Best Practices when using Conditional Access
1. Use for enabling MFA for more granular control
1.1. Granular control might involve setting permissions or access controls that are specific to the role, location, and actions of an individual within an IT environment, allowing for a tailored security posture that can minimize risks without hindering productivity.

2. Test by using report-only mode
2.1. Report-only mode allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. Report-only mode can help predict the number and names of users affected by common deployment initiatives. Use report-only mode to test blocking legacy authentication, requiring MFA, and implementing sign-in risk policies.

3. Exclude geographic areas from which you never expect a sign-in.

4. Require managed devices
5. Require approved client applications
5.1. Where the employee is BYOD
5.1.1. You can manage the entire device
5.1.2. Manage the data on it

6. Use the What If tool
7. Block legacy authentication protocols
8. Block access
8.1. Blocking access overrides all other assignments for a user and has the power to block your entire organization from signing on to your tenant. It can be used, for example, when you're migrating an app to Azure AD, but you aren't ready for anyone to sign in yet. You can also block certain network locations from accessing your cloud apps or block apps using legacy authentication from accessing your tenant resources.

9. Respond to potentially compromised accounts
9.1. Three default policies can be enabled: require all users to register for MFA, require a password change for users who are high-risk, and require MFA for users with medium or high sign-in risk.
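The report-only rollout described in items 2, 3, 7, 8 and 9, as an added example that is not part of the original slide: a Microsoft Graph PowerShell SDK script that creates the recommended policies in report-only mode so their impact shows up in sign-in logs before anything is enforced. The emergency-access group and the country named-location IDs are placeholders, and excluding an emergency-access group is an assumption added here, not something the slide states.

```powershell
# Added example (not from the original slide). Requires the Microsoft.Graph PowerShell SDK.
# $emergencyAccessGroupId and $blockedCountriesId are placeholders to replace with IDs from your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$emergencyAccessGroupId = "<object-id-of-emergency-access-group>"  # assumed: excluded so a bad policy cannot lock out every admin
$blockedCountriesId     = "<id-of-countryNamedLocation>"          # named location listing countries you never sign in from

# Common assignment for every policy: all users and all cloud apps, minus the emergency-access group.
$everyoneExceptBreakGlass = @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($emergencyAccessGroupId) }
    applications = @{ includeApplications = @("All") }
}

$policies = @(
    @{  # Item 7: block legacy authentication protocols (clients that cannot perform MFA)
        displayName   = "CA-ReportOnly-Block legacy authentication"
        conditions    = $everyoneExceptBreakGlass + @{ clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # Item 9: require MFA when the sign-in is rated medium or high risk
        displayName   = "CA-ReportOnly-MFA for medium and high sign-in risk"
        conditions    = $everyoneExceptBreakGlass + @{ clientAppTypes = @("all"); signInRiskLevels = @("medium", "high") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Items 3 and 8: block sign-ins from geographic areas you never expect
        displayName   = "CA-ReportOnly-Block unexpected countries"
        conditions    = $everyoneExceptBreakGlass + @{ clientAppTypes = @("all"); locations = @{ includeLocations = @($blockedCountriesId) } }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    # Item 2: report-only mode. Sign-in logs record "Report-only: Failure/Success" without enforcing the policy.
    $p.state = "enabledForReportingButNotEnforced"
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Check before flipping anything to "enabled": list every policy that is already enforcing,
# so a new block policy is reviewed against what is live rather than in isolation.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "enabledForReportingButNotEnforced" } |
    Select-Object DisplayName, State
```

After a few days of sign-in data, the report-only results in the Azure AD sign-in logs show which users each policy would have blocked or challenged; only then change a policy's state to "enabled".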
