Conditional Access offers a powerful way to enhance security by evaluating real-time signals before granting access to sensitive resources. However, it’s not without its complexities. Many organisations make critical errors when configuring these policies, leading to vulnerabilities. As Microsoft Ireland’s Security Partner of the Year, we’ve seen these mistakes arise repeatedly in our security assessments.
In this blog, we’ll walk you through five of the most common mistakes organisations make when implementing Conditional Access, and how you can avoid them.
Mistake 1: Overlooking Exclusions and Access Gaps
An issue we frequently encounter is insufficient attention paid to exclusions and access gaps. While it’s impossible to eliminate all exclusions, they should be managed meticulously. Many admins fail to apply additional policies to secure these exclusions, leading to potential security loopholes.
For example, you may have a policy that requires admins to use a compliant device. But what happens when an admin needs to access a resource that cannot meet compliance requirements, such as a server running Windows Defender vulnerability management? Excluding the admin entirely from the policy would leave a gap in your security: every sign-in by that admin, from any device and any location, would then skip the compliance check.
Instead, use layered policies to manage these exclusions securely. By implementing a supplementary policy that targets the exclusion group and allows non-compliant device access only from a trusted IP range (e.g., your office or data centre), you narrow the exposure to a known network. Additionally, you can apply Just-In-Time (JIT) access through Entra’s Privileged Identity Management (PIM), allowing admins to activate their membership in the exclusion group only for the time required, so the exclusion is in effect only while it is needed rather than permanently.
Top Tip: Always implement additional layers of security for exclusions, such as trusted IP address restrictions and Just-In-Time access.

Mistake 2: Ignoring VPNs in Location-Based Policies
Another common Conditional Access mistake occurs when location-based policies don’t account for VPN usage. It’s common to restrict access based on geographic location (e.g., limiting access to an organisation’s countries of operation), but consumer VPN services or cloud-based VPNs such as those in Azure or AWS can easily bypass these restrictions. Conditional Access evaluates only the source IP address of the sign-in against your named locations, so a VPN exit node inside an allowed country satisfies the check.
To address this, extend your policy by using Conditional Access App Control with Microsoft Defender for Cloud Apps, which lets you refine location filters, including detecting and blocking traffic that originates from VPN providers and cloud hosting providers.
Top Tip: Implement additional controls using Defender for Cloud Apps to block VPNs and cloud provider-based bypasses.
Mistake 3: Not Using Emergency Access Accounts
A significant yet often overlooked vulnerability is failing to create emergency access accounts. Conditional Access policies can inadvertently lock out all users, including administrators, if not configured correctly. Emergency access accounts serve as a failsafe, ensuring that critical administrative access is always available, even if all other accounts are locked out.
However, merely having an emergency access account is not enough. These accounts must also be protected. Prioritise enforcing stringent security measures for emergency accounts, such as requiring physical security keys (e.g., YubiKeys) for login or allowing access only via a pre-approved device. You can also protect multiple emergency access accounts with different layers of security, so that a single failure (a lost key, a broken device policy) cannot lock out all of them at once.
Top Tip: Always create and protect emergency access accounts. Consider using layered security policies specific to these accounts.
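As an added illustration (not Threatscape’s or Microsoft’s code), the following Python audits an exported set of Conditional Access policies, in the Microsoft Graph conditionalAccessPolicy shape, for the two gaps described under Mistakes 1 and 3: an exclusion group that no supplementary policy targets, and an emergency access account that an enabled policy neither targets nor excludes. All ids and account names are constructed samples, and the authentication strength id is a placeholder.

```python
# Added example (not Threatscape's tooling): audit exported Conditional Access
# policies for the two gaps discussed above. Policy dicts follow the Microsoft
# Graph conditionalAccessPolicy shape; every id and account name is constructed.
TRUSTED_LOCATION = "loc-office-and-datacentre"        # named location id (constructed)
EXCLUSION_GROUP = "grp-ca-compliant-device-exclusion"  # PIM-eligible group (constructed)
BREAK_GLASS = {"breakglass-1", "breakglass-2"}         # emergency access accounts (constructed)

POLICIES = [
    {"displayName": "Admins: require compliant device", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"],
                              "excludeGroups": [EXCLUSION_GROUP],
                              "excludeUsers": sorted(BREAK_GLASS)},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    # Supplementary layer: the exclusion group may skip device compliance,
    # but only from the trusted IP range; from anywhere else it is blocked.
    {"displayName": "Exclusion group: block outside trusted IPs", "state": "enabled",
     "conditions": {"users": {"includeGroups": [EXCLUSION_GROUP],
                              "excludeUsers": sorted(BREAK_GLASS)},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": [TRUSTED_LOCATION]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    # Dedicated break-glass policy: phishing-resistant sign-in (e.g. FIDO2 key) only.
    {"displayName": "Break-glass: require phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": sorted(BREAK_GLASS)},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",  # placeholder id, not a real strength id
                       "authenticationStrength": {"id": "<phishing-resistant-strength-id>"}}},
]

def users_of(policy):
    return policy["conditions"]["users"]

def uncovered_exclusions(policies):
    """Mistake 1: groups excluded somewhere but targeted by no enabled policy."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    excluded = {g for p in enabled for g in users_of(p).get("excludeGroups", [])}
    included = {g for p in enabled for g in users_of(p).get("includeGroups", [])}
    return excluded - included

def break_glass_gaps(policies, accounts=BREAK_GLASS):
    """Mistake 3: enabled policies that neither target nor exclude an emergency account."""
    gaps = []
    for p in (p for p in policies if p["state"] == "enabled"):
        u = users_of(p)
        gaps += [(p["displayName"], a) for a in sorted(accounts)
                 if a not in u.get("includeUsers", []) and a not in u.get("excludeUsers", [])]
    return gaps
```

Report-only policies are deliberately not counted as coverage, since they enforce nothing; run both checks against a fresh export whenever a policy is added or disabled.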

Mistake 4: Unprotected Conditional Access Groups
Conditional Access groups, particularly those that control admin access, are critical assets that must be safeguarded against tampering. Often, administrators overlook the protection of these groups, making them vulnerable to being altered by users with lower privileges, such as those with user administrator roles.
By default, security groups don’t have built-in protections against this type of tampering. To mitigate this risk, consider enabling the ‘Entra roles can be assigned to this group’ setting. This elevates the security required to modify these groups, allowing only global admins or privileged role admins to make changes. Note that this setting can only be chosen when the group is created, so an existing group has to be recreated as a role-assignable group and the policies repointed at it. Another layer of protection is administrative units (admin units), which can be used as a safety barrier to group users and restrict management access, helping to ensure only authorised personnel can make changes to these sensitive groups.
Top Tip: Protect Conditional Access groups by elevating security through role-assignable groups and administrative units.
Mistake 5: Lacking a Proper Framework
The most pervasive mistake is the absence of a structured, scalable framework for managing Conditional Access policies. Organisations often start with a small number of policies, which then grow uncontrollably, leading to a tangled web of exceptions and inconsistencies.
We recommend adopting an organised, persona-based structure, such as Conditional Access for Zero Trust. This framework breaks down policies into manageable, scalable components, allowing for persona-based security tailored to different user groups (e.g., global admins, internal users, external guests).
By structuring your policies based on specific user needs and security requirements, you can effectively manage exclusions without creating broad, overly permissive policies.
Top Tip: Use a structured Conditional Access framework to ensure scalable, manageable, and secure policy deployment.
Conditional access is deeply integrated with Microsoft Entra ID—the identity provider managing access to apps, data, and communications. Threatscape’s Conditional Access for Zero Trust (CAZT) service provides expert guidance in deploying a scalable conditional access architecture. This architecture strengthens your security posture, closes security gaps, and helps meet compliance requirements. Organisations can rely on Threatscape’s CAZT service to ensure a robust conditional access infrastructure that complies with industry standards and strengthens security.