
Do your Conditional Access policies actually protect you?

Conditional Access is often the most consequential identity control in a Microsoft environment. Policies that look correct can contain exclusions or control gaps that leave accounts exposed.

Conditional Access Policy Review

Are your Conditional Access policies working as intended?

Conditional Access is your primary Zero Trust policy engine, yet most organisations underestimate its complexity. What starts as a handful of policies quickly grows into a layered set of rules, exclusions, and dependencies that interact in ways that are difficult to predict. Without deliberate structure, policies can conflict, leave gaps, or be bypassed entirely. We review your Conditional Access configuration and report on its current state, identifying where your defence in depth is holding and where it is not. For organisations that want to go further, our Conditional Access Policy testing toolkit can simulate identity, device, and network signals to validate your policies end-to-end.

The gold standard

What a well-architected CA framework looks like

Every review is measured against what we consider the gold standard for Conditional Access. These are the principles we aim to achieve for every organisation.

Enables the business, never blocks it

A well-architected CA framework provides consistent, predictable access controls that users barely notice. Policies are structured so that secure access is the default path, not something that gets in the way. No ad-hoc exceptions, no frustrated users creating shadow IT workarounds.

Every vector is covered

Defence in depth means no single gap can compromise the chain. A gold standard framework addresses OAuth flows, Microsoft authentication methods, device trust, and Intune compliance together. Identity, device, application, and network signals all feed into policy decisions so that no access path is left unprotected.

Structured, measurable, and repeatable

Policies are organised around Zero Trust principles with clear naming, consistent logic, and documented rationale. New applications, user populations, and requirements slot into the existing framework without creating one-off exceptions. The framework is measurable against NIST, Essential Eight, ISM, and SOCI and auditable at any point.

Industry Research

78% of Conditional Access environments we review have at least one critical misconfiguration in exclusion group management.

Scope of review

What we review

A technical review that goes beyond policy count to coverage, enforcement, and risk.

  • Policy coverage across all user populations (members, guests, external users, service accounts)
  • Exclusion groups (a common and underestimated attack vector)
  • Device identity and compliance posture (managed devices, hybrid join, Intune compliance)
  • Edge device and shared device challenges (Surface Hubs, Teams Phones, Microsoft Defender App, Azure AVDs)
  • Lateral movement analysis across identity and device trust boundaries
  • Identity at the perimeter (how Conditional Access enforces Zero Trust at every access point)
  • Sign-in risk and user risk policy configuration
  • MFA strength requirements and authentication method policy
  • Named locations and trusted IP configuration
  • Break-glass account access and emergency access design
  • Report-only vs enforcement mode (many policies left in report-only indefinitely)
  • Session controls (token lifetime, sign-in frequency, persistent browser)

The exclusion problem

Exclusion groups in Conditional Access policies are a significant security risk. Groups grow over time, often without regular review. Accounts accumulate in exclusion groups for troubleshooting reasons and are never removed.

An attacker who compromises an account in an exclusion group bypasses the policies that group is excluded from, regardless of how well those policies are otherwise configured. We review every exclusion group in every policy and assess the risk of each exclusion.
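As an added example (not the review toolkit described on this page), the check below takes a constructed export of policies in the Microsoft Graph conditionalAccessPolicy shape plus constructed group membership, and computes which accounts are excluded from every enabled policy that enforces a given control, and which policies are still report-only. It assumes every policy targets all users and apps; location, platform and app conditions are not modelled, so its output is the minimum exposure.

```python
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample export in the Graph conditionalAccessPolicy shape (not a real tenant).
POLICIES = [
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-breakglass", "g-mfa-troubleshoot"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "CA002 Require MFA outside trusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-breakglass"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "CA003 Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-mfa-troubleshoot", "g-kiosk"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "CA004 Block legacy authentication", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["block"]}},
]
# Constructed membership (group id -> member UPNs); in a real review this comes from the directory.
GROUP_MEMBERS = {
    "g-breakglass": ["bg-admin@example.com"],
    "g-mfa-troubleshoot": ["alice@example.com", "bob@example.com"],
    "g-kiosk": ["kiosk01@example.com"],
}

def excluded_accounts(policy, members):
    """Accounts the policy never evaluates: direct exclusions plus every exclusion-group member."""
    users = policy["conditions"]["users"]
    out = set(users.get("excludeUsers", []))
    for group in users.get("excludeGroups", []):
        out.update(members.get(group, []))
    return out

def accounts_bypassing(policies, members, control):
    """Accounts excluded from EVERY enabled policy enforcing `control`: the real bypass set.
    Returns None when no enabled policy enforces the control at all (a coverage gap, not an exclusion).
    Assumes each policy targets all users and apps; location/app conditions are not modelled."""
    enforcing = [p for p in policies if p["state"] == "enabled"
                 and control in p.get("grantControls", {}).get("builtInControls", [])]
    if not enforcing:
        return None
    return sorted(set.intersection(*(excluded_accounts(p, members) for p in enforcing)))

def report_only_policies(policies):
    """Policies that inflate the inventory but enforce nothing."""
    return [p["displayName"] for p in policies if p["state"] == REPORT_ONLY]

if __name__ == "__main__":
    for control in ("mfa", "compliantDevice", "block"):
        print(f"{control}: bypassed by {accounts_bypassing(POLICIES, GROUP_MEMBERS, control)}")
    print("report-only:", report_only_policies(POLICIES))
```

Listing exclusions per policy would flag alice and bob for MFA too; the intersection shows that only the break-glass account escapes every enforced MFA policy, which is the distinction a risk ranking needs.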

Common findings

What we commonly find

Patterns we see repeatedly across Conditional Access reviews in Australian organisations.

Overprivileged exclusions

Broad exclusion groups that bypass MFA or device compliance for entire teams, often created during initial rollout and never revisited.

Stale legacy policies

Policies created for deprecated protocols or retired applications still active and creating gaps in the overall policy set.

MFA and device trust gaps

User populations or applications where MFA is not enforced, device compliance is not required, or device registration controls are missing entirely.

Break-glass without monitoring

Emergency access accounts that exist without alerts, review cadence, or sign-in monitoring.

Overly permissive MAM policies

Mobile Application Management configurations that trust too broadly, allowing corporate data on unmanaged devices without appropriate app protection or data loss prevention controls.

Lack of controls for administrators

Privileged accounts subject to the same Conditional Access policies as standard users, or, worse, excluded from policies entirely with no additional controls for elevated access.

Deliverables

What you receive

A findings report you can act on, not a compliance checklist.

  • Complete policy inventory and documentation
  • Gap analysis against your preferred framework (NIST, ISM, ASD Essential Eight, SOCI)
  • Risk-ranked findings (Critical, High, Medium, Low)
  • Remediation recommendations for each finding
  • Reference policy framework aligned to your requirements
  • Full visibility on your current state and policy posture
  • High-level CISO briefing deck explaining your current risk
FAQ

Common questions

We need read-only access to your documentation and Microsoft Entra ID. It is important to review settings in Entra and Intune that are adjacent to your Conditional Access policies. We can request this information separately, but direct read access significantly speeds up the review. No changes are made during the engagement.

Reviews can take anywhere from two to six weeks depending on the complexity of the environment and your business requirements.

The review produces a report and recommendations. We do not make changes without a separate scoped engineering engagement. This separation keeps the review independent. If you need engineering remediation, our Secure Entra ID team can implement the recommended changes.

We map our findings to whichever framework your organisation follows. Common frameworks include NIST, the ASD Essential Eight, the ISM, and SOCI. If you have internal security standards, we can align to those as well.

Yes. We can work with your existing policies where appropriate. We will also make sure you feel comfortable with the correct way forward given the findings, so you can act on the recommendations with confidence.

It is common. Policy drift is normal in active environments. The review identifies what has drifted and what needs to be addressed.

Find out what your Conditional Access policies are actually doing

A one-week review can surface years of policy drift.
