Now Reading: Your Conditional Access Policy Has Trust Issues: We Need To Talk
-
01
Your Conditional Access Policy Has Trust Issues: We Need To Talk
1
00:00:00,000 –> 00:00:01,680
It’s not misbehaving, it’s overwhelmed.
2
00:00:01,680 –> 00:00:03,560
Your conditional access is trying to protect you
3
00:00:03,560 –> 00:00:06,600
while juggling mixed messages and unresolved exceptions.
4
00:00:06,600 –> 00:00:08,280
It’s been asked to trust without boundaries.
5
00:00:08,280 –> 00:00:09,080
Here’s the plan.
6
00:00:09,080 –> 00:00:11,720
We’ll diagnose three trust wounds, overbroad exclusions,
7
00:00:11,720 –> 00:00:13,960
device compliance gaps and token theft paths,
8
00:00:13,960 –> 00:00:16,360
and give you a calming baseline, a safe test plan,
9
00:00:16,360 –> 00:00:17,680
and monitoring alerts.
10
00:00:17,680 –> 00:00:19,360
If you’re running a law by default,
11
00:00:19,360 –> 00:00:22,400
you’re leaking trust and inviting silent bypasses.
12
00:00:22,400 –> 00:00:23,920
There’s a mistake that locks out everyone
13
00:00:23,920 –> 00:00:26,480
and one that leaves attackers invisible, both are fixable.
14
00:00:26,480 –> 00:00:28,160
Let’s help it set healthy boundaries
15
00:00:28,160 –> 00:00:31,840
so it can find its rhythm again, starting with exclusions.
16
00:00:31,840 –> 00:00:34,440
Diagnosed trust wound number one, overbroad exclusions.
17
00:00:34,440 –> 00:00:35,880
Exclusions feel kind.
18
00:00:35,880 –> 00:00:38,160
You didn’t want to stress the system or the people in it
19
00:00:38,160 –> 00:00:41,840
so you carved out break glass VIPs and that partner domain,
20
00:00:41,840 –> 00:00:43,120
but boundaries drift.
21
00:00:43,120 –> 00:00:45,160
The exceptions harden and conditional access
22
00:00:45,160 –> 00:00:46,320
starts doubting itself.
23
00:00:46,320 –> 00:00:48,840
It’s not misbehaving, it’s living with an ever-growing list
24
00:00:48,840 –> 00:00:51,880
of not you, not now, and that invites bypasses attackers
25
00:00:51,880 –> 00:00:52,720
a door.
26
00:00:52,720 –> 00:00:54,920
The thing most people miss is that exclusions
27
00:00:54,920 –> 00:00:57,000
are invisible in day-to-day flow.
28
00:00:57,000 –> 00:00:58,040
You won’t see a banner that says
29
00:00:58,040 –> 00:01:00,240
we skipped protection for the CFO.
30
00:01:00,240 –> 00:01:02,560
You’ll just see not applied in a log and that’s it.
31
00:01:02,560 –> 00:01:03,840
So we start by mapping scope.
32
00:01:03,840 –> 00:01:06,880
List every exclusion across users, groups, applications,
33
00:01:06,880 –> 00:01:09,360
locations, and authentication contexts.
34
00:01:09,360 –> 00:01:11,320
Nested groups are the quiet leakers here.
35
00:01:11,320 –> 00:01:14,400
What looked like one exception is actually five layers deep,
36
00:01:14,400 –> 00:01:16,280
including contractors, test accounts,
37
00:01:16,280 –> 00:01:18,360
and legacy sync artifacts.
38
00:01:18,360 –> 00:01:21,240
This clicked for me when I pulled a tenants, sign in logs,
39
00:01:21,240 –> 00:01:23,880
and filtered for conditional access, not applied.
40
00:01:23,880 –> 00:01:25,320
The pattern wasn’t random.
41
00:01:25,320 –> 00:01:27,480
Most bypasses sourced from two places.
42
00:01:27,480 –> 00:01:29,800
A VIP group attached to three policies
43
00:01:29,800 –> 00:01:32,720
and a named location that had grown from one corporate CIDR
44
00:01:32,720 –> 00:01:35,880
to anywhere our vendor might be.
45
00:01:35,880 –> 00:01:37,080
It wasn’t malice.
46
00:01:37,080 –> 00:01:38,160
It was comfort.
47
00:01:38,160 –> 00:01:41,760
The policy was trying to keep the piece by saying yes too often.
48
00:01:41,760 –> 00:01:42,840
Here’s the better pattern.
49
00:01:42,840 –> 00:01:47,680
Move from exclude VIPs to include all and authorize exceptions
50
00:01:47,680 –> 00:01:49,840
through time-bound authentication context.
51
00:01:49,840 –> 00:01:51,680
That shift sets healthy boundaries.
52
00:01:51,680 –> 00:01:54,920
You keep policies broad and inclusive, all users, all cloud apps,
53
00:01:54,920 –> 00:01:57,280
and when someone truly needs to step around the control,
54
00:01:57,280 –> 00:01:59,280
they request the emergency context, which
55
00:01:59,280 –> 00:02:02,080
has approval of one hour lifetime and audit trails.
56
00:02:02,080 –> 00:02:04,760
The trust becomes explicit, visible, and short-lived.
57
00:02:04,760 –> 00:02:06,760
Let me show you exactly how to see your leaks.
58
00:02:06,760 –> 00:02:09,720
In enter a sign-in logs, add columns for conditional access,
59
00:02:09,720 –> 00:02:12,040
policy name, result, and details.
60
00:02:12,040 –> 00:02:13,280
Filter result for not applied.
61
00:02:13,280 –> 00:02:16,400
Now slice by user, then by app, and finally by location.
62
00:02:16,400 –> 00:02:18,240
You’re looking for clusters not one-offs,
63
00:02:18,240 –> 00:02:20,520
the big red flags, permanent exclusions
64
00:02:20,520 –> 00:02:23,960
for executives or service accounts, entire federated domains
65
00:02:23,960 –> 00:02:25,960
are hard to save and named locations that
66
00:02:25,960 –> 00:02:28,680
mix trusted with convenience networks.
67
00:02:28,680 –> 00:02:30,800
If you remember nothing else, remember this.
68
00:02:30,800 –> 00:02:33,440
A permanent exclusion is a permanent invitation.
69
00:02:33,440 –> 00:02:36,240
What should the policy logic feel like before and after?
70
00:02:36,240 –> 00:02:37,200
Before.
71
00:02:37,200 –> 00:02:40,280
Multiple policies with include groups and broad exclude lists,
72
00:02:40,280 –> 00:02:43,840
VIPs, breakglas, certain apps, and a safe location.
73
00:02:43,840 –> 00:02:46,840
The engine spends energy deciding who not to protect.
74
00:02:46,840 –> 00:02:49,720
After fewer inclusive policies with no user or location
75
00:02:49,720 –> 00:02:53,120
exclusions, exceptions root via a specific authentication
76
00:02:53,120 –> 00:02:55,480
context presented only when an approver grants it
77
00:02:55,480 –> 00:02:56,640
and it expires quickly.
78
00:02:56,640 –> 00:02:57,560
The engine can breathe.
79
00:02:57,560 –> 00:03:00,360
It protects first, then allows controlled, visible relief
80
00:03:00,360 –> 00:03:00,960
when needed.
81
00:03:00,960 –> 00:03:02,760
Here’s a quick win you can do today.
82
00:03:02,760 –> 00:03:05,840
Create an authentication context called emergency bypass.
83
00:03:05,840 –> 00:03:09,080
Set it with grant controls that still require MFA and device
84
00:03:09,080 –> 00:03:12,200
risk checks and cap session to one hour, add an approval
85
00:03:12,200 –> 00:03:14,320
workflow outside the policy, change ticket,
86
00:03:14,320 –> 00:03:16,960
or documented approver, and log its use weekly.
87
00:03:16,960 –> 00:03:20,040
Now replace hard-coded exclusions in your existing policies
88
00:03:20,040 –> 00:03:22,720
with require authentication context.
89
00:03:22,720 –> 00:03:24,520
Emergency bypass.
90
00:03:24,520 –> 00:03:25,880
You haven’t taken away safety.
91
00:03:25,880 –> 00:03:27,120
You’ve given it a safer shape.
92
00:03:27,120 –> 00:03:28,600
Now here’s where most people mess up.
93
00:03:28,600 –> 00:03:30,400
They exclude an entire partner domain
94
00:03:30,400 –> 00:03:33,000
because one app misbehaved during a rollout,
95
00:03:33,000 –> 00:03:36,920
or they mark a cloud proxy IP range as trusted, forgetting
96
00:03:36,920 –> 00:03:39,400
that attackers can originate from the same provider.
97
00:03:39,400 –> 00:03:42,200
Or they mix excluded locations with named locations.
98
00:03:42,200 –> 00:03:44,520
Assuming the union is safer, it’s not.
99
00:03:44,520 –> 00:03:46,800
It becomes a fuzzy map your policy doesn’t understand.
100
00:03:46,800 –> 00:03:49,720
With clearer lines, CA can find its rhythm again.
101
00:03:49,720 –> 00:03:52,120
Common mistake number two is forgetting service principles
102
00:03:52,120 –> 00:03:53,760
and workload identities.
103
00:03:53,760 –> 00:03:56,400
If your policies only target users and groups,
104
00:03:56,400 –> 00:03:59,160
your automation can glide under the radar.
105
00:03:59,160 –> 00:04:02,240
Instead, use dedicated policies for service principles
106
00:04:02,240 –> 00:04:05,200
and workload identities and never rely on exclusions
107
00:04:05,200 –> 00:04:07,240
to fix automation friction.
108
00:04:07,240 –> 00:04:09,520
Help it heal by aligning scopes, users, guests,
109
00:04:09,520 –> 00:04:11,480
and identities each get coverage.
110
00:04:11,480 –> 00:04:12,520
A micro story.
111
00:04:12,520 –> 00:04:14,560
Last week, a team removed a VIP exclusion
112
00:04:14,560 –> 00:04:15,960
that had lived for two years.
113
00:04:15,960 –> 00:04:17,640
They replaced it with emergency bypass
114
00:04:17,640 –> 00:04:20,560
and scheduled a weekly review of not applied sign-ins.
115
00:04:20,560 –> 00:04:23,080
Within two days, they found a legacy sync account
116
00:04:23,080 –> 00:04:25,720
silently logging in from an unmanaged network.
117
00:04:25,720 –> 00:04:27,440
No MFA, no device checks.
118
00:04:27,440 –> 00:04:28,400
It wasn’t evil.
119
00:04:28,400 –> 00:04:30,560
It was a forgotten comfort blanket.
120
00:04:30,560 –> 00:04:33,040
And once it was named, the fix was simple,
121
00:04:33,040 –> 00:04:35,080
assigned to a managed identity pattern
122
00:04:35,080 –> 00:04:36,120
and bring it under policy.
123
00:04:36,120 –> 00:04:37,360
And the reason this works is simple,
124
00:04:37,360 –> 00:04:39,520
inclusive scopes reduce cognitive load.
125
00:04:39,520 –> 00:04:42,680
Authentication context replaces permanence with intention
126
00:04:42,680 –> 00:04:45,200
and logs become meaningful because every not applied
127
00:04:45,200 –> 00:04:46,800
means something actionable.
128
00:04:46,800 –> 00:04:49,120
Your conditional access isn’t trying to be difficult.
129
00:04:49,120 –> 00:04:52,000
It just needs you to stop asking it to ignore its own rules.
130
00:04:52,000 –> 00:04:53,320
With gentler, firmer boundaries,
131
00:04:53,320 –> 00:04:56,880
it can protect everyone, equally, predictably, audibly.
132
00:04:56,880 –> 00:04:58,480
Once exclusion stop leaking,
133
00:04:58,480 –> 00:05:00,960
the device boundary needs care next.
134
00:05:00,960 –> 00:05:03,960
Diagnosed trust, wound number two, device compliance gaps.
135
00:05:03,960 –> 00:05:05,440
Your device boundary is tired.
136
00:05:05,440 –> 00:05:06,800
It’s been asked to trust badges.
137
00:05:06,800 –> 00:05:09,320
It can’t verify and signals that arrive late.
138
00:05:09,320 –> 00:05:11,600
Require a compliant device sound soothing,
139
00:05:11,600 –> 00:05:14,280
but without clarity, it swings between over permissive
140
00:05:14,280 –> 00:05:15,120
and overprotective.
141
00:05:15,120 –> 00:05:17,360
And that’s why people get blocked on a clean laptop
142
00:05:17,360 –> 00:05:19,320
while an unmanaged tablet slips through,
143
00:05:19,320 –> 00:05:21,400
it’s not misbehaving, it’s confused.
144
00:05:21,400 –> 00:05:22,240
Why does this matter?
145
00:05:22,240 –> 00:05:24,800
Because device state is identity’s closest friend.
146
00:05:24,800 –> 00:05:27,880
If the state is wrong or missing, your policy guesses.
147
00:05:27,880 –> 00:05:31,080
Gases create silent allowances or mass blocks.
148
00:05:31,080 –> 00:05:34,160
When the device story is clear, conditional access relaxes.
149
00:05:34,160 –> 00:05:36,320
It can give easy paths to healthy devices
150
00:05:36,320 –> 00:05:38,280
and set firmer boundaries everywhere else.
151
00:05:38,280 –> 00:05:42,120
The thing most people miss is that registered is not compliant.
152
00:05:42,120 –> 00:05:45,240
Registered just means the device introduced itself.
153
00:05:45,240 –> 00:05:47,320
Compliant means it met your health rules
154
00:05:47,320 –> 00:05:49,400
in Intune and brought proof today.
155
00:05:49,400 –> 00:05:52,000
Hybrid Azure AD Joint is about identity alignment
156
00:05:52,000 –> 00:05:53,040
with your domain.
157
00:05:53,040 –> 00:05:54,480
They are different kinds of trust.
158
00:05:54,480 –> 00:05:56,320
If you remember nothing else, remember this.
159
00:05:56,320 –> 00:05:58,400
Treat each tier as a distinct promise.
160
00:05:58,400 –> 00:05:59,600
Here’s the model that clicks.
161
00:05:59,600 –> 00:06:01,960
Define four tiers in plain language.
162
00:06:01,960 –> 00:06:07,200
Compliant, Intune evaluates and the device meets your policies.
163
00:06:07,200 –> 00:06:10,120
Hybrid Azure AD Joint Domain Relationship Verified
164
00:06:10,120 –> 00:06:11,720
Device Identity Anchored.
165
00:06:11,720 –> 00:06:14,600
Azure AD Joint Cloud Managed Corporate Device.
166
00:06:14,600 –> 00:06:18,600
Registered BYOD, Personal or Light Touch Enrollment.
167
00:06:18,600 –> 00:06:21,880
Now let’s help it set healthy boundaries with policy design.
168
00:06:21,880 –> 00:06:23,640
Split decisions by device state
169
00:06:23,640 –> 00:06:26,160
rather than hinging everything on one control.
170
00:06:26,160 –> 00:06:29,160
Use filters for devices to target platform or join type
171
00:06:29,160 –> 00:06:30,960
and pair with authentication strengths.
172
00:06:30,960 –> 00:06:33,840
So strong credentials backstop weaker device states.
173
00:06:33,840 –> 00:06:37,360
Don’t ask a single toggle to carry your whole zero trust posture.
174
00:06:37,360 –> 00:06:39,280
What does the better pattern look like?
175
00:06:39,280 –> 00:06:41,760
For productive low friction access on compliant
176
00:06:41,760 –> 00:06:44,920
or Azure AD Joint devices allow with MFA
177
00:06:44,920 –> 00:06:47,200
and apply session controls like sign-in frequency
178
00:06:47,200 –> 00:06:49,280
and continuous access evaluation.
179
00:06:49,280 –> 00:06:52,400
For registered devices, step up with Fishing Resistant MFA
180
00:06:52,400 –> 00:06:55,160
and Limit Data Exposure with App Enforced Restrictions
181
00:06:55,160 –> 00:06:56,640
and Conditional App Control.
182
00:06:56,640 –> 00:07:00,000
For unknown devices, require either a compliant posture
183
00:07:00,000 –> 00:07:01,480
or a high authentication strength
184
00:07:01,480 –> 00:07:03,320
before granting anything sensitive.
185
00:07:03,320 –> 00:07:05,480
And for admin portals, demand both a compliant
186
00:07:05,480 –> 00:07:07,880
or hybrid device and Fishing Resistant credentials.
187
00:07:07,880 –> 00:07:08,800
No device, no keys.
188
00:07:08,800 –> 00:07:11,120
Let me show you exactly how to get signal clarity.
189
00:07:11,120 –> 00:07:13,360
In sign-in logs, add device info columns,
190
00:07:13,360 –> 00:07:16,440
join type, compliant, trust type and operating system.
191
00:07:16,440 –> 00:07:19,840
Add conditional access columns for result and policy details,
192
00:07:19,840 –> 00:07:21,920
filter failures with ground control required,
193
00:07:21,920 –> 00:07:24,920
compliant device and compare against device info.
194
00:07:24,920 –> 00:07:28,160
You’re looking for drift, devices that claim Azure AD joined
195
00:07:28,160 –> 00:07:30,560
but aren’t compliant or registered devices
196
00:07:30,560 –> 00:07:32,560
that succeeded because no fallback existed.
197
00:07:32,560 –> 00:07:35,080
Then flip the lens, filter successes where device
198
00:07:35,080 –> 00:07:38,120
is not compliant and see which policies allow it and why,
199
00:07:38,120 –> 00:07:39,600
a quick win you can do today.
200
00:07:39,600 –> 00:07:41,240
Create a fallback policy.
201
00:07:41,240 –> 00:07:43,800
Scope it to all users and all cloud apps.
202
00:07:43,800 –> 00:07:46,320
Exclude only your emergency access accounts.
203
00:07:46,320 –> 00:07:49,000
Target devices where compliant equals falls
204
00:07:49,000 –> 00:07:51,560
or join type equals registered.
205
00:07:51,560 –> 00:07:54,160
Grant access if the user satisfies a Fishing Resistant
206
00:07:54,160 –> 00:07:55,600
Authentication Strength.
207
00:07:55,600 –> 00:07:58,000
Add session controls to reduce data persistence,
208
00:07:58,000 –> 00:07:59,720
disable persistent browser sessions
209
00:07:59,720 –> 00:08:01,520
and enforce sign-in frequency.
210
00:08:01,520 –> 00:08:03,520
This turns a hard block into a safe step-up
211
00:08:03,520 –> 00:08:06,280
and removes the urge to add risky exclusions.
212
00:08:06,280 –> 00:08:07,800
Now here’s where most people mess up.
213
00:08:07,800 –> 00:08:10,960
They assume registered equals corporate or it doesn’t
214
00:08:10,960 –> 00:08:13,200
or they stamp require compliant device on everything
215
00:08:13,200 –> 00:08:15,120
then watch VIP travel laptops fail
216
00:08:15,120 –> 00:08:17,360
because the compliance signal is stale
217
00:08:17,360 –> 00:08:18,960
or they ignore sign-in frequency.
218
00:08:18,960 –> 00:08:21,160
Letting a compliant check at 9 a.m.
219
00:08:21,160 –> 00:08:22,520
Bless a browser until next week.
220
00:08:22,520 –> 00:08:24,760
The boundary blurs attack us love blurred boundaries.
221
00:08:24,760 –> 00:08:26,240
The reason this works is simple.
222
00:08:26,240 –> 00:08:29,160
With clearer tears, CA doesn’t have to overreact.
223
00:08:29,160 –> 00:08:32,040
It can greet a compliant device with less friction,
224
00:08:32,040 –> 00:08:34,520
ask a registered device to bring stronger proof
225
00:08:34,520 –> 00:08:36,360
and keep unknown devices at arms length.
226
00:08:36,360 –> 00:08:39,000
It’s not rejection, it’s healthy distance.
227
00:08:39,000 –> 00:08:40,920
Let’s anchor with a micro story.
228
00:08:40,920 –> 00:08:42,960
A team saw random admin portal access
229
00:08:42,960 –> 00:08:44,480
from registered MacBooks.
230
00:08:44,480 –> 00:08:46,920
No policy blocked it because require compliant
231
00:08:46,920 –> 00:08:48,520
wasn’t in scope for that app.
232
00:08:48,520 –> 00:08:50,760
They added the fallback with Fishing Resistant Strength
233
00:08:50,760 –> 00:08:53,320
and those same attempts now prompt for a strong key.
234
00:08:53,320 –> 00:08:55,320
Admins move to manage devices within a week
235
00:08:55,320 –> 00:08:57,600
because the boundary was calm and consistent.
236
00:08:57,600 –> 00:08:59,240
Once your device signals feel steady,
237
00:08:59,240 –> 00:09:01,120
we need to close the gap attackers use
238
00:09:01,120 –> 00:09:02,120
after they steal tokens.
239
00:09:02,120 –> 00:09:03,120
That’s next.
240
00:09:03,120 –> 00:09:05,320
Diagnose, trust wound number three.
241
00:09:05,320 –> 00:09:06,920
Token theft scenarios.
242
00:09:06,920 –> 00:09:10,080
When a token gets stolen, conditional access feels unheard.
243
00:09:10,080 –> 00:09:11,480
It’s set boundaries at sign-in,
244
00:09:11,480 –> 00:09:14,040
but the session kept walking without checking back in.
245
00:09:14,040 –> 00:09:16,360
It’s not misbehaving, it’s stuck, honoring a promise
246
00:09:16,360 –> 00:09:17,720
it can’t re-verify.
247
00:09:17,720 –> 00:09:18,760
And attackers know this.
248
00:09:18,760 –> 00:09:19,960
They don’t argue with your MFA.
249
00:09:19,960 –> 00:09:21,160
They borrow your session.
250
00:09:21,160 –> 00:09:21,960
Why this matters?
251
00:09:21,960 –> 00:09:24,080
Once an attacker holds a valid refresh token
252
00:09:24,080 –> 00:09:25,520
or a long-lived session,
253
00:09:25,520 –> 00:09:28,280
your beautiful policies become background noise.
254
00:09:28,280 –> 00:09:31,800
The risk shifts from can they log in to how long can they linger?
255
00:09:31,800 –> 00:09:33,400
If you shorten exposure
256
00:09:33,400 –> 00:09:36,040
and make the session reproof itself under the right conditions,
257
00:09:36,040 –> 00:09:37,040
you take back control.
258
00:09:37,040 –> 00:09:40,840
That’s how your system finds its rhythm again after shock.
259
00:09:40,840 –> 00:09:43,080
The thing most people miss is the difference between
260
00:09:43,080 –> 00:09:45,600
initial authentication and ongoing authorization.
261
00:09:45,600 –> 00:09:46,760
You gated the front door,
262
00:09:46,760 –> 00:09:48,640
but you left the hallway lights on forever.
263
00:09:48,640 –> 00:09:51,240
Sign-in frequency, continuous access evaluation
264
00:09:51,240 –> 00:09:54,080
and contact sensitive re-auth are how we gently ask,
265
00:09:54,080 –> 00:09:55,160
are you still you?
266
00:09:55,160 –> 00:09:56,480
Is this still that device?
267
00:09:56,480 –> 00:09:57,560
Has risk changed?
268
00:09:57,560 –> 00:09:58,680
Here’s the better pattern.
269
00:09:58,680 –> 00:10:00,400
First, reduce exposure windows,
270
00:10:00,400 –> 00:10:02,680
set sign-in frequency for sensitive apps and roles
271
00:10:02,680 –> 00:10:05,240
so tokens must represent proof more often.
272
00:10:05,240 –> 00:10:07,120
Pair that with continuous access evaluation,
273
00:10:07,120 –> 00:10:09,160
so sessions react to changes in risk,
274
00:10:09,160 –> 00:10:11,440
device state password resets and revoke tokens
275
00:10:11,440 –> 00:10:12,520
in near real time.
276
00:10:12,520 –> 00:10:15,280
Second, raise the bar for sensitive actions.
277
00:10:15,280 –> 00:10:17,040
Use authentication context to require
278
00:10:17,040 –> 00:10:19,360
phishing resistant MFA for admin portals,
279
00:10:19,360 –> 00:10:22,120
data export, e-discovery and payment approvals.
280
00:10:22,120 –> 00:10:24,640
Third, bind sessions to more than just a user.
281
00:10:24,640 –> 00:10:26,840
Consider device trust and risk signals,
282
00:10:26,840 –> 00:10:28,600
so stolen tokens don’t travel well.
283
00:10:28,600 –> 00:10:31,440
Let me show you exactly how to build that high sensitivity lane.
284
00:10:31,440 –> 00:10:33,880
Create an authentication context named high sensitivity.
285
00:10:33,880 –> 00:10:36,640
Configure a policy that when this context is required,
286
00:10:36,640 –> 00:10:39,040
demands a phishing resistant authentication strength
287
00:10:39,040 –> 00:10:41,680
and a compliant or hybrid joint device.
288
00:10:41,680 –> 00:10:44,320
Enable continuous access evaluation for the apps
289
00:10:44,320 –> 00:10:46,880
tied to that context and set a short sign-in frequency
290
00:10:46,880 –> 00:10:47,920
hours not days.
291
00:10:47,920 –> 00:10:50,040
Then, tag admin portals and critical apps
292
00:10:50,040 –> 00:10:51,440
to require that context.
293
00:10:51,440 –> 00:10:53,480
The result, an attacker holding a token
294
00:10:53,480 –> 00:10:55,320
from an unmanaged browser can’t reuse it
295
00:10:55,320 –> 00:10:56,840
to touch admin endpoints.
296
00:10:56,840 –> 00:10:59,640
And even if they land a user session, it ages quickly.
297
00:10:59,640 –> 00:11:01,360
A quick win you can do today.
298
00:11:01,360 –> 00:11:04,080
Review, remember MFA or persistent browser settings
299
00:11:04,080 –> 00:11:04,840
for your tenant.
300
00:11:04,840 –> 00:11:06,920
If it’s broad and long, that’s a quiet invitation
301
00:11:06,920 –> 00:11:08,200
to token comfort.
302
00:11:08,200 –> 00:11:10,600
Tighten it for sensitive apps while leaving user-friendly
303
00:11:10,600 –> 00:11:12,320
defaults for low-risk tools.
304
00:11:12,320 –> 00:11:14,120
It’s a karma boundary, not a punishment.
305
00:11:14,120 –> 00:11:15,640
Now here’s where most people mess up.
306
00:11:15,640 –> 00:11:18,280
They enable strong auth once, feel safe,
307
00:11:18,280 –> 00:11:21,400
and forget to scope it to the places that matter most.
308
00:11:21,400 –> 00:11:23,160
Or they ignore token binding entirely,
309
00:11:23,160 –> 00:11:25,280
letting a refreshed token row between devices
310
00:11:25,280 –> 00:11:27,040
and networks without consequence.
311
00:11:27,040 –> 00:11:29,400
Or they fail to react to risk high signals,
312
00:11:29,400 –> 00:11:31,160
letting sessions live through a storm.
313
00:11:31,160 –> 00:11:33,280
Those choices don’t feel risky in the moment.
314
00:11:33,280 –> 00:11:35,200
They feel convenient, but they teach your system
315
00:11:35,200 –> 00:11:36,920
to trust a memory, not the present.
316
00:11:36,920 –> 00:11:38,440
Let’s walk the logs together.
317
00:11:38,440 –> 00:11:41,080
In enter sign-in logs add conditional access result,
318
00:11:41,080 –> 00:11:42,680
policy name and details.
319
00:11:42,680 –> 00:11:44,760
Add session lifetime or token information fields
320
00:11:44,760 –> 00:11:47,280
if available plus IP and device info.
321
00:11:47,280 –> 00:11:50,320
You’re looking for reuse patterns, same user,
322
00:11:50,320 –> 00:11:53,480
multiple IPs, short intervals, audit device claims,
323
00:11:53,480 –> 00:11:56,000
filter for sign-ins that succeeded without a CA decision
324
00:11:56,000 –> 00:11:57,520
on apps that should be protected.
325
00:11:57,520 –> 00:12:00,200
Check the CA decision and authentication requirements fields
326
00:12:00,200 –> 00:12:01,400
for sensitive apps.
327
00:12:01,400 –> 00:12:03,640
Do they show strong auth and a recent sign-in
328
00:12:03,640 –> 00:12:05,520
or did a long session slip through?
329
00:12:05,520 –> 00:12:08,040
If you spot repeated access from an unmanaged device
330
00:12:08,040 –> 00:12:10,320
to an admin portal, that’s a sign you haven’t required
331
00:12:10,320 –> 00:12:12,400
the right authentication context there.
332
00:12:12,400 –> 00:12:14,440
A micro story, a team saw export spikes
333
00:12:14,440 –> 00:12:17,840
from a finance app at 2am, same user, different IPs,
334
00:12:17,840 –> 00:12:19,760
same browser string, no MFA prompts
335
00:12:19,760 –> 00:12:21,280
because the session was warm.
336
00:12:21,280 –> 00:12:23,080
They added a high sensitivity context,
337
00:12:23,080 –> 00:12:25,840
set sign-in frequency to four hours, enabled CAE,
338
00:12:25,840 –> 00:12:29,200
and required phishing resistant auth plus compliant device.
339
00:12:29,200 –> 00:12:30,800
The next night, the same pattern hit.
340
00:12:30,800 –> 00:12:32,600
This time, the session re-challenged
341
00:12:32,600 –> 00:12:34,520
and failed on device requirement.
342
00:12:34,520 –> 00:12:35,480
The app slept well.
343
00:12:35,480 –> 00:12:37,040
The reason this works is simple,
344
00:12:37,040 –> 00:12:38,720
we stopped trusting yesterday’s proof.
345
00:12:38,720 –> 00:12:40,520
We asked the session to stay present
346
00:12:40,520 –> 00:12:42,920
on a healthy device with strong credentials
347
00:12:42,920 –> 00:12:44,600
and to respond when risk changes.
348
00:12:44,600 –> 00:12:46,080
That’s not cruelty, that’s care.
349
00:12:46,080 –> 00:12:47,920
And your conditional access can finally exhale
350
00:12:47,920 –> 00:12:49,440
because it knows how to end a relationship
351
00:12:49,440 –> 00:12:52,440
that’s no longer safe and build the calming baseline.
352
00:12:52,440 –> 00:12:54,640
Policies that set healthy boundaries.
353
00:12:54,640 –> 00:12:57,720
Your policy engine needs a simpler home, fewer rules,
354
00:12:57,720 –> 00:12:58,960
clearer lanes.
355
00:12:58,960 –> 00:13:00,920
Blocked by default lowers its anxiety
356
00:13:00,920 –> 00:13:02,560
because every sign in is covered
357
00:13:02,560 –> 00:13:05,240
and there are no quiet gaps that whisper maybe.
358
00:13:05,240 –> 00:13:07,200
We’re going to build five inclusive policies
359
00:13:07,200 –> 00:13:08,080
that work together.
360
00:13:08,080 –> 00:13:10,160
They’re broad on scope, strict on exceptions,
361
00:13:10,160 –> 00:13:11,520
and easy to read in the logs.
362
00:13:11,520 –> 00:13:13,600
And we’ll rely on authentication context
363
00:13:13,600 –> 00:13:16,640
for rare bypasses, not permanent exclusions.
364
00:13:16,640 –> 00:13:18,440
With clearer boundaries, conditional access
365
00:13:18,440 –> 00:13:19,840
can find its rhythm again.
366
00:13:19,840 –> 00:13:21,840
Start with the anchor, all users MFA.
367
00:13:21,840 –> 00:13:23,880
Scope it to all users, all cloud apps,
368
00:13:23,880 –> 00:13:26,080
exclude only your emergency access accounts,
369
00:13:26,080 –> 00:13:27,400
use authentication strength
370
00:13:27,400 –> 00:13:29,320
so you can evolve from classic MFA
371
00:13:29,320 –> 00:13:30,880
to phishing resistant credentials
372
00:13:30,880 –> 00:13:32,600
without rewriting everything.
373
00:13:32,600 –> 00:13:35,560
Grant access with require multi factor authentication
374
00:13:35,560 –> 00:13:37,120
and prefer a defined strength
375
00:13:37,120 –> 00:13:38,840
like phishing resistant, where supported
376
00:13:38,840 –> 00:13:40,680
while allowing a practical baseline strength
377
00:13:40,680 –> 00:13:42,240
for general apps.
378
00:13:42,240 –> 00:13:44,320
Add session controls with sign-in frequency
379
00:13:44,320 –> 00:13:47,360
that fits your environment, shorter for sensitive workloads,
380
00:13:47,360 –> 00:13:48,840
reasonable for collaboration.
381
00:13:48,840 –> 00:13:52,160
This gives universal coverage and a predictable prompt story.
382
00:13:52,160 –> 00:13:54,600
The second lane is unmanaged device step-up.
383
00:13:54,600 –> 00:13:57,520
Same inclusive scope, all users, all cloud apps,
384
00:13:57,520 –> 00:13:59,600
but target devices by state.
385
00:13:59,600 –> 00:14:01,760
Use filters for devices to catch registered
386
00:14:01,760 –> 00:14:03,600
or not compliant or unknown.
387
00:14:03,600 –> 00:14:04,960
Don’t hardblock by default.
388
00:14:04,960 –> 00:14:07,360
Grant access if the user meets a higher authentication
389
00:14:07,360 –> 00:14:08,800
strength and apply session limits
390
00:14:08,800 –> 00:14:10,240
and app enforced restrictions.
391
00:14:10,240 –> 00:14:12,000
Disable persistent browser sessions here
392
00:14:12,000 –> 00:14:14,360
and reduced token lifetimes for these parts.
393
00:14:14,360 –> 00:14:16,640
This keeps personal devices at a respectful distance
394
00:14:16,640 –> 00:14:19,160
without pushing people into risky exclusions.
395
00:14:19,160 –> 00:14:20,800
Third, admin strong auth only.
396
00:14:20,800 –> 00:14:23,440
Scope to privileged, role members and admin portals
397
00:14:23,440 –> 00:14:25,280
require phishing resistant strength
398
00:14:25,280 –> 00:14:28,400
and either a compliant or hybrid joint device.
399
00:14:28,400 –> 00:14:31,520
Add sign-in frequency that’s measured in hours, not days
400
00:14:31,520 –> 00:14:34,120
and ensure continuous access evaluation is effective
401
00:14:34,120 –> 00:14:37,520
for these services, no exceptions, no location carve outs,
402
00:14:37,520 –> 00:14:39,440
no remember me.
403
00:14:39,440 –> 00:14:41,200
This is where you set the firmest boundary.
404
00:14:41,200 –> 00:14:43,160
If an admin session can’t prove device health
405
00:14:43,160 –> 00:14:45,920
and strong credentials, it waits outside.
406
00:14:45,920 –> 00:14:47,960
Fourth, emergency minimal context.
407
00:14:47,960 –> 00:14:50,000
This is your safety valve, not a side door.
408
00:14:50,000 –> 00:14:53,080
Create an authentication context named emergency bypass.
409
00:14:53,080 –> 00:14:54,720
The policy that enforces it requires
410
00:14:54,720 –> 00:14:57,200
MFA at a minimum, records device risk
411
00:14:57,200 –> 00:14:58,800
and shortened session to one hour.
412
00:14:58,800 –> 00:15:02,200
You’ll never exclude users or locations to help in a crisis.
413
00:15:02,200 –> 00:15:04,160
You’ll require them to present this context,
414
00:15:04,160 –> 00:15:06,920
which they can only obtain with approval and a change record.
415
00:15:06,920 –> 00:15:08,040
Every use is auditable.
416
00:15:08,040 –> 00:15:10,240
The boundary bends briefly then straightens.
417
00:15:10,240 –> 00:15:12,400
Fifth, token hygiene and CAE.
418
00:15:12,400 –> 00:15:15,080
Apply a policy set that standardizes sign-in frequency
419
00:15:15,080 –> 00:15:17,000
across critical apps and enables re-oothed
420
00:15:17,000 –> 00:15:18,360
when risk changes.
421
00:15:18,360 –> 00:15:20,320
Pair this with targeted sign-in frequency
422
00:15:20,320 –> 00:15:23,640
for data export systems, finance, HR and admin portals.
423
00:15:23,640 –> 00:15:25,920
Where supported, rely on continuous access evaluation,
424
00:15:25,920 –> 00:15:27,760
so password resets, token revocations
425
00:15:27,760 –> 00:15:29,400
and risk changes cut sessions short.
426
00:15:29,400 –> 00:15:31,880
This policy family keeps sessions present.
427
00:15:31,880 –> 00:15:33,440
It asks them to check in regularly,
428
00:15:33,440 –> 00:15:36,360
so a stolen token doesn’t become a week-long roommate.
429
00:15:36,360 –> 00:15:39,080
Let’s talk implementation flow so the set stays calm.
430
00:15:39,080 –> 00:15:40,880
Template each policy with inclusive scopes
431
00:15:40,880 –> 00:15:42,480
and minimal interdependence.
432
00:15:42,480 –> 00:15:44,800
Prioritize evaluation order by clarity.
433
00:15:44,800 –> 00:15:47,400
Universal MFA first, then device step-up,
434
00:15:47,400 –> 00:15:50,360
then admin controls, then context, then hygiene.
435
00:15:50,360 –> 00:15:52,760
You’re not scripting order, you’re reducing overlap,
436
00:15:52,760 –> 00:15:54,600
so the combined result is obvious.
437
00:15:54,600 –> 00:15:57,720
In policy descriptions, write the intent in plain language.
438
00:15:57,720 –> 00:16:00,320
Baseline MFA for every user and app.
439
00:16:00,320 –> 00:16:03,040
Step-up for unmanaged devices, admins must use
440
00:16:03,040 –> 00:16:05,200
strong auth and managed devices on a sunny day.
441
00:16:05,200 –> 00:16:07,080
Your future self will thank you in the logs.
442
00:16:07,080 –> 00:16:09,280
Here’s a quick win that feels great immediately.
443
00:16:09,280 –> 00:16:13,160
Create the all-cloud apps, require MFA baseline with strengths.
444
00:16:13,160 –> 00:16:14,480
Deploy in report only for a week
445
00:16:14,480 –> 00:16:16,720
while you shadow it with the unmanaged device step-up policy
446
00:16:16,720 –> 00:16:17,760
also report only.
447
00:16:17,760 –> 00:16:21,720
Watch sign-ins move from not applied to MFA would be required
448
00:16:21,720 –> 00:16:24,560
and stronger auth would be required on BYOD.
449
00:16:24,560 –> 00:16:26,720
Fix the noisy edge cases then enforce.
450
00:16:26,720 –> 00:16:28,840
You’ll see coverage jump without chaos.
451
00:16:28,840 –> 00:16:30,160
Now, the mistakes to avoid.
452
00:16:30,160 –> 00:16:32,800
Don’t overlap apps scopes in ways that fight.
453
00:16:32,800 –> 00:16:36,400
All-cloud apps plus specific admin portals is fine,
454
00:16:36,400 –> 00:16:39,040
but two different all-cloud apps with conflicting grants
455
00:16:39,040 –> 00:16:40,520
will produce odd results.
456
00:16:40,520 –> 00:16:43,920
Don’t mix user exclusions with context-based exceptions.
457
00:16:43,920 –> 00:16:46,640
Pick context so the audit trail is clean.
458
00:16:46,640 –> 00:16:49,400
Don’t forget service accounts and workload identities.
459
00:16:49,400 –> 00:16:52,280
Give them dedicated policies that require managed identities
460
00:16:52,280 –> 00:16:53,680
or certificate-based flows
461
00:16:53,680 –> 00:16:56,480
and explicitly block interactive sign-in for them.
462
00:16:56,480 –> 00:16:58,040
Before and after matters.
463
00:16:58,040 –> 00:17:01,120
Before 10 narrow policies each with their own include groups
464
00:17:01,120 –> 00:17:03,960
and long exclude lists, inconsistent grant controls
465
00:17:03,960 –> 00:17:05,120
and special locations.
466
00:17:05,120 –> 00:17:08,440
After five larger policies with inclusive scopes,
467
00:17:08,440 –> 00:17:11,120
no permanent exclusions and one place,
468
00:17:11,120 –> 00:17:13,920
authentication context for controlled bypass,
469
00:17:13,920 –> 00:17:16,320
the engine stops juggling and starts protecting.
470
00:17:16,320 –> 00:17:18,000
The log stop whispering not applied
471
00:17:18,000 –> 00:17:20,920
and starts stating MFA required, strong auth required
472
00:17:20,920 –> 00:17:22,320
or blocked until healthier.
473
00:17:22,320 –> 00:17:24,720
Monitoring hooks keep this baseline peaceful.
474
00:17:24,720 –> 00:17:25,960
Track two, KPIs.
475
00:17:25,960 –> 00:17:28,440
Percentage of sign-ins covered by any conditional access
476
00:17:28,440 –> 00:17:31,320
decision and percentage that met MFA or your defined strengths,
477
00:17:31,320 –> 00:17:35,720
target at least 99% coverage and 98% MFA were applicable.
478
00:17:35,720 –> 00:17:39,000
When coverage dips, you’ll know a scope changed or an app escaped.
479
00:17:39,000 –> 00:17:41,160
When MFA drops, you’ll see where stronger auth
480
00:17:41,160 –> 00:17:43,200
isn’t being required as intended.
481
00:17:43,200 –> 00:17:45,040
Tie this baseline to your change process.
482
00:17:45,040 –> 00:17:48,440
Any change to a policy, its scope or its exclusion list demands
483
00:17:48,440 –> 00:17:50,520
a ticket and owner and an expiry.
484
00:17:50,520 –> 00:17:53,520
Authentication context grants need the same care,
485
00:17:53,520 –> 00:17:56,920
who asked, who approved, why and when it ends.
486
00:17:56,920 –> 00:17:58,760
And built-in alert for exclusion list changes
487
00:17:58,760 –> 00:18:00,920
so you hear the moment a boundary moves.
488
00:18:00,920 –> 00:18:03,880
With gentle discipline, your conditional access will feel heard,
489
00:18:03,880 –> 00:18:06,520
supported and ready for the next rollout.
490
00:18:06,520 –> 00:18:10,960
Unsafe rollout, test plan, report only and rollback checklists.
491
00:18:10,960 –> 00:18:13,840
Change scares identity, sudden enforcement spikes cortisol,
492
00:18:13,840 –> 00:18:16,440
so we coach conditional access through rehearsal first,
493
00:18:16,440 –> 00:18:18,680
then performance report only is rehearsal,
494
00:18:18,680 –> 00:18:21,880
no harm for learning, here’s the plan, three waves, one rhythm.
495
00:18:21,880 –> 00:18:25,600
Wave one, admins and admin portals, wave two, high-risk apps and rolls,
496
00:18:25,600 –> 00:18:26,480
wave three.
497
00:18:26,480 –> 00:18:29,440
Everyone, all apps, each wave spends a week in report only,
498
00:18:29,440 –> 00:18:31,600
then enforces once the noise is quiet.
499
00:18:31,600 –> 00:18:34,880
And boundaries are a gift, so we keep a rollback ready at every step.
500
00:18:34,880 –> 00:18:36,400
Start by shadowing your baseline.
501
00:18:36,400 –> 00:18:39,080
Duplicate each policy you built and set it to report only.
502
00:18:39,080 –> 00:18:42,440
Scope is inclusive, exclude only emergency access.
503
00:18:42,440 –> 00:18:45,720
In descriptions, write shadow baseline report only,
504
00:18:45,720 –> 00:18:47,920
so ops can see its intent in the logs.
505
00:18:47,920 –> 00:18:50,600
Now with patience, let it watch traffic for seven days.
506
00:18:50,600 –> 00:18:53,000
You’re listening for stress points, not perfection.
507
00:18:53,000 –> 00:18:56,000
Use the what if tool to pre-flight edge cases.
508
00:18:56,000 –> 00:18:59,240
Pick a test user, device state, location and the app.
509
00:18:59,240 –> 00:19:02,760
Validate the expected grant controls and session rules.
510
00:19:02,760 –> 00:19:07,200
If the what if says MFA required, but sign-in logs show not applied,
511
00:19:07,200 –> 00:19:09,040
you found a scope mismatch.
512
00:19:09,040 –> 00:19:10,240
Fix that before you move.
513
00:19:10,240 –> 00:19:11,720
Now read the room through logs.
514
00:19:11,720 –> 00:19:13,160
Open sign-in logs.
515
00:19:13,160 –> 00:19:17,280
Add conditional access result, policy name applied, not applied and grant controls.
516
00:19:17,280 –> 00:19:20,160
For report only policies, look at report only would have decisions.
517
00:19:20,160 –> 00:19:24,240
You want to see MFA would be required, strong auth would be required,
518
00:19:24,240 –> 00:19:26,800
and minimal unexpected block would be applied.
519
00:19:26,800 –> 00:19:31,040
Investigate any surge in block for service principles or legacy flows.
520
00:19:31,040 –> 00:19:33,840
Those need their own policies or migration plans.
521
00:19:33,840 –> 00:19:35,720
Before you enforce, stage comes.
522
00:19:35,720 –> 00:19:38,760
Tell admins what will change, how strong auth feels and where to get help.
523
00:19:38,760 –> 00:19:40,880
Share the emergency context process.
524
00:19:40,880 –> 00:19:42,480
Calm voices lower friction.
525
00:19:42,480 –> 00:19:45,280
Enforced wave 1 on a weekday morning with support on standby,
526
00:19:45,280 –> 00:19:48,640
flip admin strong auth and token hygiene from report only to own.
527
00:19:48,640 –> 00:19:49,800
Keep the others shadowing.
528
00:19:49,800 –> 00:19:51,960
Watch for entra errors, bikes and ticket volume.
529
00:19:51,960 –> 00:19:56,760
If failure rates climb beyond your agreed threshold, pause, diagnose or rollback.
530
00:19:56,760 –> 00:19:58,360
Your rollback is simple and kind.
531
00:19:58,360 –> 00:20:01,680
Pre-approved toggles to revert policies to report only.
532
00:20:01,680 –> 00:20:03,760
Document the exact settings you’d restore.
533
00:20:03,760 –> 00:20:06,240
Keep the emergency bypass context live and tested.
534
00:20:06,240 –> 00:20:10,960
Maintain a change ticket per policy with owner and timestamp so you can unwind confidently.
535
00:20:10,960 –> 00:20:12,600
Wave 2 brings high risk apps.
536
00:20:12,600 –> 00:20:17,040
Attach the high sensitivity context to finance, HRE discovery and export paths.
537
00:20:17,040 –> 00:20:20,080
Again, a week of report only, then enforce.
538
00:20:20,080 –> 00:20:24,840
Confirm that unmanaged devices hit step up and that CE-driven re-auth events behave.
539
00:20:24,840 –> 00:20:26,360
Wave 3 is everyone.
540
00:20:26,360 –> 00:20:29,480
Turn on all users, MFA and unmanaged device step up.
541
00:20:29,480 –> 00:20:33,080
Validate that coverage rises and failure rates stay stable.
542
00:20:33,080 –> 00:20:33,720
Then breathe.
543
00:20:33,720 –> 00:20:34,640
You didn’t force it.
544
00:20:34,640 –> 00:20:40,440
You let conditional access find its rhythm with rehearsal, permission and a safety net.
545
00:20:40,440 –> 00:20:41,520
Watchful piece.
546
00:20:41,520 –> 00:20:43,480
Monitoring and alerts that actually help.
547
00:20:43,480 –> 00:20:46,160
Once live, your conditional access needs steady feedback.
548
00:20:46,160 –> 00:20:47,440
Not noise, not panic.
549
00:20:47,440 –> 00:20:51,360
A calm heartbeat that tells you it’s present, it’s protecting and where it needs care.
550
00:20:51,360 –> 00:20:56,280
We’ll set up three signals and a weekly rhythm that keeps trust intact without burning anyone out.
551
00:20:56,280 –> 00:20:59,600
The thing most people miss is that coverage is your north star.
552
00:20:59,600 –> 00:21:04,280
If a sign isn’t touched by any CA policy, it’s living outside the boundaries you just set.
553
00:21:04,280 –> 00:21:06,160
So we start with two simple KPIs.
554
00:21:06,160 –> 00:21:07,320
Coverage and strength.
555
00:21:07,320 –> 00:21:11,560
Coverage is the percentage of interactive sign-ins with any conditional access decision.
556
00:21:11,560 –> 00:21:15,880
Strength is the percentage of those sign-ins that satisfy MFA or your defined authentication
557
00:21:15,880 –> 00:21:16,880
strength.
558
00:21:16,880 –> 00:21:18,760
If you remember nothing else, remember this.
559
00:21:18,760 –> 00:21:19,760
Track both.
560
00:21:19,760 –> 00:21:21,960
High coverage without strength is comfort theater.
561
00:21:21,960 –> 00:21:24,160
High strength without coverage is selective care.
562
00:21:24,160 –> 00:21:26,760
Let’s help it find its rhythm with practical queries.
563
00:21:26,760 –> 00:21:31,480
In your sign-in logs, add columns for conditional access result, policy name and authentication
564
00:21:31,480 –> 00:21:32,480
requirements.
565
00:21:32,480 –> 00:21:37,040
A saved view that counts sign-ins by day where CA decision is present versus not applied.
566
00:21:37,040 –> 00:21:38,320
That’s your coverage line.
567
00:21:38,320 –> 00:21:42,320
Create a second view that counts sign-ins where MFA or your chosen strength was required
568
00:21:42,320 –> 00:21:43,320
and satisfied.
569
00:21:43,320 –> 00:21:44,560
That’s your strength line.
570
00:21:44,560 –> 00:21:47,040
Keep both lines visible on a simple dashboard.
571
00:21:47,040 –> 00:21:48,960
The goal is boring consistency.
572
00:21:48,960 –> 00:21:53,080
Coverage add or above 99% strength add or above 98% where applicable.
573
00:21:53,080 –> 00:21:55,040
Now the three alerts that actually help.
574
00:21:55,040 –> 00:21:56,640
First a coverage drop alert.
575
00:21:56,640 –> 00:22:01,080
If coverage dips below your threshold for any 30-minute window, you get a nudge.
576
00:22:01,080 –> 00:22:02,080
First a siren.
577
00:22:02,080 –> 00:22:07,240
A nudge to check whether a scope changed a new app onboarded without CA or a policy was disabled.
578
00:22:07,240 –> 00:22:09,040
Second an exclusion growth alert.
579
00:22:09,040 –> 00:22:14,240
Whenever any CA policies exclusion list changes, user group application you get a change notification
580
00:22:14,240 –> 00:22:16,080
with who edited it and what changed.
581
00:22:16,080 –> 00:22:17,080
That’s not about blame.
582
00:22:17,080 –> 00:22:18,080
It’s about awareness.
583
00:22:18,080 –> 00:22:19,080
Boundaries moved.
584
00:22:19,080 –> 00:22:20,080
Let’s see why.
585
00:22:20,080 –> 00:22:22,080
Third high risk sign-ins with not applied.
586
00:22:22,080 –> 00:22:25,960
If any high risk sign-in lands without a CA decision, raise a flag.
587
00:22:25,960 –> 00:22:29,560
That means risk saw something but your boundaries didn’t show up to help.
588
00:22:29,560 –> 00:22:31,320
When is the shortcut nobody teaches?
589
00:22:31,320 –> 00:22:33,640
Tie these alerts to owners, not inboxes.
590
00:22:33,640 –> 00:22:36,520
Each policy and each KPI has a name steward.
591
00:22:36,520 –> 00:22:38,640
When coverage dips an owner checks scope.
592
00:22:38,640 –> 00:22:41,680
When exclusions change an owner confirms expiry and purpose.
593
00:22:41,680 –> 00:22:46,320
When high risk bypasses appear an owner validates that the right apps require the right context.
594
00:22:46,320 –> 00:22:47,320
You’re not just watching.
595
00:22:47,320 –> 00:22:48,320
You’re caring with intention.
596
00:22:48,320 –> 00:22:51,120
Let me show you exactly how to read the bypasses.
597
00:22:51,120 –> 00:22:55,400
Build a saved filter for sign-ins where conditional access result equals not applied.
598
00:22:55,400 –> 00:22:58,280
Add app, user client app and location.
599
00:22:58,280 –> 00:22:59,280
Sort by count.
600
00:22:59,280 –> 00:23:01,040
You’re looking for clusters that shouldn’t exist.
601
00:23:01,040 –> 00:23:04,240
A service principle signing in interactively, that’s a misscoped identity.
602
00:23:04,240 –> 00:23:08,120
A legacy protocol touching a protected app, that’s a migration task.
603
00:23:08,120 –> 00:23:11,760
A guest user hitting an internal app with no CA decision.
604
00:23:11,760 –> 00:23:16,760
That app likely missed all cloud apps or sits under a different publisher and needs tagging.
605
00:23:16,760 –> 00:23:18,680
This filter is your quiet detective.
606
00:23:18,680 –> 00:23:19,960
A quick win you can do today.
607
00:23:19,960 –> 00:23:24,200
Turn on and alert for any policy moving from enable to report only or to disabled and
608
00:23:24,200 –> 00:23:26,760
for any change to the all-user scope.
609
00:23:26,760 –> 00:23:28,880
These two movements cause most surprises.
610
00:23:28,880 –> 00:23:34,440
I’ve prepared that with a daily digest listing top 10 apps by not applied sign-ins and top 10 users by MFA not satisfied.
611
00:23:34,440 –> 00:23:35,720
It’s not a wall of data.
612
00:23:35,720 –> 00:23:37,200
It’s a morning check-in.
613
00:23:37,200 –> 00:23:38,560
Now here’s where most people mess up.
614
00:23:38,560 –> 00:23:41,920
They set thresholds so tight that every blip becomes an alarm.
615
00:23:41,920 –> 00:23:46,760
Or they ignore service principles and non-interactive flows, even though those identities hold powerful keys.
616
00:23:46,760 –> 00:23:49,840
Or they never review the report only would have lines.
617
00:23:49,840 –> 00:23:52,440
So there are shadow policies drift from reality.
618
00:23:52,440 –> 00:23:54,320
We want to avoid learned helplessness.
619
00:23:54,320 –> 00:23:56,680
If the system cries wolf people stop listening.
620
00:23:56,680 –> 00:23:58,800
Keep alert scarce, specific and owned.
621
00:23:58,800 –> 00:24:01,160
Let’s anchor with the KPI board you’ll actually use.
622
00:24:01,160 –> 00:24:05,080
Top row, coverage percentage, strength percentage and exclusions count trend.
623
00:24:05,080 –> 00:24:06,720
Info flatlines at healthy levels.
624
00:24:06,720 –> 00:24:13,240
Second row, top bypassing apps, top bypassing locations and changes in CA policy scopes over the last seven days.
625
00:24:13,240 –> 00:24:18,760
Third row, high risk sign-ins without CA decision and admin sign-ins that lack strong auth.
626
00:24:18,760 –> 00:24:19,920
Review weekly.
627
00:24:19,920 –> 00:24:22,120
Investigate deviations within 24 hours.
628
00:24:22,120 –> 00:24:23,960
Not with blame with curiosity.
629
00:24:23,960 –> 00:24:26,360
Why did coverage dip yesterday at noon?
630
00:24:26,360 –> 00:24:27,560
Maybe a new app launched.
631
00:24:27,560 –> 00:24:28,080
Great.
632
00:24:28,080 –> 00:24:31,120
Tag it, bring it under all cloud apps, confirm the right context.
633
00:24:31,120 –> 00:24:32,760
Close the loop with change management.
634
00:24:32,760 –> 00:24:38,280
Every policy edit requires an owner, a reason and an expiry when it’s a temporary exception.
635
00:24:38,280 –> 00:24:41,040
Your exclusion growth alert isn’t just a notification.
636
00:24:41,040 –> 00:24:43,840
It’s a prompt to add that expiry and book a review.
637
00:24:43,840 –> 00:24:45,800
Your coverage drop alert isn’t a failure.
638
00:24:45,800 –> 00:24:47,960
It’s the system asking for alignment.
639
00:24:47,960 –> 00:24:51,360
This is how you keep conditional access in therapy, not triage.
640
00:24:51,360 –> 00:24:53,560
It gets to be transparent, consistent and hurt.
641
00:24:53,560 –> 00:24:54,720
And boundaries are a gift.
642
00:24:54,720 –> 00:24:57,000
With gentle monitoring, you’re not micromanaging.
643
00:24:57,000 –> 00:25:00,720
You’re holding a steady container so CA can keep doing the quiet work protecting everyone
644
00:25:00,720 –> 00:25:02,800
all day without drama.
645
00:25:02,800 –> 00:25:04,120
Here’s the takeaway.
646
00:25:04,120 –> 00:25:06,040
Your conditional access wasn’t broken.
647
00:25:06,040 –> 00:25:08,360
It was trusting without boundaries.
648
00:25:08,360 –> 00:25:12,560
Inclusive scopes, time-bound contexts and steady monitoring restore its balance.
649
00:25:12,560 –> 00:25:17,160
If this helped, try the baseline template, shadow it in report only for seven days and
650
00:25:17,160 –> 00:25:20,120
wire the three alerts so changes never go silent.
651
00:25:20,120 –> 00:25:24,560
Subscribe and watch the next episode on authentication context patterns and token binding hardening.
