ANAVEM
EnglishFrancais
ANAVEM
Languagefr
How to Set Up Secure Intune Conditional Access Policies

How to Set Up Secure Intune Conditional Access Policies

Configure Microsoft Intune Conditional Access policies to protect organizational resources with device compliance, risk-based controls, and emergency access safeguards.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
March 19, 2026 15 min 0
mediumconditional-access 8 steps 15 min

Why Implement Secure Conditional Access Policies?

Microsoft Intune Conditional Access policies serve as your organization's digital security checkpoint, controlling who can access corporate resources and under what conditions. With the rise of remote work and BYOD policies, traditional perimeter-based security models have become insufficient. Conditional Access provides a modern, risk-based approach to access control that adapts to user behavior, device compliance, and threat intelligence.

What Makes Conditional Access Policies Secure in 2026?

Recent security research has exposed vulnerabilities in poorly configured Conditional Access implementations, particularly around device compliance bypasses and emergency access procedures. The 2026 security landscape demands enhanced monitoring, proper emergency access controls, and integration with Microsoft's Continuous Access Evaluation (CAE) engine for real-time policy enforcement.

This tutorial addresses these challenges by implementing defense-in-depth strategies, including device compliance verification, risk-based authentication, and comprehensive monitoring. You'll learn to configure policies that protect against both external threats and insider risks while maintaining user productivity.

What Will You Achieve?

By following this guide, you'll establish a robust Conditional Access framework that requires device compliance for corporate resource access, implements risk-based controls for suspicious sign-ins, and maintains emergency access procedures. The configuration includes proper testing methodologies, monitoring dashboards, and alert systems to ensure ongoing security effectiveness without disrupting legitimate business operations.

Related: How to Enable Tamper Protection for Your Organization Using

Related: Block USB Drives Using Microsoft Intune Attack Surface

Related: How to Fix Secure Boot Certificate Expiry Error 65000 in

Related: Set Up Windows LAPS with Microsoft Intune for Enhanced

Implementation Guide

Full Procedure

01

Create Emergency Access Accounts

Before configuring any Conditional Access policies, you need break-glass accounts to prevent lockouts. These accounts bypass all Conditional Access policies and provide emergency administrative access.

Navigate to the Microsoft Entra admin center at https://entra.microsoft.com and go to Identity > Users > All users.

Click New user and create two dedicated accounts:

Account 1: emergency-access-1@yourdomain.com
Account 2: emergency-access-2@yourdomain.com

Generate strong passwords (minimum 16 characters) and store them in a secure physical location separate from digital storage. Assign Global Administrator roles to both accounts.

Critical: Do NOT enable MFA on emergency accounts. They must bypass all authentication requirements.

Create a security group for these accounts:

Name: Emergency Access Accounts
Type: Security
Members: Both emergency accounts

Verification: Sign in with one emergency account to confirm access works before proceeding.

02

Configure Intune Device Compliance Policies

Conditional Access relies on device compliance status. You need working compliance policies before creating Conditional Access rules.

Open the Microsoft Intune admin center at https://intune.microsoft.com and navigate to Endpoint security > Device compliance > Policies.

Click Create policy and select your platform (Windows 10/11 for this example):

{
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordComplexity": "required",
  "deviceSecurityEncryption": true,
  "firewallEnabled": true,
  "osMinimumVersion": "10.0.19041",
  "defenderEnabled": true
}

Configure these essential requirements:

  • Password: Minimum 8 characters with complexity
  • Encryption: BitLocker enabled
  • Firewall: Windows Defender Firewall active
  • OS Version: Windows 10 build 19041 or later
  • Antimalware: Windows Defender running

Set Actions for noncompliance to mark device as noncompliant immediately. Assign the policy to your device groups.

Pro tip: Create separate compliance policies for each platform (Windows, iOS, Android, macOS) with platform-specific requirements.

Verification: Check a test device shows as compliant in Devices > All devices after policy assignment.

03

Create Device Compliance Conditional Access Policy

This is your foundational policy requiring compliant devices for corporate resource access. Navigate to Protection > Conditional Access > Policies in the Microsoft Entra admin center.

Click New policy and configure:

Policy Name: Require Compliant Device for Corporate Apps

Assignments - Users:

Include: All users
Exclude: Emergency Access Accounts group

Assignments - Cloud apps:

Include: All cloud apps
(Alternative: Select specific apps like Office 365, SharePoint)

Conditions - Device platforms:

Configure: Yes
Include: Windows, macOS, iOS, Android

Access Controls - Grant:

Grant access: Selected
✓ Require device to be marked as compliant
✓ Require multifactor authentication
Require all selected controls: Selected
Critical: Set Enable policy to Report-only initially. Monitor for 7-14 days before enabling enforcement.

Click Create to save the policy.

Verification: Use the What If tool to test policy impact with different user/device scenarios before enabling.

04

Configure Sign-In Risk Policy (Premium P2)

If you have Azure AD Premium P2 licenses, create risk-based policies to block suspicious sign-ins. This requires Identity Protection features.

Create a new Conditional Access policy with these settings:

Policy Name: Block High-Risk Sign-Ins

Assignments - Users:

Include: All users
Exclude: Emergency Access Accounts

Assignments - Cloud apps:

Include: All cloud apps

Conditions - Sign-in risk:

Configure: Yes
Select risk levels: Medium, High

Access Controls - Grant:

Grant access: Selected
✓ Require multifactor authentication
✓ Require password change
Require all selected controls: Selected

This policy triggers when Microsoft's machine learning detects risky sign-in patterns like:

  • Impossible travel (sign-ins from distant locations)
  • Anonymous IP addresses (Tor, VPN)
  • Unfamiliar sign-in properties
  • Malware-linked IP addresses

Verification: Test with a VPN connection from an unusual location to trigger risk detection (use a test account).

05

Test Policies with What If Tool

Before enabling enforcement, thoroughly test your policies using Microsoft's What If simulation tool. Navigate to Conditional Access > What If.

Test Scenario 1 - Compliant Device:

User: test-user@yourdomain.com
Cloud app: Office 365
Device platform: Windows
Device state: Compliant
IP address: Corporate network IP
Expected: Grant access

Test Scenario 2 - Non-Compliant Device:

User: test-user@yourdomain.com
Cloud app: Office 365
Device platform: iOS
Device state: Non-compliant
IP address: External IP
Expected: Block access or require MFA

Test Scenario 3 - Emergency Account:

User: emergency-access-1@yourdomain.com
Cloud app: Any
Device state: Any
Expected: Always grant (excluded from policies)

Run each scenario and verify the results match your expectations. The tool shows which policies would apply and what actions would be taken.

Pro tip: Test edge cases like users signing in from mobile browsers, different device states, and various IP locations.

Verification: Document test results and ensure emergency accounts always have access before enabling policies.

06

Monitor Sign-In Logs During Report-Only Phase

With policies in report-only mode, monitor their impact for at least one week. Navigate to Monitoring > Sign-in logs in the Microsoft Entra admin center.

Filter the logs to focus on your policies:

Filter options:
- Conditional Access: Select your policy names
- Status: All
- Date range: Last 7 days

Look for these key indicators:

  • Report-only entries: Shows what would have happened
  • Blocked users: Legitimate users who would be affected
  • MFA prompts: Additional authentication requirements
  • Compliance issues: Devices marked non-compliant

Export the data for analysis:

# PowerShell to export sign-in logs
Connect-MgGraph -Scopes "AuditLog.Read.All"

$logs = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2026-03-12" -All
$logs | Where-Object {$_.ConditionalAccessStatus -eq "reportOnlyInterrupted"} | Export-Csv "ca-impact.csv"

Review the exported data to identify:

  • Users who would be blocked inappropriately
  • Devices that need compliance remediation
  • Applications requiring policy adjustments
Common mistake: Enabling enforcement too quickly without adequate monitoring. Always allow 7-14 days of report-only data collection.

Verification: Confirm no critical business processes would be disrupted before enabling enforcement.

07

Enable Policy Enforcement

After monitoring and addressing any issues found during the report-only phase, enable policy enforcement. Return to Conditional Access > Policies.

For each policy you want to enable:

  1. Click the policy name
  2. Click Edit
  3. Change Enable policy from Report-only to On
  4. Click Save

Enable policies in this recommended order:

1. Device compliance policy (lowest risk)
2. Location-based policies (if configured)
3. Risk-based policies (highest impact)

Use PowerShell for bulk policy enablement:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Get policies in report-only mode
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object {$_.State -eq "enabledForReportingButNotEnforced"}

# Enable each policy (review list first!)
foreach ($policy in $policies) {
    Write-Host "Enabling policy: $($policy.DisplayName)"
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"
}
Pro tip: Enable policies during low-usage hours and have your IT support team ready to assist users with any access issues.

Verification: Test access with various user accounts and device types to confirm policies work as expected without blocking legitimate access.

08

Set Up Ongoing Monitoring and Alerts

Implement continuous monitoring to detect policy issues and security events. Configure alerts for critical scenarios.

Create Azure Monitor Workbook for Conditional Access:

Navigate to Azure Monitor > Workbooks > New and add these queries:

// Failed sign-ins due to Conditional Access
SigninLogs
| where TimeGenerated > ago(24h)
| where ConditionalAccessStatus == "failure"
| summarize count() by UserPrincipalName, AppDisplayName, ConditionalAccessPolicies
| order by count_ desc
// Emergency account usage (should be rare)
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName contains "emergency-access"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, RiskLevelDuringSignIn

Configure Alert Rules:

In Azure Monitor > Alerts, create these critical alerts:

{
  "alertName": "Emergency Account Usage",
  "condition": "SigninLogs | where UserPrincipalName contains 'emergency-access'",
  "threshold": "Any usage",
  "action": "Email security team immediately"
}
{
  "alertName": "High Volume CA Blocks",
  "condition": "ConditionalAccessStatus == 'failure'",
  "threshold": ">50 failures in 1 hour",
  "action": "Email IT operations team"
}

Weekly Review Process:

  • Review sign-in logs for unusual patterns
  • Check device compliance rates
  • Verify emergency accounts remain functional
  • Update policies based on new threats

Verification: Test alert triggers by using an emergency account or creating a test failure scenario to ensure notifications work.

Frequently Asked Questions

What happens if I accidentally lock myself out with Conditional Access policies?+
Use your emergency access accounts (break-glass accounts) that should be excluded from all Conditional Access policies. These accounts have Global Administrator privileges and can modify or disable problematic policies. Always create and test emergency accounts before implementing any Conditional Access policies. If you don't have emergency accounts, contact Microsoft support for assistance with account recovery.
How long should I run policies in report-only mode before enabling enforcement?+
Microsoft recommends monitoring policies in report-only mode for at least 7-14 days to capture various user scenarios and access patterns. This period allows you to identify legitimate users who might be blocked, devices that need compliance remediation, and applications requiring policy adjustments. For critical business applications, consider extending the monitoring period to 30 days to capture monthly usage patterns.
Can Conditional Access policies prevent new devices from enrolling in Intune?+
No, properly configured device compliance policies do not block Intune enrollment. The 'Require device to be marked as compliant' control allows devices to enroll even when non-compliant, then enforces compliance after enrollment. However, other Conditional Access policies (like location-based or app-based policies) might interfere with enrollment if they block access to the Company Portal or enrollment services.
What's the difference between Azure AD Premium P1 and P2 for Conditional Access?+
Azure AD Premium P1 includes basic Conditional Access policies for device compliance, location, and application controls. Premium P2 adds Identity Protection features including risk-based policies that can detect and respond to sign-in risks (impossible travel, anonymous IP addresses) and user risks (compromised credentials). P2 also includes access reviews, privileged identity management, and advanced security reports.
How do I troubleshoot users who can't access applications after enabling Conditional Access?+
Start by checking the sign-in logs in Microsoft Entra admin center under Monitoring > Sign-in logs. Filter by the affected user and look for Conditional Access failure reasons. Common issues include non-compliant devices (check Intune compliance status), missing MFA registration (verify authentication methods), or being in an excluded group. Use the What If tool to simulate the user's scenario and identify which policies are blocking access.
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#conditional-access#intune#azure-ad

Further Intelligence

Deepen your knowledge with related resources

How to Enable JavaScript and Cookies in Chrome, Firefox, Safari & Edge
tutorial
Web Development

How to Enable JavaScript and Cookies in Chrome, Firefox, Safari & Edge

Deep Dive
How to Configure Outlook Auto-Login using Microsoft Intune Settings Catalog
tutorial
Cloud Computing

How to Configure Outlook Auto-Login using Microsoft Intune Settings Catalog

Deep Dive
How to Set Up Secure Intune Conditional Access Policies
tutorial
Cybersecurity

How to Set Up Secure Intune Conditional Access Policies

Deep Dive

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...