Microsoft Azure — Conditional Access & MFA
Conditional Access policies, MFA, signal-based access controls, session controls, and risk-based policies..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Azure subscription with Azure AD P1 or P2 license, Global Administrator access, PowerShell 7+ with Microsoft Graph module (Install-Module Microsoft.Graph), basic understanding of Azure AD and identity concepts, familiarity with JSON and PowerShell scripting.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers conditional access & mfa with production-ready configurations, best practices, and hands-on examples.
Why Conditional Access and MFA Are Non-Negotiable
In modern identity security, Conditional Access (CA) and Multi-Factor Authentication (MFA) form the backbone of Zero Trust architecture. Without them, a single compromised password can lead to lateral movement and data exfiltration. Azure AD Conditional Access evaluates signals—user, device, location, app, risk—to enforce policies like requiring MFA, blocking access from untrusted networks, or limiting session duration. MFA alone is insufficient; attackers bypass it via token theft, session replay, or social engineering. CA policies add context: require MFA only when risk is high, or block legacy authentication protocols that don't support MFA. Production environments must enforce CA policies globally, with break-glass accounts excluded via named locations. The cost of not implementing CA is measured in breach response hours and regulatory fines.
Planning Your Conditional Access Policy Hierarchy
CA policies are evaluated in order of priority, but all applicable policies are enforced. Design a hierarchy: start with baseline policies (block legacy auth, require MFA for admins), then add risk-based policies (require MFA for medium+ sign-in risk), then location-based (block non-compliant countries). Use 'Report-only' mode to test policies before enabling them. Avoid overlapping conditions that cause conflicts—e.g., two policies targeting the same app with different grant controls. Use 'Exclude' sparingly; prefer 'Include' with specific groups. Production tip: create a 'CA Emergency Access' group with break-glass accounts excluded from all policies. Monitor sign-in logs for policy failures using Azure Monitor workbooks.
Configuring MFA Registration and Authentication Strengths
Azure AD MFA supports phone call, text, OATH tokens, Microsoft Authenticator, and FIDO2 security keys. Authentication Strength allows you to require specific methods—e.g., passwordless (FIDO2) for admins, phone for standard users. Enforce combined registration: users register MFA and SSPR in one flow. Use 'Require reauthentication every X hours' to limit session tokens. Production reality: SMS is vulnerable to SIM swapping; prefer Authenticator or FIDO2. Configure 'Number matching' in Authenticator to prevent MFA fatigue attacks. Monitor MFA registration status via the 'Registration campaign' feature to nudge unregistered users.
Implementing Risk-Based Conditional Access with Identity Protection
Azure AD Identity Protection detects sign-in risk (anonymous IP, atypical travel, leaked credentials) and user risk (compromised account). Integrate with CA to auto-remediate: require MFA for medium+ sign-in risk, block high risk. Configure risk policies in Identity Protection first, then reference them in CA. Production tip: set user risk policy to 'Block access' for high risk, but allow self-service password reset (SSPR) to reduce friction. Monitor risk detections via the Identity Protection dashboard. Real failure: a policy requiring MFA for medium risk but not blocking high risk led to a breach where attacker used a compromised session token.
Session Controls: Limiting Token Lifetime and App Enforced Restrictions
CA session controls let you enforce sign-in frequency, persistent browser session, and app-enforced restrictions (e.g., require compliant device). Set sign-in frequency to 1 hour for high-risk apps, 24 hours for low-risk. Use 'Persistent browser session' to prevent token reuse across browser restarts. For cloud apps, use 'Use app-enforced restrictions' to let apps like SharePoint enforce download restrictions. Production insight: long token lifetimes (default 90 days) are a security risk. Shorten to 8 hours for critical apps. Monitor token issuance via Azure AD sign-in logs.
Blocking Legacy Authentication and Deprecated Protocols
Legacy authentication protocols (POP, IMAP, SMTP, ActiveSync) don't support MFA, making them a prime vector for password spray attacks. Create a CA policy to block all legacy auth for all users. Use the 'Client apps' condition: select 'Exchange ActiveSync' and 'Other clients'. Exclude service accounts that still need legacy auth, but migrate them to Modern Auth as soon as possible. Production tip: enable 'Security defaults' for small tenants, but for enterprises, create a dedicated policy. Monitor legacy auth attempts via Azure AD sign-in logs with filter 'Client app - Legacy Authentication'. Real failure: a company blocked legacy auth but forgot to exclude their on-premises mail flow connector—email delivery broke.
Location-Based Policies: Named Locations and Trusted IPs
Named locations in Azure AD allow you to define trusted IP ranges (corporate offices) or block countries. Use CA policies to require MFA when accessing from untrusted locations, or block access from high-risk countries. Configure named locations with IPv4/IPv6 CIDR ranges. Production tip: use 'Mark as trusted location' for corporate IPs, but don't rely solely on IP—VPNs can spoof. Combine with device compliance. Real failure: a company blocked all non-US traffic, but their remote employees used VPNs with US exit points—policy didn't apply. Use 'Country' condition instead of IP ranges for geopolitical blocking.
Device Compliance and Hybrid Azure AD Join Integration
CA policies can require devices to be marked as compliant (Intune) or Hybrid Azure AD joined. This ensures only managed devices access corporate resources. Configure device compliance policies in Intune (require BitLocker, antivirus, OS version). Then create a CA policy: 'Require device to be marked as compliant'. Production tip: for BYOD, use 'Require approved client app' and 'Require app protection policy' instead of device compliance. Real failure: a company required Hybrid Azure AD join for all users, but contractors had unmanaged devices—they were locked out. Use separate policies for different user groups.
Monitoring, Reporting, and Incident Response with CA Logs
Azure AD sign-in logs contain CA policy evaluation details: which policies applied, grant controls, and session controls. Use Azure Monitor workbooks to visualize CA impact. Set up alerts for 'CA policy failure' or 'Blocked sign-in' using Log Analytics queries. Production tip: export logs to a SIEM (Sentinel) for correlation. Real failure: a misconfigured CA policy blocked all users silently—no one noticed for 2 hours because alerts weren't configured. Create a 'CA health' dashboard with KQL queries. Monitor 'What If' tool to test policies before deployment.
Testing and Rollback Strategies for CA Policies
Never deploy CA policies directly to production. Use a phased approach: 1) Report-only mode for 7 days, 2) Enable for a pilot group, 3) Gradual rollout to all users. Use the 'What If' tool to simulate policy effects. Create a rollback plan: disable the policy or move users to an exclusion group. Production tip: maintain a 'CA Emergency Access' group with no policies applied. Document each policy's purpose and expected impact. Real failure: a policy requiring MFA for all users was enabled globally, but the MFA service had an outage—all users locked out. Rollback took 10 minutes because the policy was well-documented.
Advanced Scenarios: Continuous Access Evaluation and Token Protection
Continuous Access Evaluation (CAE) is a Microsoft Entra feature that revokes tokens in real time when a user's risk changes or device is marked non-compliant. Enable CAE for critical apps (Exchange, SharePoint, Teams). Token Protection (coming soon) binds tokens to the device via cryptographically bound tokens. Production tip: CAE requires app support—most Microsoft apps support it, but third-party apps may not. Test CAE with a pilot group. Real failure: without CAE, a revoked user's token remained valid for up to 1 hour. With CAE, revocation is near-instant.
Putting It All Together: A Production-Ready CA and MFA Architecture
A production-ready architecture includes: 1) Baseline policies: block legacy auth, require MFA for admins, require MFA for all users (with break-glass exclusion). 2) Risk-based policies: require MFA for medium+ sign-in risk, block high user risk. 3) Location-based: block high-risk countries, require MFA for non-trusted locations. 4) Device-based: require compliant device for corporate apps. 5) Session controls: sign-in frequency 4 hours, persistent browser never. 6) CAE enabled for supported apps. 7) Monitoring: Log Analytics alerts for policy failures. 8) Rollback: documented disable scripts. Production insight: this architecture stopped a real-world attack where an attacker used a stolen token from a non-compliant device—blocked by device compliance policy.
| File | Command / Code | Purpose |
|---|---|---|
| Get-ConditionalAccessPolicies.ps1 | Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" | Why Conditional Access and MFA Are Non-Negotiable |
| New-ConditionalAccessPolicy.ps1 | $params = @{ | Planning Your Conditional Access Policy Hierarchy |
| Get-MFAStatus.ps1 | Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" | Configuring MFA Registration and Authentication Strengths |
| Get-RiskDetections.ps1 | Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All" | Implementing Risk-Based Conditional Access with Identity Pro |
| session-controls-policy.json | { | Session Controls |
| Block-LegacyAuth.ps1 | $params = @{ | Blocking Legacy Authentication and Deprecated Protocols |
| New-NamedLocation.ps1 | $params = @{ | Location-Based Policies |
| device-compliance-policy.json | { | Device Compliance and Hybrid Azure AD Join Integration |
| CA-Failures.kql | SigninLogs | Monitoring, Reporting, and Incident Response with CA Logs |
| Disable-CAPolicy.ps1 | $policyId = "00000000-0000-0000-0000-000000000004" | Testing and Rollback Strategies for CA Policies |
| Enable-CAE.ps1 | Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" | Advanced Scenarios |
| production-architecture.json | { | Putting It All Together |
Key takeaways
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Azure. Mark it forged?
4 min read · try the examples if you haven't