Conditional Access Architecture for Microsoft 365
A practical Conditional Access framework for Microsoft 365 covering break-glass accounts, MFA, device compliance, location, risk, and policy testing.
Conditional Access should be designed as a framework
Ad hoc policies create gaps and lockout risk. A framework defines baseline access, admin access, risky sign-ins, device requirements, location handling, and exceptions.
Configure break-glass access first
Emergency accounts should be cloud-only, excluded from normal Conditional Access, protected with strong credentials, monitored, and tested. They exist to recover from policy mistakes.
Require MFA based on risk and role
Admins and sensitive apps need strong MFA. Users can be staged by risk, location, and device state, but every policy should have a clear enforcement goal.
Use Intune compliance where possible
Device compliance links endpoint management to identity enforcement. It lets the tenant block unmanaged or non-compliant devices from sensitive apps.
Test with personas before enforcement
Policies should be tested against admin users, standard users, mobile users, unmanaged devices, guest access, and break-glass accounts before broad rollout.
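As an added example (not code from the original page), the following Microsoft Graph PowerShell script ties the break-glass, admin MFA, device compliance and report-only testing points together: it creates the two baseline policies in report-only mode with the emergency accounts excluded, then audits every policy in the tenant for that exclusion. It assumes the Microsoft.Graph PowerShell SDK, a caller holding the Policy.ReadWrite.ConditionalAccess scope, and placeholder object IDs for the break-glass accounts.

```powershell
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder object IDs of the cloud-only emergency accounts (assumed values).
$BreakGlass = @('00000000-0000-0000-0000-000000000001',
                '00000000-0000-0000-0000-000000000002')

# Well-known directory role template IDs; confirm in your tenant with
# Get-MgDirectoryRoleTemplate before relying on them.
$PrivilegedRoles = @(
    '62e90394-69f5-4237-9190-012177145e10',  # Global Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'   # Security Administrator
)

# Report-only state: sign-in logs show what would happen, nothing is enforced yet.
$ReportOnly = 'enabledForReportingButNotEnforced'

# Policy 1: strong MFA for privileged roles on every application.
$AdminMfa = @{
    displayName   = 'CA001 Require MFA for privileged roles'
    state         = $ReportOnly
    conditions    = @{
        users          = @{ includeRoles = $PrivilegedRoles; excludeUsers = $BreakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: Intune-compliant device for all users reaching Office 365.
$CompliantDevice = @{
    displayName   = 'CA002 Require compliant device for Office 365'
    state         = $ReportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlass }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

foreach ($Policy in @($AdminMfa, $CompliantDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy | Out-Null
}

# Guard rail: flag any policy in the tenant that does not exclude the break-glass accounts.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = $BreakGlass | Where-Object { $excluded -notcontains $_ }
    if ($missing) { Write-Warning "$($p.DisplayName) does not exclude: $($missing -join ', ')" }
}
```

Review the report-only results in the sign-in logs against each persona (admin, standard, mobile, unmanaged device, guest, break-glass) before switching `state` to `enabled`.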
