{"id":4317,"date":"2026-05-12T15:08:49","date_gmt":"2026-05-12T19:08:49","guid":{"rendered":"https:\/\/increasec.com\/?p=4317"},"modified":"2026-05-26T13:17:02","modified_gmt":"2026-05-26T17:17:02","slug":"entra-disable-lid-iot-signin","status":"publish","type":"post","link":"https:\/\/increasec.com\/?p=4317","title":{"rendered":"Entra Recommended Conditional Access Policies"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.<br>Browse to Entra ID &gt; Conditional Access &gt; Policies.<br>Select New policy.<br>Set all new policies to Report-only, wait a day, choose the policy and select &#8220;View policy impact&#8221;. If you see no orange in the graph, you have created the policy correctly and you are good to turn it &#8220;ON&#8221;.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Name = <strong>Block LID\/IoT SignIn TL<\/strong><br>Assignments, Users, Include = All<br>&nbsp;&nbsp;Exclude, Users = pick 1 admin<br>Target resources, Select = Resources (formerly cloud apps),<br>&nbsp;&nbsp;Include = All resources (formerly &#8216;All cloud apps&#8217;)<br>Network, Configure = Yes<br>&nbsp;&nbsp;Include = Any,<br>&nbsp;&nbsp;Exclude = All Trusted<br>Conditions, Authentication Flows, Configure = Yes<br>&nbsp;&nbsp;Select Device code flow.<br>&nbsp;&nbsp;Select <strong>SAVE<\/strong><br>Grant, Grant = Block access.<br>&nbsp;&nbsp;Select <strong>Select<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MFA Required to register a new Device TL<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Assignments, Users, Include = All<br>&nbsp;&nbsp;Exclude, Users = pick 1 admin<br>Target Resources,<br>&nbsp;&nbsp;Select what = User actions<br>&nbsp;&nbsp;Select the action = Register or join devices<br>Conditions, Locations, Configure = Yes<br>&nbsp;&nbsp;Include = Any,<br>&nbsp;&nbsp;Exclude = All Trusted<br>Grant = Allow,<br>&nbsp;&nbsp;MFA = Y<br>Enable = ON<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"646\" height=\"457\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2026\/05\/image-4.png\" alt=\"\" class=\"wp-image-4320\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2026\/05\/image-4.png 646w, https:\/\/increasec.com\/wp-content\/uploads\/2026\/05\/image-4-300x212.png 300w\" sizes=\"auto, (max-width: 646px) 100vw, 646px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Allow OS Win,MacOS,iOS,Android TL<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Users, Include = ALL<br>Target, Resources (formerly Cloud Apps), Include = All Resources (formerly &#8216;All cloud apps&#8217;)<br>Network, Configure = Y, Include = Any, Exclude = All Trusted (eFAX has no OS listed)<br>Conditions, Device Platforms, Configure = Y, Include = Any, Exclude = Android, iOS, Windows, MacOS<br>Grant = Block<br>Enable = ON<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MFA Reqd for HIGH risk sign-ins TL<\/strong><br>Users, Include = ALL<br>Target, Resources (formerly Cloud Apps), Include = All Resources (formerly &#8216;All cloud apps&#8217;)<br>Network, Configure = Y, Include = Any, Exclude = All Trusted (eFAX has no OS listed)<br>Conditions, Sign-in risk, Configure = Y, High = Y<br>Grant = Allow, MFA = Y<br>Session, Sign-in frequency = Y, Periodic reauthentication, 4, Hours<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MFA Reqd for admins TL<\/strong><br>Policy From TEMPLATE, Require multifactor authentication for admins, review &amp; create<br>Edit,<br>Network, Configure = Y, Include = Any, Exclude = All Trusted (this allows legacy auth for printer\/scanners)<br>Create Named locations for the countries in your continent. I like to include the 2-letter abbreviation. NOT trusted. Also create a trusted IP range for your office public IP; see <a href=\"https:\/\/www.whatsmyip.org\/\">https:\/\/www.whatsmyip.org\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Block Logins Outside CA,US,MX<\/strong><br>Users, Include = ALL<br>Target, Resources (formerly Cloud Apps), Include = All Resources (formerly &#8216;All cloud apps&#8217;)<br>Network, Configure = Y, Include = Any, Exclude = Selected, choose the country Named locations created in step 1 above<br>Conditions, Sign-in risk, Configure = Y, High = Y<br>Grant = Block<\/p>\n\n\n\n<p class=\"has-large-font-size wp-block-paragraph\"><strong>DANGER<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On Apple iOS phones using Apple Mail instead of Outlook, the authentication protocols will NOT update automatically. If the phone was originally set up long ago, it will continue to use the same insecure authentication, and the rule below will <strong>BLOCK<\/strong> email login. To fix this you need to: find or reset the user&#8217;s email password, delete the mail profile, then re-create the profile using the same username and password. This will force Apple Mail to use a new, secure auth protocol.<\/p>\n\n\n\n<p class=\"has-small-font-size wp-block-paragraph\"><strong>Block legacy Authentication TL<\/strong><br>Policy From TEMPLATE, Block legacy Authentication, review &amp; create<br>Edit,<br>Network, Configure = Y, Include = Any, Exclude = All Trusted (this allows legacy auth for printer\/scanners)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To globally enable Conditional Access:<br>Entra, Overview, Properties,<br>In the Security defaults section (bottom), Manage Conditional Access.<br>It should ask you to change from Security defaults to Conditional Access and create 4 Microsoft-managed rules;<br>they can be turned off but not deleted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.Browse to Entra ID &gt; Conditional Access &gt; Policies.Select New policy.Set all new policies to 
Report-only,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[81],"class_list":["post-4317","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-microsoft"],"_links":{"self":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/4317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4317"}],"version-history":[{"count":26,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/4317\/revisions"}],"predecessor-version":[{"id":4365,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/4317\/revisions\/4365"}],"wp:attachment":[{"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}