Tenant setup 08 — Conditional Access Policies, the finale

The last three baseline policies: MFA for Azure management, MFA for guests, and forcing Microsoft apps for access to corporate data. Then ship it — but stay in Report Only until you've verified nothing breaks.

📘 Complete tenant-setup cookbook in one PDF
This article is part of the series. Full series + screenshots in one document: download PDF. (PDF is currently in Czech.)

It's been a long ride, but we're at the end of my baseline recommendations. Note the word "baseline": Conditional Access can be tuned much further than this. Today we'll cover the last three policies: enforcing MFA for Azure management (anyone managing virtual infrastructure in Azure), enforcing MFA for guests, and forcing Microsoft apps for access to corporate data.

MFA for Azure management: New policy from template → Require multifactor authentication for Azure management. Rename it, exclude the break-glass account. I also strongly recommend setting Session → Sign-in frequency to 8 hours, so that an Azure management session has to re-authenticate (including MFA) at least once per working day rather than living on a long-lived token.

MFA for guests: New policy from template, under Zero Trust select Require multifactor authentication for guest access. Exclude the break-glass account. Done.

Force Microsoft apps for O365 access: New policy from template, under Remote work select Use application enforced restrictions for O365 apps. Exclude the break-glass account. If you only want to enforce this on phones (not laptops), open the policy → Conditions → Device platforms → Include: Any device, Exclude: Windows + macOS. Caveat: this session control only does something for services that implement it (SharePoint Online and Exchange Online), and those have their own settings for limited or blocked access from unmanaged devices that must be configured as well; the Conditional Access policy alone does not restrict anything.
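The same three policies created from PowerShell instead of the portal templates, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and creates every policy in report-only state; the break-glass object ID and the policy display names are placeholders you would replace with your own. The app ID 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known Windows Azure Service Management API application, which is what "Azure management" means in the template.

```powershell
# Added example, not from the original article: the three baseline policies via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, and an account allowed to consent
# to Policy.ReadWrite.ConditionalAccess. The break-glass object ID below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$breakGlass = @("00000000-0000-0000-0000-000000000000")   # placeholder: break-glass account object ID(s)

# Every policy starts in report-only; flip to "enabled" only after checking sign-in logs.
$reportOnly = "enabledForReportingButNotEnforced"

# 1) MFA for Azure management (Windows Azure Service Management API), sign-in frequency 8 hours.
$azureMgmt = @{
    displayName = "CA-Baseline: Require MFA for Azure management"
    state       = $reportOnly
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; frequencyInterval = "timeBased"; value = 8; type = "hours" }
    }
}

# 2) MFA for guests and external users from any external tenant, all cloud apps.
$guests = @{
    displayName = "CA-Baseline: Require MFA for guest access"
    state       = $reportOnly
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser"
                externalTenants          = @{ membershipKind = "all" }
            }
            excludeUsers = $breakGlass
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3) App-enforced restrictions for Office 365, phones only: include all platforms,
#    exclude Windows and macOS. Remove the platforms block to cover laptops as well.
$o365 = @{
    displayName = "CA-Baseline: App enforced restrictions for Office 365"
    state       = $reportOnly
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @("Office365") }
        platforms    = @{ includePlatforms = @("all"); excludePlatforms = @("windows", "macOS") }
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

foreach ($p in @($azureMgmt, $guests, $o365)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Creating the policies as code has one practical advantage over clicking through templates: the break-glass exclusion is a single variable, so it cannot be forgotten on one of the three.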

Closing thoughts on Conditional Access. Definitely create a break-glass account; you'll need it. Be careful when configuring; locking yourself out is easy, and a policy that targets All users and All cloud apps without an exclusion will lock out the admin who created it. Keep policies in Report Only mode until you've validated them: check the Report-only tab in the sign-in logs for users who would have been blocked, and use the What If tool for specific accounts. From experience there's a real chance you'll break something.
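A small check to run before switching anything out of Report Only, as an added example not from the original article: it lists every Conditional Access policy with its state and whether the break-glass account is in its exclusion list. It assumes the Microsoft Graph PowerShell SDK with the Policy.Read.All scope; the break-glass object ID is a placeholder.

```powershell
# Added check, not from the original article: find policies that are already enforced
# or that forgot the break-glass exclusion. Placeholder object ID below.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$breakGlass = @("00000000-0000-0000-0000-000000000000")   # placeholder: break-glass account object ID(s)

$report = Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    $excluded = @($_.Conditions.Users.ExcludeUsers)
    $missing  = @($breakGlass | Where-Object { $_ -notin $excluded })
    [pscustomobject]@{
        Name               = $_.DisplayName
        State              = $_.State            # enabled | disabled | enabledForReportingButNotEnforced
        BreakGlassExcluded = ($missing.Count -eq 0)
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize

# The dangerous combination: already enforced and no break-glass exclusion.
$report | Where-Object { $_.State -eq "enabled" -and -not $_.BreakGlassExcluded } |
    ForEach-Object { Write-Warning "Enforced without break-glass exclusion: $($_.Name)" }
```

Run it again after every change; the warning at the end is the one line you never want to see in production.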