How to Set Up Secure Intune Conditional Access Policies

Before configuring any Conditional Access policies, you need break-glass accounts to prevent lockouts. These accounts bypass all Conditional Access policies and provide emergency administrative access.

Navigate to the Microsoft Entra admin center at https://entra.microsoft.com and go to Identity > Users > All users.

Click New user and create two dedicated accounts:

Account 1: emergency-access-1@yourdomain.com
Account 2: emergency-access-2@yourdomain.com

Generate strong passwords (minimum 16 characters) and store them in a secure physical location separate from digital storage. Assign Global Administrator roles to both accounts.

Create a security group for these accounts:

Name: Emergency Access Accounts
Type: Security
Members: Both emergency accounts

Conditional Access relies on device compliance status. You need working compliance policies before creating Conditional Access rules.

Open the Microsoft Intune admin center at https://intune.microsoft.com and navigate to Endpoint security > Device compliance > Policies.

Click Create policy and select your platform (Windows 10/11 for this example):

{
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordComplexity": "required",
  "deviceSecurityEncryption": true,
  "firewallEnabled": true,
  "osMinimumVersion": "10.0.19041",
  "defenderEnabled": true
}

Configure these essential requirements:

• Password: Minimum 8 characters with complexity
• Encryption: BitLocker enabled
• Firewall: Windows Defender Firewall active
• OS Version: Windows 10 build 19041 or later
• Antimalware: Windows Defender running

Set Actions for noncompliance to mark device as noncompliant immediately. Assign the policy to your device groups.

This is your foundational policy requiring compliant devices for corporate resource access. Navigate to Protection > Conditional Access > Policies in the Microsoft Entra admin center.

Click New policy and configure:

Policy Name: Require Compliant Device for Corporate Apps

Assignments - Users:

Include: All users
Exclude: Emergency Access Accounts group

Assignments - Cloud apps:

Include: All cloud apps
(Alternative: Select specific apps like Office 365, SharePoint)

Conditions - Device platforms:

Configure: Yes
Include: Windows, macOS, iOS, Android

Access Controls - Grant:

Grant access: Selected
✓ Require device to be marked as compliant
✓ Require multifactor authentication
Require all selected controls: Selected

Click Create to save the policy.

If you have Azure AD Premium P2 licenses, create risk-based policies to block suspicious sign-ins. This requires Identity Protection features.

Create a new Conditional Access policy with these settings:

Policy Name: Block High-Risk Sign-Ins

Assignments - Users:

Include: All users
Exclude: Emergency Access Accounts

Assignments - Cloud apps:

Include: All cloud apps

Conditions - Sign-in risk:

Configure: Yes
Select risk levels: Medium, High

Access Controls - Grant:

Grant access: Selected
✓ Require multifactor authentication
✓ Require password change
Require all selected controls: Selected

This policy triggers when Microsoft's machine learning detects risky sign-in patterns like:

• Impossible travel (sign-ins from distant locations)
• Anonymous IP addresses (Tor, VPN)
• Unfamiliar sign-in properties
• Malware-linked IP addresses

Before enabling enforcement, thoroughly test your policies using Microsoft's What If simulation tool. Navigate to Conditional Access > What If.

Test Scenario 1 - Compliant Device:

User: test-user@yourdomain.com
Cloud app: Office 365
Device platform: Windows
Device state: Compliant
IP address: Corporate network IP
Expected: Grant access

Test Scenario 2 - Non-Compliant Device:

User: test-user@yourdomain.com
Cloud app: Office 365
Device platform: iOS
Device state: Non-compliant
IP address: External IP
Expected: Block access or require MFA

Test Scenario 3 - Emergency Account:

User: emergency-access-1@yourdomain.com
Cloud app: Any
Device state: Any
Expected: Always grant (excluded from policies)

Run each scenario and verify the results match your expectations. The tool shows which policies would apply and what actions would be taken.

With policies in report-only mode, monitor their impact for at least one week. Navigate to Monitoring > Sign-in logs in the Microsoft Entra admin center.

Filter the logs to focus on your policies:

Filter options:
- Conditional Access: Select your policy names
- Status: All
- Date range: Last 7 days

Look for these key indicators:

• Report-only entries: Shows what would have happened
• Blocked users: Legitimate users who would be affected
• MFA prompts: Additional authentication requirements
• Compliance issues: Devices marked non-compliant

Export the data for analysis:

# PowerShell to export sign-in logs
Connect-MgGraph -Scopes "AuditLog.Read.All"

$logs = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2026-03-12" -All
$logs | Where-Object {$_.ConditionalAccessStatus -eq "reportOnlyInterrupted"} | Export-Csv "ca-impact.csv"

Review the exported data to identify:

• Users who would be blocked inappropriately
• Devices that need compliance remediation
• Applications requiring policy adjustments

After monitoring and addressing any issues found during the report-only phase, enable policy enforcement. Return to Conditional Access > Policies.

For each policy you want to enable:

1. Click the policy name
2. Click Edit
3. Change Enable policy from Report-only to On
4. Click Save

Enable policies in this recommended order:

1. Device compliance policy (lowest risk)
2. Location-based policies (if configured)
3. Risk-based policies (highest impact)

Use PowerShell for bulk policy enablement:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Get policies in report-only mode
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object {$_.State -eq "enabledForReportingButNotEnforced"}

# Enable each policy (review list first!)
foreach ($policy in $policies) {
    Write-Host "Enabling policy: $($policy.DisplayName)"
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"
}

Implement continuous monitoring to detect policy issues and security events. Configure alerts for critical scenarios.

Create Azure Monitor Workbook for Conditional Access:

Navigate to Azure Monitor > Workbooks > New and add these queries:

// Failed sign-ins due to Conditional Access
SigninLogs
| where TimeGenerated > ago(24h)
| where ConditionalAccessStatus == "failure"
| summarize count() by UserPrincipalName, AppDisplayName, ConditionalAccessPolicies
| order by count_ desc

// Emergency account usage (should be rare)
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName contains "emergency-access"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, RiskLevelDuringSignIn

Configure Alert Rules:

In Azure Monitor > Alerts, create these critical alerts:

{
  "alertName": "Emergency Account Usage",
  "condition": "SigninLogs | where UserPrincipalName contains 'emergency-access'",
  "threshold": "Any usage",
  "action": "Email security team immediately"
}

{
  "alertName": "High Volume CA Blocks",
  "condition": "ConditionalAccessStatus == 'failure'",
  "threshold": ">50 failures in 1 hour",
  "action": "Email IT operations team"
}

Weekly Review Process:

• Review sign-in logs for unusual patterns
• Check device compliance rates
• Verify emergency accounts remain functional
• Update policies based on new threats