Conditional Access: Identity + Device Trust
Objective of Day-10
By the end of Day-10, you will:
- Understand how Conditional Access works internally
- Design safe CA policies
- Avoid mass user lockouts
- Troubleshoot access blocks confidently
1. What Is Conditional Access?
Conditional Access (CA) is a policy engine that evaluates, at every sign-in:
- Who is signing in
- From where
- On which device
- Using which app
Then decides:
- Allow
- Require MFA
- Require compliant device
- Block
2. Signals Evaluated by Conditional Access
| Signal | Source |
|---|---|
| User identity | Entra ID |
| Device compliance | Intune |
| Location | Named locations |
| App | Cloud apps |
| Risk | Identity Protection |
Note: CA never configures or enrolls devices; it only reads signals that other services (Intune, Identity Protection, the device object in Entra ID) have already produced.
3. Where Conditional Access Lives
Steps:
- Microsoft Entra admin center
- Protection
- Conditional Access
- Policies
4. Most Common Policy: Require Compliant Device
Use case:
Only allow access from managed and compliant devices.
Steps to Create:
- Create a new CA policy and give it a descriptive name
- Assign → Users → select a pilot group (and exclude the break-glass account)
- Target resources (Cloud apps) → select the apps (e.g. Office 365)
- Conditions → (optional) device platforms, locations, client apps
- Grant → Require device to be marked as compliant
- Enable policy in Report-only first; switch it to On only after reviewing the sign-in logs
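The same policy as the portal steps above, created with Microsoft Graph PowerShell so it can be reviewed and version-controlled. This is an added example and not part of the original lesson; the two group object IDs and the policy name are placeholders you must replace, and the script assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes.

```powershell
# Added example (not from the original lesson): create the "Require compliant device"
# policy in report-only mode, scoped to a pilot group, with the break-glass group excluded.
# Assumptions: Microsoft.Graph module installed; the two group IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Placeholder object IDs: replace with your pilot group and your break-glass group.
$pilotGroupId      = "00000000-0000-0000-0000-000000000001"
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"

$policy = @{
    displayName = "CA-010 Require compliant device for Office 365 (pilot)"
    # Report-only state. Change to "enabled" only after the sign-in logs show the impact you expect.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)       # a pilot group, never "All users" on day one
            excludeGroups = @($breakGlassGroupId)  # emergency access accounts are always excluded
        }
        applications = @{
            includeApplications = @("Office365")   # the built-in Office 365 app group
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")     # "Require device to be marked as compliant"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read it back and confirm the state is still report-only before you walk away.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State
```

If the read-back shows `State` other than `enabledForReportingButNotEnforced`, stop and fix it before anything else; an enforced policy on a pilot group with an unassigned compliance policy blocks that whole group immediately.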
5. How "Require Compliant Device" Works
Flow:
- User signs in
- Entra ID authenticates the identity and identifies the device (the device must be registered, joined, or hybrid joined so Entra ID can recognise it)
- Intune has already evaluated the device against its compliance policy and written the result onto the device object in Entra ID
- CA reads that compliance state and evaluates the grant control
- Access is allowed, or blocked with error AADSTS53000 (device not compliant)
Note: A device that is not enrolled has no compliance record, so it can never satisfy this grant and is blocked. An enrolled device with no compliance policy assigned is treated according to the Intune setting "Mark devices with no compliance policy assigned as" (Not compliant by default).
6. Report-Only Mode (CRITICAL)
Never switch a new CA policy straight to On.
Best practice:
- Create the policy in Report-only
- Monitor the sign-in logs for "Report-only: Failure" results against that policy
- Check the impact: every failure should be a user or device you expected, and compliance gaps get fixed before you enforce
Note: This prevents mass outages. A policy whose report-only failures you cannot explain is not ready to enforce.
7. Sign-In Logs (Your Best Friend)
Steps:
- Microsoft Entra admin center → Monitoring & health → Sign-in logs
- Filter the list by Conditional Access status, or open a sign-in and go to its Conditional Access tab
- Check:
- Applied policies and their result (Success, Failure, Not applied, or the Report-only variants)
- Grant controls that were required, and whether the device showed as compliant and managed
- Failure reason and error code (AADSTS53000 means the compliant-device grant failed)
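Reading the same information from the sign-in logs programmatically, for both the report-only review in section 6 and the troubleshooting in section 7. This is an added example, not part of the original lesson; the policy name is a placeholder, and the script assumes the Microsoft.Graph.Reports module is installed and the admin has the AuditLog.Read.All and Directory.Read.All scopes.

```powershell
# Added example (not from the original lesson): list sign-ins that a named CA policy blocked,
# or would have blocked while in report-only, with the device and failure details for each.
# Assumptions: Microsoft.Graph.Reports installed; $policyName is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "CA-010 Require compliant device for Office 365 (pilot)"   # placeholder
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-in logs can lag several minutes behind the actual sign-in; query a window, not "now".
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName } | Select-Object -First 1
    if (-not $applied) { continue }   # the policy was not evaluated for this sign-in

    # Result is one of: success, failure, notApplied, notEnabled, reportOnlySuccess,
    # reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted, unknown.
    if ($applied.Result -notin @("failure", "reportOnlyFailure")) { continue }

    [pscustomobject]@{
        When         = $s.CreatedDateTime
        User         = $s.UserPrincipalName
        App          = $s.AppDisplayName
        PolicyResult = $applied.Result
        GrantControl = ($applied.EnforcedGrantControls -join ",")
        DeviceId     = $s.DeviceDetail.DeviceId         # empty = device not known to Entra ID
        Compliant    = $s.DeviceDetail.IsCompliant
        Managed      = $s.DeviceDetail.IsManaged
        # For reportOnlyFailure the sign-in itself succeeded, so ErrorCode is usually 0;
        # for a real block expect 53000 (AADSTS53000, device not compliant).
        ErrorCode    = $s.Status.ErrorCode
        Reason       = $s.Status.FailureReason
    }
}

# Detail first, then a per-user count so you can see who is repeatedly failing.
$hits | Sort-Object When -Descending | Format-Table -AutoSize
$hits | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run this daily while the policy is in report-only. Rows where `DeviceId` is empty are unenrolled or unregistered devices; rows with a `DeviceId` but `Compliant = False` point at a compliance policy problem on an enrolled device, which is a different fix.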
8οΈβ£ Common Admin Mistakes
β Applying CA to βAll usersβ
β No break-glass account
β No compliance policy exists
β Blocking legacy authentication
π Always exclude:
- Emergency admin account
- Service accounts
9. Break-Glass Account (Must Have)
Create at least one emergency access account (Microsoft recommends two) holding the Global Administrator role:
- Cloud-only account on the *.onmicrosoft.com domain, not synced or federated, so it still works when sync or the on-premises identity provider is down
- Strong, long password stored securely and split between custodians; current Microsoft guidance is to register a phishing-resistant method such as a FIDO2 security key kept offline rather than leave the account password-only
- No MFA enforced by Conditional Access, and excluded from every CA policy
- Every sign-in of this account should raise an alert, because in normal operation it never signs in
Note: Used only during outages, and tested on a schedule so you know it still works.
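A check for the "excluded from every CA policy" requirement above, which is the part that silently breaks as colleagues add policies over time. This is an added example, not part of the original lesson; the UPN and group ID are placeholders, and it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed.

```powershell
# Added example (not from the original lesson): find every non-disabled Conditional Access policy
# that does not exclude the break-glass account, either directly or through its group.
# Assumptions: Microsoft.Graph modules installed; the UPN and group ID below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "Group.Read.All"

$breakGlassUpn     = "breakglass01@contoso.onmicrosoft.com"   # placeholder, cloud-only account
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder, the break-glass group

$bg       = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName
$policies = Get-MgIdentityConditionalAccessPolicy -All

$gaps = foreach ($p in $policies) {
    # Disabled policies cannot lock anyone out; report-only ones are checked because
    # they are meant to be enforced later, and the exclusion must already be in place.
    if ($p.State -eq "disabled") { continue }

    $u = $p.Conditions.Users
    # Only direct listing is checked here; nested group membership is not expanded.
    $excludedDirectly = $u.ExcludeUsers  -contains $bg.Id
    $excludedViaGroup = $u.ExcludeGroups -contains $breakGlassGroupId

    if (-not ($excludedDirectly -or $excludedViaGroup)) {
        [pscustomobject]@{
            Policy   = $p.DisplayName
            State    = $p.State
            Includes = (@($u.IncludeUsers) + @($u.IncludeGroups) + @($u.IncludeRoles)) -join ","
        }
    }
}

if ($gaps) {
    "Policies that do NOT exclude $($bg.UserPrincipalName):"
    $gaps | Format-Table -AutoSize
} else {
    "Break-glass account $($bg.UserPrincipalName) is excluded from every enabled or report-only policy."
}
```

Run it from a scheduled job and treat any output as a finding. A policy targeting a Global Administrator role via `IncludeRoles` still hits the break-glass account, which is why the `Includes` column shows roles as well as users and groups.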
10. Intune + CA Best Deployment Order
1. Enroll devices
2. Apply configuration profiles and assign compliance policies
3. Monitor compliance until the pilot devices report as compliant
4. Enable CA in report-only and review the sign-in logs
5. Enforce gradually: pilot group first, then wider rings, always with the break-glass exclusion in place
11. Real-World Scenario
Issue:
User blocked from Outlook.
Reason:
The sign-in log shows the "Require compliant device" policy with result Failure and error AADSTS53000; the device details show Compliant = No because the device was never enrolled in Intune.
Fix:
Enroll the device in Intune → sync → compliance state becomes Compliant → user signs in again.
12. Zero Trust Alignment
Conditional Access supports the three Zero Trust principles:
- Verify explicitly
- Use least privilege access
- Assume breach
Note: This is Zero Trust in action.
End of Day-10 Outcome
You can now:
- Explain Conditional Access confidently
- Design safe CA policies
- Read sign-in logs like a pro
- Avoid common admin disasters
Day-11 Preview
Day-11: Security Baselines & Defender for Endpoint
- Intune security baselines
- Windows security baseline overview
- Defender for Endpoint basics
- Admin-ready security foundation
