Entra Recommended Conditional Access Policies

12th May 2026

Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Entra ID > Conditional Access > Policies.
Select New policy.
Set every new policy to Report-only first. Wait a day, then choose the policy and select “View policy impact”: if you see no orange in the graph, you have created the policy correctly and you are good to turn it “ON”.
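The “View policy impact” check above can also be scripted. The following is an added example (not part of the original notes): it pulls the last 24 hours of sign-in logs through the Microsoft Graph PowerShell SDK and tallies, per policy, how each Report-only policy would have decided. The cmdlet names (`Connect-MgGraph`, `Get-MgAuditLogSignIn`) and the result values (`reportOnlySuccess`, `reportOnlyFailure`, `reportOnlyInterrupted`) are the SDK's own; the assumption is that the signed-in account holds `AuditLog.Read.All` and `Directory.Read.All`.

```powershell
# Added example: summarise Report-only Conditional Access results from the last
# 24 hours of sign-in logs. Assumes the Microsoft.Graph PowerShell SDK is installed
# and the caller can read audit logs (AuditLog.Read.All, Directory.Read.All).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$since   = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Flatten to one row per (sign-in, applied policy) so the results can be grouped.
$rows = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        [pscustomobject]@{
            Policy = $p.DisplayName
            Result = $p.Result   # reportOnlySuccess / reportOnlyFailure / reportOnlyInterrupted / success / failure / notApplied
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
        }
    }
}

# Summary: how each Report-only policy would have decided, as a count per result.
$rows | Where-Object { $_.Result -like 'reportOnly*' } |
    Group-Object Policy, Result |
    Select-Object @{ n = 'Policy'; e = { $_.Group[0].Policy } },
                  @{ n = 'Result'; e = { $_.Group[0].Result } },
                  Count |
    Sort-Object Policy, Result |
    Format-Table -AutoSize

# Detail: sign-ins a policy WOULD HAVE blocked (reportOnlyFailure) or interrupted
# (reportOnlyInterrupted, e.g. an MFA prompt). Review these before turning a policy ON;
# an empty list here is the scripted equivalent of "no orange in the graph".
$rows | Where-Object { $_.Result -in 'reportOnlyFailure', 'reportOnlyInterrupted' } |
    Sort-Object Policy, User -Unique |
    Format-Table Policy, Result, User, App -AutoSize
```

Run it the day after creating a policy; a non-empty detail list for a policy means the policy would have affected real users, so check the listed users and apps before switching it from Report-only to On.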

Name = Block LID/IoT SignIn TL
Assignments, Users, Include = All
  Exclude, Users = pick 1 admin (an account that stays excluded from every policy so you cannot lock yourself out)
Target resources, Select = Resources (formerly cloud apps),
  Include = All resources (formerly ‘All cloud apps’)
Network, Configure = Yes
  Include = Any,
  Exclude = All Trusted
Conditions, Authentication Flows, Configure = Yes
  Select Device code flow.
  Select SAVE
Grant, Grant = Block access, Select.

MFA Required to register a new Device TL

Assignments, Users, Include = All
  Exclude, Users = pick 1 admin
Target Resources,
  Select what = User actions
  Select the action = Register or join devices
Conditions, Locations, Configure = Yes
  Include = Any,
  Exclude = All Trusted
Grant = Allow,
  MFA = Y
Enable = ON

Allow OS Win,MacOS,iOS,Android TL

Users, Include = ALL
Target, Resources (formerly Cloud Apps), Include = All Resources (formerly ‘All cloud apps’)
Network, Configure = Y, Include = Any, Exclude = All Trusted (eFAX has no OS listed)
Conditions, Device Platforms, Configure = Y, Include = Any, Exclude = Android, iOS, Windows, MacOS
Grant = Block
Enable = ON

MFA Reqd for HIGH risk sign-ins TL
Users, Include = ALL
Target, Resources (formerly Cloud Apps), Include = All Resources (formerly ‘All cloud apps’)
Network, Configure = Y, Include = Any, Exclude = All Trusted (eFAX has no OS listed)
Conditions, Sign-in risk, Configure = Y, High = Y
Grant = Allow, MFA = Y
Session, Sign-in frequency = Y, Periodic reauthentication, 4 Hours
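The four policies above (block device code flow, MFA to register a device, block unsupported platforms, MFA for high-risk sign-ins) can be created from a script instead of the portal. The following is an added example, not part of the original notes: a small helper around the Graph SDK cmdlet `New-MgIdentityConditionalAccessPolicy` that always creates the policy in Report-only state (`enabledForReportingButNotEnforced`) and always adds the “pick 1 admin” exclusion, followed by the four policy bodies with the portal values mapped to their Graph equivalents. The break-glass UPN `breakglass-admin@example.com` and the `New-ReportOnlyCaPolicy` helper name are assumptions; the Graph property names and values (`All`, `AllTrusted`, `deviceCodeFlow`, `urn:user:registerdevice`, the platform names, `signInRiskLevels`, `signInFrequency`) are the API's own. The caller is assumed to hold `Policy.ReadWrite.ConditionalAccess` and `User.Read.All`.

```powershell
# Added example: create the policies described above in Report-only state via Graph.
# Assumes the Microsoft.Graph PowerShell SDK; the break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

$breakGlass = (Get-MgUser -UserId "breakglass-admin@example.com").Id   # placeholder UPN

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,   # everything except the users block
        [Parameter(Mandatory)] [string[]]  $Controls,     # 'block' or 'mfa'
        [hashtable] $Session                              # optional session controls
    )
    # Users: Include = All, Exclude = the one admin. Added here so no policy can omit it.
    $Conditions['users'] = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # Report-only; switch to 'enabled' later
        conditions    = $Conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    if ($Session) { $body['sessionControls'] = $Session }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Portal value -> Graph value:
#   Target resources: All resources (formerly All cloud apps) -> includeApplications = 'All'
#   Network: Include = Any, Exclude = All Trusted             -> includeLocations = 'All',
#                                                                excludeLocations = 'AllTrusted'
$allApps    = @{ includeApplications = @('All') }
$notTrusted = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }

# 1. Block device code flow sign-ins (Conditions > Authentication flows > Device code flow).
New-ReportOnlyCaPolicy -Name 'Block LID/IoT SignIn TL' -Controls 'block' -Conditions @{
    applications        = $allApps
    locations           = $notTrusted
    authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
}

# 2. Require MFA to register or join a device (Target resources > User actions).
New-ReportOnlyCaPolicy -Name 'MFA Required to register a new Device TL' -Controls 'mfa' -Conditions @{
    applications = @{ includeUserActions = @('urn:user:registerdevice') }
    locations    = $notTrusted
}

# 3. Block every platform except Windows, macOS, iOS and Android (Include = Any, Exclude = the four).
New-ReportOnlyCaPolicy -Name 'Allow OS Win,MacOS,iOS,Android TL' -Controls 'block' -Conditions @{
    applications = $allApps
    locations    = $notTrusted
    platforms    = @{ includePlatforms = @('all'); excludePlatforms = @('windows', 'macOS', 'iOS', 'android') }
}

# 4. Require MFA for High sign-in risk, and re-authenticate every 4 hours (Session > Sign-in frequency).
New-ReportOnlyCaPolicy -Name 'MFA Reqd for HIGH risk sign-ins TL' -Controls 'mfa' -Conditions @{
    applications     = $allApps
    locations        = $notTrusted
    signInRiskLevels = @('high')
} -Session @{
    signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 4; frequencyInterval = 'timeBased' }
}
```

The helper deliberately does not accept a `users` block: the one-admin exclusion is the control that keeps you from locking yourself out, so it is applied unconditionally rather than left to each policy definition.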

MFA Reqd for admins TL
Policy From TEMPLATE, Require multifactor authentication for admins, review & create
Edit,
Network, Configure = Y, Include = Any, Exclude = All Trusted (this allows legacy auth for printer/scanners)
Create Named locations for the countries in your continent; I like to include the 2-letter country code in the name. Mark them NOT trusted. Also create a trusted IP range named location for your office public IP (see https://www.whatsmyip.org/ to find it).

Block Logins Outside CA,US,MX
Users, Include = ALL
Target, Resources (formerly Cloud Apps), Include = All Resources (formerly ‘All cloud apps’)
Network, Configure = Y, Include = Any, Exclude = Selected, choose the country Named locations created above
Conditions, Sign-in risk, Configure = Y, High = Y
Grant = Block
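The named locations and the geo-block policy above, as an added example that is not part of the original notes, created through the Graph SDK cmdlets `New-MgIdentityConditionalAccessNamedLocation` and `New-MgIdentityConditionalAccessPolicy`. The office IP range `203.0.113.10/32` and the break-glass UPN are placeholders; the `@odata.type` values, `countriesAndRegions`, `isTrusted` and `ipRanges` are the API's own property names. Note that the policy is reproduced exactly as listed above, including the Sign-in risk = High condition, which means it applies only to high-risk sign-ins from outside the selected countries; the policy is created in Report-only state so its actual impact can be checked first.

```powershell
# Added example: named locations (countries, not trusted; office IP, trusted) and the
# geo-block policy, via Graph. Assumes Policy.ReadWrite.ConditionalAccess and User.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

# Country named location, NOT trusted. The name carries the 2-letter codes as suggested above.
$countries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'North America (CA, US, MX)'
    countriesAndRegions               = @('CA', 'US', 'MX')
    includeUnknownCountriesAndRegions = $false   # sign-ins with no resolvable country count as "outside"
}

# Trusted named location for the office public IP. This is what "All Trusted" resolves to
# in the other policies. Placeholder range; replace with the office address.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office public IP (trusted)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' }
    )
}

$breakGlass = (Get-MgUser -UserId "breakglass-admin@example.com").Id   # placeholder UPN

# Geo-block policy, Report-only, with the settings listed above (Sign-in risk = High included).
# Network: Include = Any, Exclude = Selected (the country named location just created).
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Logins Outside CA,US,MX'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications     = @{ includeApplications = @('All') }
        locations        = @{ includeLocations = @('All'); excludeLocations = @($countries.Id) }
        signInRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Echo the IDs so they can be referenced from other policies later.
[pscustomobject]@{ Countries = $countries.Id; OfficeIp = $office.Id; Policy = $policy.Id }
```

`includeUnknownCountriesAndRegions = $false` is the safer default for a block policy: a sign-in whose IP cannot be mapped to a country is then treated as outside the allowed set rather than silently allowed.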


DANGER

On Apple iOS phones using Apple Mail instead of Outlook, the authentication protocol will NOT update automatically. If the phone was originally set up long ago, it will continue to use the same insecure authentication, and the rule below will BLOCK email login. To fix this you need to: find or reset the user’s email password, delete the mail profile, then re-create the profile using the same username and password. This will force Apple Mail to use a new, secure auth protocol.

Block legacy Authentication TL
Policy From TEMPLATE, Block legacy Authentication, review & create
Edit,
Network, Configure = Y, Include = Any, Exclude = All Trusted (this allows legacy auth for printer/scanners)
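Before switching this policy from Report-only to ON, it helps to know exactly who is still signing in with legacy clients (the Apple Mail profiles from the DANGER note above show up here). The following is an added example, not part of the original notes: it reads the last 7 days of sign-ins with `Get-MgAuditLogSignIn` and lists each user, client and operating system still using a legacy authentication client, together with whether the Report-only “Block legacy Authentication” policy would have blocked them. The client names are assumed to match the portal's “Legacy Authentication Clients” filter values; the policy name match `Block legacy*` follows the template name used above. The caller is assumed to hold `AuditLog.Read.All` and `Directory.Read.All`.

```powershell
# Added example: find users still on legacy authentication clients before enforcing the block.
# Assumes the Microsoft.Graph SDK and AuditLog.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Client app names the portal groups under "Legacy Authentication Clients" (assumed spelling).
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3', 'Reporting Web Services',
    'Other clients'
)

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Select-Object UserPrincipalName, ClientAppUsed, AppDisplayName,
                  @{ n = 'OS'; e = { $_.DeviceDetail.OperatingSystem } },
                  # Result of the (Report-only) legacy auth block policy for this sign-in, if applied.
                  @{ n = 'CAResult'; e = { ($_.AppliedConditionalAccessPolicies |
                                             Where-Object DisplayName -like 'Block legacy*').Result } }

# One line per user + client + OS: how many legacy sign-ins, and whether the block would hit them.
$legacy | Group-Object UserPrincipalName, ClientAppUsed, OS |
    Select-Object Count,
                  @{ n = 'User';       e = { $_.Group[0].UserPrincipalName } },
                  @{ n = 'Client';     e = { $_.Group[0].ClientAppUsed } },
                  @{ n = 'OS';         e = { $_.Group[0].OS } },
                  @{ n = 'WouldBlock'; e = { [bool](@($_.Group.CAResult) -match '^(reportOnlyF|f)ailure$') } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Rows with an iOS operating system and an `Exchange ActiveSync` or `IMAP4` client are the Apple Mail profiles that need the delete-and-recreate fix described above; rows from printers and scanners should be coming from the trusted office location, which this policy excludes, so they should show `WouldBlock` as False.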

To Globally enable Conditional Access
Entra, Overview, Properties,
In the Security defaults section (bottom), Manage Conditional Access
It should ask you to switch from Security defaults to Conditional Access and will create 4 Microsoft-managed policies;
they can be turned off but not deleted.