
Deploying Microsoft Conditional Access Policies using the 365 Admin Console



Welcome to the first part in a series on Conditional Access Policies, where I'll go over the various options available to you, ranging from deployment capabilities to policy types and more.


Did you know there's an option to deploy a set of pre-configured Conditional Access Policies using the 365 Admin console?


To be absolutely transparent, these are the same pre-configured policies available within the Azure / Entra Portals, but Microsoft have introduced a centralised platform to call out other deployment guides, such as setting up Microsoft 365 Copilot, Microsoft Purview and Viva Learning, amongst others.


So let's get started.


IMPORTANT!

  1. BEFORE YOU DO ANYTHING, PLEASE ENSURE YOU HAVE A "BREAK GLASS GLOBAL ADMINISTRATOR" ACCOUNT SET UP AND EXCLUDED FROM ANY POLICIES.

  2. ALWAYS SET NEW POLICIES TO "REPORT ONLY" TO AVOID ACCIDENTAL LOCKOUT.

  3. I TAKE NO RESPONSIBILITY FOR PROBLEMS CAUSED BY THESE DEPLOYMENTS, SO PLEASE GO EASY.


NOTE: The account you use to set these policies up is automatically excluded from them, so I highly recommend using a Global Admin account. Once completed you can swap that account out of the exclusions with your Break Glass accounts.


Step 1

Log on to the 365 Admin Portal using https://admin.microsoft.com and click on Setup.


On the right-hand side of the screen, scroll down to the "Sign-in and Security" section and click on "Deploy Conditional Access (CA) Policy Templates".


Step 2

The next screen will provide useful information about Conditional Access, so if you're new to these, please have a read through.


Once you're ready to proceed, click "Get Started".


Step 3

This screen provides information on the types of pre-configured templates available by category. You can also review any existing policies that are in-place if needed.


Microsoft provide some great guidance here too on the best practices for creating a Break Glass account, so if you haven't set one up, PLEASE DO IT NOW!!



The template categories available are:


  • Secure Foundation

    • Require multifactor authentication for admins

    • Securing security info registration

    • Block legacy authentication

    • Require multifactor authentication for all users

    • Require multifactor authentication for Azure Management

    • Require compliant or hybrid Azure AD joined device or multifactor authentication for all users

  • Zero Trust

    • Require multifactor authentication for admins

    • Securing security info registration

    • Block legacy authentication

    • Require multifactor authentication for all users

    • Require multifactor authentication for guest access

    • Require multifactor authentication for Azure Management

  • Protected Administrator

    • Require multifactor authentication for admins

    • Block legacy authentication

    • Require multifactor authentication for Azure Management

    • Require compliant or hybrid Azure AD joined device or multifactor authentication for all admins

    • Require phishing-resistant multifactor authentication for admins

    • Require multifactor authentication for Microsoft admin portals

  • Remote Work

    • Securing security info registration

    • Block legacy authentication

    • Require multifactor authentication for all users

    • Require multifactor authentication for guest access

    • Require multifactor authentication for risky sign-ins

    • Require multifactor authentication for high-risk users

  • Emerging Threats

    • Require phishing-resistant multifactor authentication for admins


You can see each one by selecting it from the drop-down menu and clicking "Review category definitions".

Step 4

For this example, I'm going to deploy the "Secure Foundation" template from the drop-down and then click Next.

Step 5

This is where you can enable each of the policies individually and set their state (ON, Report-only, Off).

PLEASE PLEASE set them all to Report-only during initial deployment.


In the example shown below, I've enabled all the policies and set their state to Report-only.


Once you're happy, click Next.



Step 6

Here you'll need to select the authentication methods you want to enforce unless they've been previously selected within the Azure / Entra portals. As you can see in my example, I've already set them beforehand, so they're greyed out.


Click Next to proceed.


Step 7

Time to review and double check all of the options you've selected before deployment.


Once you've had a read through and are happy with your selection, click "Save configuration" to deploy the new Conditional Access Policies.


Step 8

Congratulations, you've deployed your first set of CA policies!!!


New Policies

Time to check out your new policies either through the Entra or Azure portal.


For this example I'm using the Azure portal (old habits die hard).


You can see all of the policies we just deployed with the addition of "blocked countries" that I configured separately. All of the policy states are in Report-only with the exception of "Require multifactor authentication for admins" which I modified shortly afterwards. The great thing is you can also see the date and time of that modification.


Don't Forget!!


  1. WHENEVER YOU DEPLOY A NEW CA POLICY, SET IT TO REPORT-ONLY FIRST, THEN MONITOR IT OVER THE COMING DAYS FOR ACTIVITY

  2. ALWAYS ALWAYS EXCLUDE BREAK GLASS ACCOUNTS FROM YOUR CA POLICIES TO AVOID ACCIDENTAL LOCKOUT. THESE ARE ALSO USED IN THE EVENT OF A SECURITY INCIDENT. (SOUNDS LIKE ANOTHER BLOG POST IS NEEDED!)
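Rather than eyeballing the portal for the two rules above (and the policy list and modification times from the "New Policies" section), here is an added example, not from the original post, that pulls every CA policy through the Microsoft Graph PowerShell SDK and flags any that is not Report-only or does not exclude your break-glass accounts. It assumes the Microsoft.Graph module is installed, and the object IDs below are placeholders for your own break-glass users and (optionally) the group that holds them.

```powershell
# Added example, not from the original post: audit CA policies for the
# Report-only and break-glass-exclusion rules. Assumes the Microsoft.Graph
# PowerShell SDK; IDs below are placeholders, substitute your own.
Connect-MgGraph -Scopes "Policy.Read.All"

$BreakGlassUserIds = @(
    "00000000-0000-0000-0000-000000000001",  # placeholder: break-glass user 1
    "00000000-0000-0000-0000-000000000002"   # placeholder: break-glass user 2
)
# Placeholder for a group containing the break-glass accounts, or $null if unused
$BreakGlassGroupId = "00000000-0000-0000-0000-0000000000aa"

Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    # Exclusions are stored as object IDs, not display names
    $excludedUsers  = @($_.Conditions.Users.ExcludeUsers)
    $excludedGroups = @($_.Conditions.Users.ExcludeGroups)

    # Exclusion is satisfied either per user or via the break-glass group
    $viaGroup = $BreakGlassGroupId -and ($BreakGlassGroupId -in $excludedGroups)
    $missing  = @($BreakGlassUserIds | Where-Object { $_ -notin $excludedUsers })
    $excluded = $viaGroup -or ($missing.Count -eq 0)

    [pscustomobject]@{
        Policy             = $_.DisplayName
        # Graph state values: enabled | disabled | enabledForReportingButNotEnforced
        State              = $_.State
        Modified           = $_.ModifiedDateTime
        ReportOnly         = ($_.State -eq 'enabledForReportingButNotEnforced')
        BreakGlassExcluded = [bool]$excluded
    }
} | Sort-Object BreakGlassExcluded, ReportOnly | Format-Table -AutoSize
```

Any row showing BreakGlassExcluded = False or ReportOnly = False is one to fix before you leave the policies running; the Modified column is the same timestamp the portal shows after an edit.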


Stay tuned, there will be more in-depth posts coming. If you find this sort of content useful, please give it a like or drop me a message on LinkedIn :)

© 2024 Security Ninja Ltd. All Rights Reserved.
