Conditional Access Policies: Microsoft 365 Setup Guide – Step 6


Conditional Access Policies give you critical control in Microsoft 365—but a single misconfiguration can lead to serious downtime. One wrong move in your access settings could shut down your entire organization. That being said, using Conditional Access Policies as the primary means of enforcing MFA, auditing privileges, and managing onboarded and offboarded users is the most secure way to set up your Microsoft 365 tenant. In chapter 6 of our Golden Tenant Microsoft 365 Setup Guide we break down how to configure these policies the right way.

Interested in a Step-by-Step Microsoft 365 SOP Checklist?

If you’re looking to simplify and standardize your Microsoft 365 setup, our detailed Microsoft 365 SOPs offer step-by-step checklists and templates to guide you through every aspect of configuration. 

Contact us using the button below for access to these comprehensive resources designed to ensure security and efficiency in your Microsoft 365 environment.


Before you Begin: Conditional Access Pre-Requisites

Before we create the Conditional Access Policies, there are a few items that we need to verify.

Navigate to portal.azure.com and click on Microsoft Entra ID > Security > Protect > Conditional Access > Insights and reporting

If you have not configured the Azure Log Analytics Workspace, you will see an error message on this page instead of a report.

ℹ️ If you have configured the Workspace, you’ll see a reporting page with no error message. If so, skip to the next step.

Later, we will go through the process of creating the Azure Log Analytics Workspace.

1. Identify whether Security Defaults are enabled

If enabled, disable the setting first. Security Defaults and Conditional Access cannot be used together, and you will not be able to create Conditional Access policies while Security Defaults are on.

2. Identify Break Glass Administrator Accounts

⚠️ Do not proceed any further with Conditional Access Policies if no Break Glass Administrator accounts have been created. See step 3 of our guide to learn about creating Break Glass Admin accounts.

If you have not created the Break Glass Administrator account, it is essential that you perform this step now. You will need to use this account in the steps moving forward. In fact, you can be locked out of your Microsoft 365 tenant if you fail to create your Break Glass Admin accounts. Moreover, if you are a direct reseller of Microsoft 365 without a partner reseller like Pax8, you risk losing access to your tenant for 2 to 4 weeks.

3. Verify Break Glass Administrator Accounts are Working

There is nothing worse than having a Break Glass Admin account that is inaccessible. First, make sure that you have stored your FIDO keys in a safe place. Most importantly, verify that the accounts are functional and that you can use them to log into Microsoft 365. As covered in our Microsoft Security Audit article, Break Glass Admin accounts should have global admin privileges but be unlicensed. Also, we recommend that you log into Azure when you test access, because only privileged users can access that portal.

4. Configure Azure Log Analytics Workspace

Follow the instructions here to create the Log Analytics Workspace.

5. Configure Insights & Reporting

Follow the instructions here to set the Diagnostic settings.

Next, name the Diagnostic setting: 917BasicLogs

Now that you have this set up, go back to the Insights and Reporting portion of Azure. Then, you can view the workspace.

⚠️ For all the Conditional Access Policies that you create, make sure that you set them to Report Only mode. Multiple policies impact access and functionality as well as the overall login experience for end users.

The logs should begin to accumulate in the workspace. Before turning on your Conditional Access Policies, analyze their impact via the Insights & Reporting feature.

⚠️ If this is your first time using Conditional Access, we strongly recommend that you test the rollout of policies in a test tenant before deploying any settings to an organization. This is because Conditional Access Policies are extremely powerful. Consequently, if you invert a setting or enable the wrong setting, you could lock out not only yourself but your entire organization for an extended period of time.
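The checks in steps 1 to 3 above can be scripted so they run the same way on every tenant. The following is an added example using the Microsoft Graph PowerShell SDK, not a script from the guide; it assumes the Microsoft.Graph module is installed and that the Break Glass account names in $breakGlass are replaced with your own (the values shown are placeholders).

```powershell
# Added example (not part of the guide): pre-flight checks for steps 1-3.
# Assumptions: Microsoft.Graph module installed; $breakGlass holds placeholders
# for your real Break Glass UPNs; the signed-in admin can read directory roles.
Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory","User.Read.All" -NoWelcome

$breakGlass = @("bg-admin1@example.com", "bg-admin2@example.com")   # placeholders
$problems   = @()

# Step 1: Security Defaults must be OFF before any Conditional Access policy can exist
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) { $problems += "Security Defaults are enabled; disable them first." }

# Steps 2-3: each Break Glass account must exist, be enabled, hold Global
# Administrator, and carry no license (as the guide recommends)
$gaRole = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq "Global Administrator" }
$gaIds  = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object { $_.Id })

foreach ($upn in $breakGlass) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id,AccountEnabled,UserPrincipalName
    if (-not $u) { $problems += "$upn does not exist."; continue }
    if (-not $u.AccountEnabled)    { $problems += "$upn is disabled." }
    if ($gaIds -notcontains $u.Id) { $problems += "$upn is not a Global Administrator." }
    if (Get-MgUserLicenseDetail -UserId $u.Id) {
        $problems += "$upn is licensed; Break Glass accounts should be unlicensed."
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-flight failed: do not create Conditional Access policies yet."
}
Write-Host "Pre-flight passed. Still sign in interactively with each Break Glass account to prove it works."
```

The script only reads the tenant; fixing anything it reports (disabling Security Defaults, creating or licensing accounts) is still done by hand as described in the steps above.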

Configure Trusted Locations

Trusted Locations are predefined areas within your Entra tenant that your organization considers secure. They play a key role in Conditional Access policies, allowing you to grant or block access based on the location of the user.

Types of Locations:

  • Country: You can define access rules based on specific countries.
  • Trusted IP Range: You can configure policies based on IP addresses within a trusted range.

Examples of Conditional Access Policies:

  1. Block Access from Foreign Countries: You can create a policy to block access to all cloud apps for all users in your organization from any foreign country—with exceptions for Break Glass admin accounts.
  2. Block Access from Untrusted Locations: Alternatively, you can set a policy to block access to all cloud apps for all users from any untrusted location, while allowing access to Break Glass Admin accounts.

In the example of ITAR (International Traffic in Arms Regulations):

The International Traffic in Arms Regulations (ITAR) prohibits exports and sales to certain countries (22 CFR 126.1). It is the policy of the United States to deny licenses and other approvals for exports and imports of defense articles and defense services destined for or originating in certain countries.

  • General Policy: The U.S. generally denies licenses and approvals for exporting or importing defense items to or from certain countries. While there are specific exemptions, they don’t apply to these restricted countries.
  • Shipments: Defense items that are licensed or authorized for export can’t be shipped using transportation owned or operated by the restricted countries.

Identifying Prohibited Countries:

  • United Nations Sanctions: If the UN imposes sanctions, any defense-related transactions with U.S. persons or within the U.S. are prohibited.
  • State Sponsors of Terrorism: Exports to countries identified by the U.S. as sponsors of terrorism are banned.
  • Arms Embargoes and Sanctions: This policy also applies to countries under U.S. arms embargoes or sanctions.
  • Specific Countries: Certain countries are listed under ITAR where defense-related exports and services are outright denied.

Organizations that must adhere to ITAR and export-control requirements may need to block access to Microsoft 365 from the identified ITAR and export-controlled countries in order to document and demonstrate compliance.

1. Countries (United States)

First, navigate to Entra ID > Protection > Conditional Access > Named Location

  • Click + Countries Location,
  • Name this location United States,
  • Select Country and choose United States,
  • Click Create.

Repeat the same steps for each country (where travel is permitted) that you want to add to the policy. 

2. Trusted IP Range (if available)

Navigate to Entra ID > Protection > Conditional Access > Named Location

  • Click + IP Ranges Location,
  • Name this IP range something that describes the location of the range, for example City, State – HQ,
  • Select Mark as trusted location,
  • Click the + button and add the CIDR block range, for example 190.107.54.117/24

ℹ️ The format of your IP range will vary based on your Static IP block range
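The two named locations above can also be created with the Microsoft Graph PowerShell SDK, which is handy when the same locations must exist in several tenants. This is an added example, not the guide's own script; it assumes the Microsoft.Graph module is installed and uses a placeholder CIDR (203.0.113.0/24, a documentation range) that you replace with your static block.

```powershell
# Added example (not from the guide): create the "United States" country
# location and a trusted IP-range location via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; $cidr is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# 1. Country named location. Add an ISO 3166-1 alpha-2 code to the array for
#    each additional country where travel is permitted.
$country = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United States"
    countriesAndRegions               = @("US")
    # Sign-ins whose country cannot be determined are NOT treated as trusted
    includeUnknownCountriesAndRegions = $false
}

# 2. Trusted IP-range named location ("Mark as trusted location" = isTrusted)
$cidr = "203.0.113.0/24"   # placeholder documentation range, replace with yours
$ipRange = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "City, State - HQ"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $cidr }
    )
}

foreach ($body in @($country, $ipRange)) {
    # Idempotent: re-running the script must not create duplicate locations
    $existing = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$($body.displayName)'"
    if ($existing) {
        Write-Host "Named location '$($body.displayName)' already exists ($($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
    Write-Host "Created named location '$($created.DisplayName)' ($($created.Id))"
}
```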

Create Conditional Access Policies

🚩 Keep an eye out for any settings that have 🛑 or ⚠️ appended to them. These settings can have a large impact on your end-user experience, so enable them with caution.

⚠️ DO NOT TURN POLICIES ON, SET THEM IN REPORT-MODE ONLY TO REVIEW THE IMPACT OF ENABLING THE SETTING

Listed below are the 19 Conditional Access Policies we configure in our tenants. In our full version of Microsoft 365 SOPs, we break down each policy and provide a high-level impact so you can understand the effects of enabling these policies.

Note: Always exclude your Break Glass admin accounts from these policies, and always test the policies in a test environment prior to deployment. This way, you can see the impact and changes for yourself.

Within Entra > Protection > Conditional Access > Policies > + New Policy

1. BLOCK - Authentication Transfer

2. BLOCK - Device Code Flow

3. 🛑 BLOCK - Device Registration from Untrusted Locations

4. ⚠️ BLOCK - High-Risk Sign-Ins

5. ⚠️ BLOCK - High-Risk Users

6. ⚠️ BLOCK - Legacy Authentication

7. 🛑 BLOCK - Logins from Foreign Countries

8. ⚠️ BLOCK - Unsupported Device Platforms

9. 🛑 BLOCK - Untrusted Locations

10. BLOCK - All Users Access to Windows Azure Service Manager API

11. ⚠️ GRANT - Medium-Risk Sign-Ins

12. ⚠️ GRANT - Medium-Risk Users

13. GRANT - MFA for All Active Users | CIS

14. GRANT - MFA for All Active Guests

15. GRANT - MFA for All Admins | CIS

16. 🛑 GRANT - Require Compliant Mobile Devices

17. 🛑 GRANT - Require Compliant Windows Devices

18. GRANT - Terms of Use

19. 🛑 SESSION - Periodic Reauthentication on BYOD Devices

Policy JSON Templates

To streamline this process, we have created .json templates that you can easily plug into PowerShell and automate. You may need to modify the groups and locations within the template to align with those in your tenant. Additionally, once you personalize the information, you can extract a migration table to use for future tenants you may have.
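As an added illustration of the template approach (this is not the guide's own template or script), the following PowerShell 7 snippet takes a constructed JSON template for policy 7, BLOCK - Logins from Foreign Countries, replaces its placeholders from a small migration table looked up in the current tenant, forces the policy into report-only mode, and refuses to create it unless the Break Glass group is excluded. It assumes the Microsoft.Graph module, a group named "Break Glass Admins" that contains the emergency accounts, and the "United States" named location from the Trusted Locations step; the placeholder names are ours.

```powershell
# Added example (not the guide's template): deploy a Conditional Access policy
# from a JSON template with tenant-specific placeholders, always report-only.
# Assumptions: PowerShell 7 (ConvertFrom-Json -AsHashtable), Microsoft.Graph
# module, group "Break Glass Admins", named location "United States".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

# Constructed template for "7. BLOCK - Logins from Foreign Countries"
$template = @'
{
  "displayName": "BLOCK - Logins from Foreign Countries",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["All"] },
    "users": { "includeUsers": ["All"], "excludeGroups": ["{{BREAKGLASS_GROUP_ID}}"] },
    "locations": { "includeLocations": ["All"], "excludeLocations": ["{{US_LOCATION_ID}}"] }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["block"] }
}
'@

# Migration table: placeholder -> object id in THIS tenant
$bg  = Get-MgGroup -Filter "displayName eq 'Break Glass Admins'"
$loc = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'United States'"
if (-not $bg -or -not $loc) { throw "Break Glass group or 'United States' named location not found; create them first." }
$map = @{ "{{BREAKGLASS_GROUP_ID}}" = $bg.Id; "{{US_LOCATION_ID}}" = $loc.Id }
foreach ($k in $map.Keys) { $template = $template.Replace($k, $map[$k]) }

$policy = $template | ConvertFrom-Json -AsHashtable

# Guard 1: whatever the template says, new policies start in report-only mode
$policy.state = "enabledForReportingButNotEnforced"

# Guard 2: a block policy without a Break Glass exclusion can lock out the tenant
if ($policy.conditions.users.excludeGroups -notcontains $bg.Id) {
    throw "Refusing to create '$($policy.displayName)': Break Glass group is not excluded."
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' in state $($created.State) (id $($created.Id))"
```

Review the policy's effect in Insights & Reporting before switching its state to enabled; the script never does that for you.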

Contact us now to receive your very own Conditional Access Template!

The Complete Guide to Microsoft 365

Want full access to the ultimate Microsoft 365 deployment & security cheatsheet? Purchase our complete Golden Tenant now to get detailed instructions, in-depth explanations, and even personalized Microsoft consulting. Have peace of mind with the security of your Microsoft suite by using our CIS-compliant SOPs. 
