Entra ID Conditional Access — the 14-day rollout pattern
Entra ID Conditional Access is the single most important security policy engine in a Microsoft-anchored estate — more impactful than any single Defender plan, and the first thing we tighten in every engagement. This post is the 14-day rollout pattern: emergency-access setup, baseline policy library, phishing-resistant MFA for admins, Sign-in Risk-Based enforcement, Token Protection. Plus the seven CA mistakes we audit-find most often.
Entra P1 / P2 (licensing): P1 = Conditional Access. P2 = Sign-in Risk + ID Protection + PIM.
14 days (standard rollout): Break-glass → baseline → enforce → phishing-resistant admins.
99.9% (Microsoft published): Sign-in attack risk reduction from MFA. CA enforces it at the right places.
Phishing-resistant (FIDO2 / WHfB / passkeys): Required for admins + crown-jewel apps. CA enforces strength.
The baseline policy library — 8 policies every tenant needs
| Policy | Scope | Action |
|---|---|---|
| 1. Require MFA for all users | All users (except break-glass + service identities) | Require MFA |
| 2. Require phishing-resistant MFA for admins | All directory + privileged roles | Require authentication strength: phishing-resistant |
| 3. Block legacy authentication | All users (except break-glass) | Block (POP/IMAP/SMTP auth + other legacy protocols) |
| 4. Require compliant + hybrid-joined device | All users on M365 + Defender XDR apps | Require device compliance + hybrid-join |
| 5. Block from non-corporate device / network | Crown-jewel apps (ERP, HRMS, finance) | Block unless device is compliant and location is a named corporate network |
| 6. High Sign-in Risk → block | All users (P2 required) | Block |
| 7. Medium Sign-in Risk → require MFA + password change | All users (P2 required) | Require MFA, then password change |
| 8. B2B guest MFA + session limits | All guests | Require MFA + 8-hour sign-in frequency |
The 14-day rollout pattern
Days 1-3 — Emergency access (break-glass) accounts
Create 2 cloud-only emergency accounts; permanent Global Administrator role; complex passwords stored in sealed safe; excluded from ALL Conditional Access policies; Sentinel alert on any sign-in. Quarterly fire-drill test.
Days 4-7 — Baseline policies in report-only
Policies 1, 3, 4, 8 in report-only mode. Watch sign-in logs for who would have been blocked. Identify legacy auth holdouts (typically: scanner / printer / on-prem mailbox client) + remediate or carve specific exemptions.
Days 8-10 — Flip to enforce
Baseline policies enforced. Monitor support tickets for first 48 hours; the legacy-auth ticket spike is the signal you missed an exemption. Reduce policy scope if needed; never reduce by disabling the whole policy.
Days 11-14 — Phishing-resistant + Sign-in Risk + Token Protection
Policy 2 (phishing-resistant MFA for admins) — issue FIDO2 keys / enable Windows Hello for Business. Policies 6 + 7 (P2 Risk-Based). Token Protection on M365 apps. PIM enrolment for all directory + privileged roles.
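One way to do the Days 4-7 report-only review in code, as an added example rather than Ogma's own tooling: it reads sign-in records in the shape of the Entra sign-in log (the appliedConditionalAccessPolicies result values and clientAppUsed are real field names; the users, clients and counts are constructed) and turns reportOnlyFailure hits into the holdout worklist that decides what to remediate or exempt before the Days 8-10 flip to enforce.

```python
from collections import Counter

# Constructed sign-in records in the shape of the Entra sign-in log (Graph signIn
# resource): clientAppUsed plus the appliedConditionalAccessPolicies results.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "appliedConditionalAccessPolicies": [
         {"displayName": "3. Block legacy authentication", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "appliedConditionalAccessPolicies": [
         {"displayName": "3. Block legacy authentication", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "finance-shared@example.com", "clientAppUsed": "IMAP4",
     "appliedConditionalAccessPolicies": [
         {"displayName": "3. Block legacy authentication", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [
         {"displayName": "3. Block legacy authentication", "result": "reportOnlyNotApplied"},
         {"displayName": "1. Require MFA for all users", "result": "reportOnlySuccess"}]},
]

LEGACY_POLICY = "3. Block legacy authentication"

def would_be_blocked(signin, policy_name):
    """True when the named report-only policy evaluated to reportOnlyFailure."""
    return any(a["displayName"] == policy_name and a["result"] == "reportOnlyFailure"
               for a in signin["appliedConditionalAccessPolicies"])

def holdouts(signins, policy_name=LEGACY_POLICY):
    """Count would-be-blocked sign-ins per (user, client app): the remediation worklist."""
    return Counter((s["userPrincipalName"], s["clientAppUsed"])
                   for s in signins if would_be_blocked(s, policy_name))

def enforce_impact(signins, policy_name=LEGACY_POLICY):
    """(blocked, total) sign-ins: flip to enforce only once every blocked entry is explained."""
    blocked = sum(would_be_blocked(s, policy_name) for s in signins)
    return blocked, len(signins)
```

Each (user, client app) pair in the holdout list is either fixed (modern auth client) or becomes a narrowly scoped exemption; a pair that survives into Days 8-10 is the ticket spike the text warns about.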
The 7 CA mistakes we audit-find most often
▸ 1. No break-glass accounts
Or break-glass excluded only from the MFA policy but included in others; a single CA policy change can then lock out the tenant.
▸ 2. MFA covers users but not admins
Admin role MFA exclusion for "convenience" — the exact opposite of zero-trust.
▸ 3. Legacy authentication open
Even with modern auth required, POP/IMAP/SMTP basic auth still allowed on at least one mailbox — and that's the one attackers find.
▸ 4. Service principals + workload identities unmonitored
CA doesn't apply to service-principal sign-ins by default. Workload Identity Premium add-on closes this gap.
▸ 5. Guests inherit member privileges
Cross-Tenant Access Settings left default. Guests bypass MFA because their home tenant claimed MFA. Trust ours, not theirs.
▸ 6. No Risk-Based policies despite owning P2
Sign-in Risk + User Risk policies licensed but disabled. The single highest-signal trigger left dormant.
▸ 7. Token Protection not enabled where supported
Token-theft replay attacks are the 2025-2026 frontier; Token Protection is the defence.
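An added example (not Ogma's audit tooling) that checks an exported policy set against the baseline table and mistakes 1, 2, 3 and 6 above: the policy objects follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, clientAppTypes, signInRiskLevels, grantControls.builtInControls), the break-glass object IDs are placeholders, and the Global Administrator role template ID is the built-in one.

```python
# Constructed policy export in Microsoft Graph conditionalAccessPolicy shape;
# the break-glass object IDs are placeholders, the role ID is the built-in one.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator template ID
BREAK_GLASS = {"bg-0001-placeholder", "bg-0002-placeholder"}
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # legacy / basic-auth client buckets

SAMPLE_POLICIES = [
    {"displayName": "1. Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001-placeholder"],
                              "excludeRoles": [GLOBAL_ADMIN_ROLE]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "3. Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS)},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "6. High sign-in risk -> block", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS)},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["block"]}},
]

def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def audit(policies):
    """Return (policy, finding) pairs for mistakes 1, 2, 3 and 6; empty list = clean."""
    findings = []
    active = [p for p in policies if p["state"] != "disabled"]  # enforced or report-only
    for p in active:
        users = p["conditions"]["users"]
        # Mistake 1: every active policy must exclude every break-glass account,
        # otherwise one policy edit can lock the tenant out.
        missing = BREAK_GLASS - set(users.get("excludeUsers", []))
        if missing:
            findings.append((p["displayName"], "break-glass not excluded: " + ", ".join(sorted(missing))))
        # Mistake 2: an MFA policy that carves the Global Administrator role out.
        if "mfa" in controls(p) and GLOBAL_ADMIN_ROLE in users.get("excludeRoles", []):
            findings.append((p["displayName"], "Global Administrator excluded from MFA"))
    # Mistake 3: report-only does not block; at least one *enforced* policy must
    # block the legacy client-app buckets.
    if not any(p["state"] == "enabled" and "block" in controls(p)
               and LEGACY_CLIENT_TYPES <= set(p["conditions"].get("clientAppTypes", []))
               for p in policies):
        findings.append(("<tenant>", "no enforced policy blocks legacy authentication"))
    # Mistake 6: sign-in-risk policies present but left disabled.
    for p in policies:
        if p["state"] == "disabled" and p["conditions"].get("signInRiskLevels"):
            findings.append((p["displayName"], "sign-in risk policy present but disabled"))
    return findings
```

Run against the constructed export it reports four findings: the second break-glass account missing from policy 1, the admin carve-out in policy 1, legacy auth still only in report-only, and the dormant high-risk policy.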
PIM + Privileged Access Workstation — the next layer
Once the CA baseline is in: Privileged Identity Management + PAW for admin roles
PIM converts standing-privileged roles to just-in-time activation with MFA challenge + justification + approval workflow + auditable trail. Combine with Privileged Access Workstations (PAW) — dedicated, locked-down devices for admin work, kept separate from email + web browsing endpoints. The combination is what mature Microsoft-anchored estates run at the privileged tier. Ogma rolls these out as the layer-2 after CA baseline.
FAQ
Is Entra ID P2 mandatory for Conditional Access?
Where does Conditional Access fit relative to MFA?
Phishing-resistant authentication — FIDO2 / passkeys / WHfB — how does it fit in?
What about contractors / vendors / B2B guests?
Break-glass accounts — how do we exclude safely?
Token theft + replay — how do we defend?
How does CA tie back to DPDP / RBI / CERT-In compliance?
What's a good 14-day Conditional Access rollout?
Free Entra Conditional Access audit + remediation plan
Identify your CA policy gaps, missing risk-based controls, and break-glass posture in 5 working days
Ogma audits your Entra CA policy library against the 8-policy baseline + 7-mistake checklist, returns a prioritised remediation plan, and runs the 14-day rollout if you choose to proceed. INR + GST quote tied to your seat count.