
Do your Conditional Access policies actually protect you?

Conditional Access is often the most consequential identity control in a Microsoft environment. Policies that look correct can contain exclusions or control gaps that leave accounts exposed.

Conditional Access Policy Review

Are your Conditional Access policies working as intended?

Conditional Access is your primary Zero Trust policy engine, yet most organisations underestimate its complexity. What starts as a handful of policies quickly grows into a layered set of rules, exclusions, and dependencies that interact in ways that are difficult to predict. Without deliberate structure, policies can conflict, leave gaps, or be bypassed entirely. We review your Conditional Access configuration and report on its current state, identifying where your defence in depth is holding and where it is not. For organisations that want to go further, our Conditional Access Policy testing toolkit can simulate identity, device, and network signals to validate your policies end-to-end.

The gold standard

What a well-architected CA framework looks like

Every review is measured against what we consider the gold standard for Conditional Access. These are the principles we aim to achieve for every organisation.

Enables the business, never blocks it

A well-architected CA framework provides consistent, predictable access controls that users barely notice. Policies are structured so that secure access is the default path, not something that gets in the way. No ad-hoc exceptions, no frustrated users creating shadow IT workarounds.

Every vector is covered

Defence in depth means no single gap can compromise the chain. A gold standard framework addresses OAuth flows, Microsoft authentication methods, device trust, and Intune compliance together. Identity, device, application, and network signals all feed into policy decisions so that no access path is left unprotected.

Structured, measurable, and repeatable

Policies are organised around Zero Trust principles with clear naming, consistent logic, and documented rationale. New applications, user populations, and requirements slot into the existing framework without creating one-off exceptions. The framework is measurable against NIST, Essential Eight, ISM, and SOCI and auditable at any point.

Industry research: 78% of Conditional Access environments we review have at least one critical misconfiguration in exclusion group management.

Scope of review

What we review

A technical review that goes beyond policy count to coverage, enforcement, and risk.

  • Policy coverage across all user populations (members, guests, external users, service accounts)
  • Exclusion groups (a common and underestimated attack vector)
  • Device identity and compliance posture (managed devices, hybrid join, Intune compliance)
  • Edge device and shared device challenges (Surface Hubs, Teams Phones, Microsoft Defender App, Azure AVDs)
  • Lateral movement analysis across identity and device trust boundaries
  • Identity at the perimeter (how Conditional Access enforces Zero Trust at every access point)
  • Sign-in risk and user risk policy configuration
  • MFA strength requirements and authentication method policy
  • Named locations and trusted IP configuration
  • Break-glass account access and emergency access design
  • Report-only vs enforcement mode (many policies left in report-only indefinitely)
  • Session controls (token lifetime, sign-in frequency, persistent browser)

The exclusion problem

Exclusion groups in Conditional Access policies are a significant security risk. Groups grow over time, often without regular review. Accounts accumulate in exclusion groups for troubleshooting reasons and are never removed.

An attacker who compromises an account in an exclusion group bypasses the policies that group is excluded from, regardless of how well those policies are otherwise configured. We review every exclusion group in every policy and assess the risk of each exclusion.
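As an added example (not Modern 42's toolkit, and not Microsoft tooling), the following Python script applies three of the checks described on this page to a Conditional Access policy export: it lists policies that are not enforcing (report-only or disabled), lists every user, group and role excluded from an enforced policy together with the policies that exclusion bypasses, and flags any principal excluded from every enforced all-user MFA policy, which is an account with no MFA requirement at all. It assumes the export is in the Microsoft Graph conditionalAccessPolicy JSON shape (as returned by the /identity/conditionalAccess/policies endpoint); the four policies and all group and user identifiers in SAMPLE_EXPORT are constructed placeholders.

```python
"""Audit an exported set of Conditional Access policies for exclusion gaps."""
import json
from collections import defaultdict

# Constructed sample export in Graph conditionalAccessPolicy shape (only the
# fields this audit reads). Policy names, group ids and user ids are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "CA001 - Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"],
                              "excludeGroups": ["grp-mfa-exclusions", "grp-legacy-printers"],
                              "excludeRoles": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 - Require compliant device for Office 365", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": ["grp-mfa-exclusions", "grp-byod-pilot"],
                              "excludeRoles": []},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "CA003 - Require MFA for guests", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": [],
                              "excludeGroups": [], "excludeRoles": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA004 - Block legacy authentication", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": [], "excludeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
])


def load_policies(text):
    """Parse an export; accepts a bare list or the Graph {"value": [...]} envelope."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def requires_mfa(policy):
    """True if the policy demands MFA, via the built-in control or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def excluded_principals(users):
    """Flatten the three exclusion lists of a user condition into (kind, id) tuples."""
    out = set()
    for kind, key in (("user", "excludeUsers"), ("group", "excludeGroups"), ("role", "excludeRoles")):
        out.update((kind, ident) for ident in (users.get(key) or []))
    return out


def audit(policies):
    """Return not-enforced policies, per-principal bypass lists and MFA-unprotected principals."""
    report = {"not_enforced": [], "bypasses": defaultdict(list), "unprotected": []}
    all_user_mfa_exclusions = []  # exclusion sets of each enforced all-user MFA policy
    for policy in policies:
        state = policy.get("state")
        if state != "enabled":
            # Report-only and disabled policies protect nobody, however well written.
            report["not_enforced"].append((policy["displayName"], state))
            continue
        users = (policy.get("conditions") or {}).get("users") or {}
        excluded = excluded_principals(users)
        for principal in sorted(excluded):
            report["bypasses"][principal].append(policy["displayName"])
        if requires_mfa(policy) and "All" in (users.get("includeUsers") or []):
            all_user_mfa_exclusions.append(excluded)
    # A principal excluded from every enforced all-user MFA policy has no MFA
    # requirement anywhere; break-glass accounts will appear here by design and
    # must be covered by monitoring instead.
    if all_user_mfa_exclusions:
        report["unprotected"] = sorted(set.intersection(*all_user_mfa_exclusions))
    report["bypasses"] = dict(report["bypasses"])
    return report


if __name__ == "__main__":
    result = audit(load_policies(SAMPLE_EXPORT))
    for name, state in result["not_enforced"]:
        print(f"NOT ENFORCED   {name} (state={state})")
    for (kind, ident), names in sorted(result["bypasses"].items()):
        print(f"EXCLUSION      {kind} {ident} bypasses: {', '.join(names)}")
    for kind, ident in result["unprotected"]:
        print(f"NO MFA AT ALL  {kind} {ident}")
```

Run against a real export, the "unprotected" list is the one to review first: every entry is an account, group or role that can sign in from anywhere without MFA, and the group entries are where troubleshooting exclusions tend to accumulate. Resolving group membership to individual accounts is a separate step this script does not perform.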

Common findings

What we commonly find

Patterns we see repeatedly across Conditional Access reviews in Australian organisations.

Overprivileged exclusions

Broad exclusion groups that bypass MFA or device compliance for entire teams, often created during initial rollout and never revisited.

Stale legacy policies

Policies created for deprecated protocols or retired applications still active and creating gaps in the overall policy set.

MFA and device trust gaps

User populations or applications where MFA is not enforced, device compliance is not required, or device registration controls are missing entirely.

Break-glass without monitoring

Emergency access accounts that exist without alerts, review cadence, or sign-in monitoring.

Overly permissive MAM policies

Mobile Application Management configurations that trust too broadly, allowing corporate data on unmanaged devices without appropriate app protection or data loss prevention controls.

Lack of controls for administrators

Privileged accounts subject to the same Conditional Access policies as standard users, or worse, excluded from policies entirely with no additional controls for elevated access.
Deliverables

What you receive

A findings report you can act on, not a compliance checklist.

  • Complete policy inventory and documentation
  • Gap analysis against your preferred framework (NIST, ISM, ASD Essential Eight, SOCI)
  • Risk-ranked findings (Critical, High, Medium, Low)
  • Remediation recommendations for each finding
  • Reference policy framework aligned to your requirements
  • Full visibility on your current state and policy posture
  • High-level CISO briefing deck explaining your current risk
FAQ

Common questions

We need read-only access to your documentation and Microsoft Entra ID. It is important to review settings in Entra and Intune that are adjacent to your Conditional Access policies. We can request this information separately, but direct read access significantly speeds up the review. No changes are made during the engagement.

Reviews can take anywhere from two to six weeks depending on the complexity of the environment and your business requirements.

The review produces a report and recommendations. We do not make changes without a separate scoped engineering engagement. This separation keeps the review independent. If you need engineering remediation, our Secure Entra ID team can implement the recommended changes.

We map our findings to whichever framework your organisation follows. Common frameworks include NIST, the ASD Essential Eight, the ISM, and SOCI. If you have internal security standards, we can align to those as well.

Yes. We can work with your existing policies where appropriate. We will also make sure you feel comfortable with the correct way forward given the findings, so you can act on the recommendations with confidence.

It is common. Policy drift is normal in active environments. The review identifies what has drifted and what needs to be addressed.

Entra is the short name for Microsoft Entra — Microsoft's family of identity and network access products. The most widely used product in the Entra family is Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD), which is the cloud identity platform that manages authentication and access to Microsoft 365, Azure, and integrated applications. Conditional Access is one of the most important security controls within Entra ID — it is the policy engine that enforces Zero Trust principles by evaluating signals like user identity, device compliance, location, and risk level before granting access. Properly configured Conditional Access policies are essential to securing your Entra environment. Modern 42's Conditional Access Review assesses your existing policies for gaps, misconfigurations, and exclusion risks to ensure your Entra ID security controls are actually protecting you.

Attack Path Intelligence

See the attack path before the attacker does.

Conditional Access policies are only as strong as the assumptions they're built on. SuiteAuth doesn't just test individual signals — it chains them together to reveal the full attack path an adversary would follow to bypass your controls and reach critical resources.

The result is a visual, step-by-step breakdown of every path through your policy stack — from initial access to blast radius. Run it before and after policy changes to validate remediation with deterministic evidence, not assumptions.

Proprietary engine — built on years of Conditional Access research and real-world bypass discovery. This is the tooling behind our findings.

01. Signal Emulation

SuiteAuth reconstructs the exact combination of identity, device, network, and authentication signals your policies evaluate — replicating what an attacker would present at the gate.

02. Policy Traversal

Each Conditional Access policy is exercised against the emulated signals. SuiteAuth maps which policies grant, block, or silently fall through — exposing logic gaps no audit tool can catch.

03. Blast Radius Analysis

For every validated bypass, SuiteAuth calculates the downstream impact — which resources are reachable, what data is exposed, and how far lateral movement extends from a single policy gap.

04. Before & After Validation

Replay the same attack path after remediation. SuiteAuth gives you deterministic proof that your policy change closed the gap — evidence your board and auditors can rely on.

Microsoft Cloud Security Partner

Modern 42 is a recognised Microsoft Solutions Partner for Security with the Identity and Access Management designation. Verify on Microsoft

Let’s talk about your identity challenges

No pitch decks. No pressure. Just a straightforward conversation about where you are, where you need to be, and how we can help you get there.

  • Understand your current identity posture
  • Identify quick wins and critical gaps
  • Get actionable recommendations — no strings attached

Free 30 min discussion

No commitment required

Book a time that works for you. We’ll come prepared with initial observations about your industry and common identity challenges.
