement |
| Identity Protection | Risk Analytics and Remediation |
| P1 | Deterministic Access Control |
| P2 | AI-Driven Risk-Adaptive Security |

Simple Memory Rule

| License | Think Of It As |
|---|---|
| P1 | Access Control Engine |
| P2 | Intelligent Risk Engine |

Most Important Design Reality
You can build a Highly Secure Environment with only P1.

But without P2:

  • Microsoft is not Automatically Detecting Compromise Patterns for you
  • No AI-Driven Risk Remediation Exists
  • No Automated Password Reset Based on Compromise Exists

That distinction is absolutely critical in Enterprise Security Architecture using Microsoft Entra ID.

Microsoft Entra ID Built-in Conditional Access Policy Names

| Built-in Policy Name | Purpose | Typical Configuration |
|---|---|---|
| Require MFA for Admins | Protect Privileged Administrator Accounts | Require MFA for All Admin Roles |
| Block Legacy Authentication | Block Insecure Legacy Authentication Protocols | Block POP, IMAP, SMTP Basic Auth |
| Require MFA for All Users | Enforce MFA Across the Organization | Require MFA for Cloud Apps |
| Require Compliant Device | Allow Access only From Compliant Devices | Intune Compliance Enforcement |
| Require Hybrid Azure AD Joined Device | Restrict Access to Corporate Joined Devices | Hybrid Joined Device Validation |
| Block Access by Location | Block Access from Risky Countries Or Regions | Geo-Location Restriction |
| Require MFA Outside Trusted Locations | MFA Required Outside Corporate Network | Named Location Evaluation |
| Protect Guest User Access | Restrict External User Permissions | MFA and Session Restrictions |
| Require Approved Client Apps | Allow only Approved Mobile Apps | App Protection Enforcement |
| Require App Protection Policy | Protect Corporate Data on Mobile Devices | Intune MAM Integration |
| Require Password Change for High User Risk | Force Secure Password Reset | User Risk Remediation |
| Block High Sign-in Risk | Prevent Suspicious Sign-Ins | Sign-In Risk Policy |
| Require MFA for Medium or High Risk | Strong Authentication for Risky Sign-Ins | Risk-Based Conditional Access |
| Block Unsupported Device Platforms | Restrict Unsupported Operating Systems | Device Platform Filtering |
| Require Terms of Use Acceptance | Enforce Legal or Compliance Agreement | Terms of Use integration |
| Protect Azure Management Access | Secure Azure Portal and Management APIs | MFA for Azure Management |
| Protect Microsoft 365 Access | Secure Exchange, SharePoint, Teams | MFA and Device Compliance |
| Block Access for Unknown Devices | Restrict Unmanaged Endpoints | Device State Evaluation |
| Restrict Browser Session | Limit Downloads or Copy/Paste | Defender for Cloud Apps Session Control |
| Require Authentication Strength | Enforce Phishing-Resistant MFA | FIDO2 or WHfB Required |
| Protect Workload Identities | Secure Service Principals and Automation | Workload Identity Conditional Access |
| Session Sign-in Frequency Policy | Force Periodic Reauthentication | Session Lifetime Control |
| Persistent Browser Session Control | Manage Persistent Browser Sessions | Session Persistence Management |
| Block TOR and Anonymous IP Access | Restrict Anonymized Network Access | Anonymous IP Detection |
| Secure Guest Collaboration Access | Control External Collaboration Sessions | Guest Restrictions |
| Restrict Access to Sensitive Apps | Stronger Protection for Critical Apps | Authentication Context |
| Require Device Compliance for Exchange Online | Protect Email Access | Exchange Online Policy |
| Require Device Compliance for SharePoint Online | Protect Document Access | SharePoint/OneDrive Protection |
| Require MFA for VPN Access | Secure Remote Network Access | VPN Federated Application Security |
| Require MFA for Remote Desktop Access | Secure RDP Access | Remote Access Application Protection |

Microsoft Recommended Conditional Access Templates

Microsoft provides recommended policy templates inside Microsoft Entra ID Conditional Access.

| Microsoft Template | Purpose |
|---|---|
| Secure Foundation: Block Legacy Authentication | Immediate Protection Against Basic Auth |
| Secure Foundation: Require MFA for Admins | Protect Privileged Accounts |
| Zero Trust: Require MFA for All Users | Broad Identity Security |
| Zero Trust: Require Compliant Devices | Device Trust Enforcement |
| Zero Trust: Protect Guest Access | External Collaboration Security |
| Zero Trust: Protect Risky Sign-ins | Risk-Based Access Control |
| Zero Trust: Protect High User Risk | Account Compromise Remediation |
| Remote Work: Require MFA Off-Network | Remote Workforce Security |
| Remote Work: App Protection Policies | BYOD Mobile Security |
| Identity Protection: Sign-in Risk Policy | Dynamic Attack Detection |
| Identity Protection: User Risk Policy | Account Compromise Protection |

Recommended Enterprise Naming Convention

| Example Policy Name | Description |
|---|---|
| CA001 - Require MFA for Global Admins | Admin Protection |
| CA002 - Block Legacy Authentication | Basic Auth Blocking |
| CA003 - Require MFA Outside Trusted Locations | External Access Security |
| CA004 - Require Compliant Devices for M365 | Device Trust Policy |
| CA005 - Block High Risk Sign-ins | Risk Protection |
| CA006 - Require Password Reset for High User Risk | Compromise Remediation |
| CA007 - Restrict Guest Access to SharePoint | B2B Collaboration Control |
| CA008 - Require Phishing Resistant MFA | Strong Authentication |
| CA009 - Block Access from High Risk Countries | Geo-Blocking |
| CA010 - Secure Azure Management Access | Azure Administrative Protection |

Recommended Policy Categories

| Category | Purpose |
|---|---|
| Identity Protection Policies | Risk-Based Security |
| Device-Based Policies | Device Trust Enforcement |
| Application-Based Policies | Per-App Protection |
| Session Control Policies | Real-Time Session Governance |
| Location-Based Policies | Geo/IP Restrictions |
| Administrative Policies | Privileged Account Security |
| Guest/B2B Policies | External Collaboration Protection |
| Compliance Policies | Legal And Regulatory Enforcement |
| Mobile Device Policies | BYOD And Mobile Security |
| Workload Identity Policies | Service Principal Protection |

Example Enterprise Production Policy Set

| Policy Name | Target |
|---|---|
| CA-GlobalAdmins-RequireFIDO2 | All admin accounts |
| CA-AllUsers-BlockLegacyAuth | Entire organization |
| CA-AllUsers-MFA-OffNetwork | Remote users |
| CA-GuestUsers-RestrictedAccess | B2B guest users |
| CA-DeviceCompliance-M365 | Microsoft 365 access |
| CA-HighRiskSignIn-Block | Risky sign-ins |
| CA-HighUserRisk-PasswordReset | Compromised users |
| CA-AzurePortal-RequireCompliantDevice | Azure administration |
| CA-MobileApps-RequireAppProtection | Mobile device security |
| CA-UnmanagedDevices-WebOnly | Browser-only restricted access |

These policies are commonly deployed in environments using Microsoft technologies such as Microsoft Entra ID, Microsoft Intune, and Microsoft Defender for Cloud Apps.
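A naming convention only helps if something checks it. The following added example (not code from the original post) audits the tenant's existing Conditional Access policies against the two naming patterns shown above (the "CA001 - ..." style and the "CA-Scope-Control" style), reports each policy's state, and flags policies that depend on risk signals and therefore need P2 to evaluate. It assumes the Microsoft.Graph module is installed and the caller holds Policy.Read.All; the two regular expressions are this example's own reading of the conventions, not anything Entra enforces.

```powershell
# Added example (not from the original post): audit Conditional Access policy names
# and states. Assumptions: Microsoft.Graph installed, Policy.Read.All granted. The
# naming regexes below are this example's interpretation of the conventions above.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All"

# Pattern 1: "CA001 - Require MFA for Global Admins"
# Pattern 2: "CA-GlobalAdmins-RequireFIDO2" (any number of hyphenated segments)
$namingPatterns = @('^CA\d{3} - \S', '^CA(-[A-Za-z0-9]+)+$')

function Test-CaPolicyName {
    param([string]$Name)
    foreach ($pattern in $namingPatterns) {
        if ($Name -match $pattern) { return $true }
    }
    return $false
}

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    [pscustomobject]@{
        DisplayName    = $p.DisplayName
        State          = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        FollowsNaming  = Test-CaPolicyName -Name $p.DisplayName
        # Sign-in or user risk conditions only evaluate on a P2-licensed tenant.
        UsesRiskSignal = ($p.Conditions.SignInRiskLevels.Count -gt 0) -or
                         ($p.Conditions.UserRiskLevels.Count -gt 0)
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize

"`nPolicies outside the naming convention:"
$report | Where-Object { -not $_.FollowsNaming } | Select-Object -ExpandProperty DisplayName

"`nReport-only policies (not yet enforcing):"
$report | Where-Object State -eq 'enabledForReportingButNotEnforced' | Select-Object -ExpandProperty DisplayName

"`nRisk-based policies (require P2 to evaluate):"
$report | Where-Object UsesRiskSignal | Select-Object -ExpandProperty DisplayName
```

The last section is the practical tie-back to the licensing tables earlier on the page: a policy such as CA-HighRiskSignIn-Block can be created on a P1 tenant, but its risk condition never fires without P2, so the policy silently does nothing.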

Microsoft Entra ID Conditional Access Policy Signals

| Signal / Condition | Description | What It Detects or Evaluates | Common Use Case | Risk Level / Intelligence Source |
|---|---|---|---|---|
| Impossible Travel | Detects sign-ins from geographically distant locations within an unrealistic timeframe | User appears in two distant locations too quickly | Block or require MFA for suspicious travel activity | Identity Protection risk detection |
| Atypical Travel | Detects unusual travel patterns compared to normal user behavior | Uncommon sign-in locations or routes | Trigger MFA or block high-risk access | Identity Protection machine learning |
| Anonymous IP Address | Detects usage of TOR networks, VPN anonymizers, or proxy services | Hidden source IP addresses | Block anonymous sign-ins | Microsoft threat intelligence |
| Malicious IP Address | Detects IPs associated with botnets, malware, or attacks | Known malicious network activity | Immediate block or password reset | Microsoft threat intelligence |
| Compromised Credentials | Detects leaked or stolen credentials | Credentials exposed on dark web or breaches | Force password reset and MFA | Microsoft Identity Protection |
| Password Spray Attack | Detects repeated password attempts against multiple accounts | Brute-force style password spray attacks | Block sign-in or trigger account protection | Identity Protection |
| Malware Linked IP | Detects IP addresses tied to malware infections | Infected endpoint activity | Restrict access from infected systems | Threat intelligence |
| Suspicious Browser Activity | Detects suspicious browser characteristics or behavior | Token theft or malicious automation | Require MFA or block access | Behavioral analytics |
| Unfamiliar Sign-in Properties | Detects sign-ins using unusual devices, browsers, or locations | New or abnormal login patterns | MFA challenge | Identity Protection |
| Sign-in Risk | Measures probability that a sign-in is not legitimate | Real-time suspicious authentication activity | Conditional MFA or block | Identity Protection |
| User Risk | Measures likelihood that a user account is compromised | Long-term account compromise indicators | Password reset enforcement | Identity Protection |
| Device Platform | Evaluates operating system type | Windows, macOS, Linux, iOS, Android | Apply platform-specific access rules | Device signal |
| Device State | Checks whether device is compliant or hybrid joined | Managed vs unmanaged devices | Restrict corporate app access | Intune / Entra integration |
| Compliance Status | Verifies Intune compliance policies | Encryption, antivirus, OS version | Require compliant device | Intune compliance |
| Hybrid Azure AD Joined | Detects if device is domain joined and Entra registered | Corporate managed device verification | Trusted enterprise access | Device identity |
| Client Apps | Identifies authentication method/application type | Browser, mobile app, legacy auth | Block legacy authentication | Authentication signal |
| Legacy Authentication | Detects older protocols without MFA support | POP3, IMAP, SMTP, Basic Auth | Block insecure authentication | Authentication protocol detection |
| Application Filter | Evaluates target cloud application | Office 365, Azure Portal, Salesforce | Per-app protection | Application targeting |
| User or Group Membership | Applies policies based on user identity | Department, role, admin accounts | Protect privileged users | Directory identity |
| Guest or External User | Detects B2B guest identities | External collaboration accounts | Restrict guest access | Entra B2B signal |
| Directory Role | Detects privileged administrative roles | Global Admin, Security Admin | Stronger MFA requirements | Privileged identity signal |
| Named Locations | Uses trusted or blocked geographic/IP ranges | Corporate offices or countries | Trusted location bypass | IP and geo-location |
| Country/Region | Detects sign-in originating country | Geographic access control | Block risky countries | Geo-IP intelligence |
| GPS Location | Uses device GPS when available | Precise mobile device location | Mobile conditional access | Device location telemetry |
| Real-time Risk Evaluation | Continuously evaluates authentication risk | Live attack indicators | Dynamic session control | Continuous Access Evaluation |
| Session Risk | Evaluates ongoing user session activity | Token misuse or suspicious activity | Reauthentication enforcement | Session analytics |
| Token Protection | Detects stolen or replayed authentication tokens | Session hijacking attempts | Block token replay | Token binding/security |
| Defender for Endpoint Risk | Uses Microsoft Defender device risk score | Endpoint compromise level | Block risky devices | Defender integration |
| Defender Cloud Apps Signal | Detects risky cloud application behavior | Shadow IT or risky SaaS usage | Session monitoring | Defender for Cloud Apps |
| Insider Risk Signal | Detects risky insider activities | Data exfiltration or abnormal behavior | Restrict sensitive actions | Insider Risk Management |
| Application Sensitivity | Applies based on sensitivity labels | Confidential data access | Require stronger controls | Purview integration |
| Authentication Strength | Evaluates MFA method strength | FIDO2 vs SMS MFA | Require phishing-resistant MFA | Authentication policy |
| Network Location | Determines corporate vs public network | Trusted vs untrusted access | Apply stricter controls externally | Network intelligence |
| Continuous Access Evaluation (CAE) | Reevaluates access in near real time | User disabled, password changed, token revoked | Instant session revocation | Microsoft CAE |
| Terms of Use Acceptance | Verifies user accepted compliance/legal policies | Policy acknowledgement | Enforce compliance acceptance | Governance signal |
| Risky Workload Identity | Detects risky service principal or workload behavior | Suspicious automation/service activity | Restrict workload identities | Workload identity protection |
| Authentication Context | Applies controls to sensitive operations | Step-up authentication for specific actions | Protect critical operations | Granular access control |
| Session Lifetime Controls | Controls token/session duration | Long-running session management | Reduce persistence risk | Session governance |
| Browser Session Control | Controls download, copy, and print behavior | Data exfiltration prevention | Protect SaaS applications | Defender for Cloud Apps |
| Device Filter | Filters based on device attributes | Specific models or ownership types | BYOD restrictions | Device attribute filtering |
| Verified ID Signal | Uses decentralized identity verification | Verified identity assurance | High-assurance access | Microsoft Entra Verified ID |

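Most of the Identity Protection rows in the table above surface in the tenant as risk detections, each tagged with a riskEventType. The following added example (not code from the original post) pulls the last seven days of detections through the Microsoft Graph PowerShell SDK and summarises them by signal and risk level, with a count of how many are still unremediated, which is the view an operator wants when deciding whether the sign-in and user risk policies are actually doing work. It assumes the Microsoft.Graph module is installed, the caller holds IdentityRiskEvent.Read.All, and the tenant is P2-licensed (the endpoint returns nothing otherwise). The mapping from riskEventType values to the table's signal names covers only the types this example is certain of; any other type is shown by its raw name.

```powershell
# Added example (not from the original post): summarise Identity Protection risk
# detections from the last 7 days by signal type and risk level.
# Assumptions: Microsoft.Graph installed, IdentityRiskEvent.Read.All granted, P2 tenant.
# Date filtering is done client-side for simplicity; on a large tenant add a server-side
# $filter on activityDateTime instead of pulling everything with -All.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime()

# Graph riskEventType values mapped to the signal names used in the table above.
$signalNames = @{
    impossibleTravel         = "Impossible Travel"
    unlikelyTravel           = "Atypical Travel"
    anonymizedIPAddress      = "Anonymous IP Address"
    maliciousIPAddress       = "Malicious IP Address"
    leakedCredentials        = "Compromised Credentials"
    passwordSpray            = "Password Spray Attack"
    malwareInfectedIPAddress = "Malware Linked IP"
    suspiciousBrowser        = "Suspicious Browser Activity"
    unfamiliarFeatures       = "Unfamiliar Sign-in Properties"
    anomalousToken           = "Token Protection"
}

$detections = Get-MgRiskDetection -All |
    Where-Object { $_.ActivityDateTime -ge $since }

$summary = $detections |
    Group-Object RiskEventType, RiskLevel |
    ForEach-Object {
        # Group-Object joins the two key values as "type, level"
        $type, $level = $_.Name -split ', '
        [pscustomobject]@{
            Signal       = if ($signalNames.ContainsKey($type)) { $signalNames[$type] } else { $type }
            RiskLevel    = $level
            Count        = $_.Count
            Users        = ($_.Group.UserPrincipalName | Sort-Object -Unique).Count
            # riskState 'atRisk' means nobody and no policy has remediated or dismissed it yet
            Unremediated = ($_.Group | Where-Object RiskState -eq 'atRisk').Count
        }
    } | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
```

A high Unremediated count against "Compromised Credentials" or "Malicious IP Address" with few corresponding password resets is the classic sign that the detections exist (P2 is licensed) but no Conditional Access policy is consuming the resulting user or sign-in risk, which is exactly the gap between detection and enforcement that the rest of this page describes.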
 
