This site is called Conditional Access, and yet surprisingly, it has very little advice on what you should do for CA policies. I’ve stayed away from this subject on purpose; it’s very hard to “baseline” CA policies as they are very bespoke to the individual needs of a business, and nobody can ever agree on what’s best.
The word “baseline” holds a lot of weight too. Many frameworks or baselines have become inarguable rulesets for administrators everywhere, even though few of them ever set out to be used in that way.
So this isn’t a baseline, and I’m not even going to call it guidance. These are some policies I use; feel free to take some inspiration.
If you assign to static groups, you’ve made yourself a static problem. Even if it’s a dynamic group, there might be times where for whatever reason a user isn’t quite fitting the rule, and it may as well have been an “all users” assignment from the start anyway.
Note: Where a condition (network, device platform, client app, and so on) isn’t configured, the policy applies regardless of it.
In "MFA all users all resources", I'm not configuring any network or other conditions. It simply applies to all users on every possible login route.
Policy list
CA01: MFA all users all resources
Users: All users
Target Resources: All resources
Grant: Require multifactor authentication
CA02: Block Legacy Auth
Users: All users
Target Resources: All resources
Conditions: Client Apps -> Configure = YES
  ☑️ Exchange ActiveSync
  ☑️ Other Clients
Grant: Block access
CA03: Block Unsupported OS Types
Users: All users
Target Resources: All resources
Conditions: Device Platforms -> Configure = YES
  Include: Any Device
  Exclude:
  ☑️ Android
  ☑️ iOS
  ☑️ Windows
  ☑️ macOS
Grant: Block access
CA04: Require App Protection (mobile)
Users: All users
Target Resources: All resources
Conditions: Device Platforms -> Configure = YES
  Include:
  ☑️ Android
  ☑️ iOS
Grant: Require app protection policy
CA05: Require Compliant Desktop
Users: All users
Target Resources: All resources
Conditions: Device Platforms -> Configure = YES
  Include:
  ☑️ Windows
  ☑️ macOS
Grant: Require device to be marked as compliant
CA06: Block Code Flow
Users: All users
Target Resources: All resources
Conditions: Authentication flows -> Configure = YES
  ☑️ Device code flow
Grant: Block access
CA07: Sign In Risk – Medium/High – MFA
Users: All users
Target Resources: All resources
Conditions: Sign-in risk -> Configure = YES
  ☑️ High
  ☑️ Medium
Grant: Require multifactor authentication
Session: Sign-in frequency
  ☑️ Every time
(Requires Entra ID P2)
CA08: User Risk – High – Reset PW
Users: All users
Target Resources: All resources
Conditions: User risk -> Configure = YES
  ☑️ High
Grant: Require password change
Session: Sign-in frequency
  ☑️ Every time
(Requires Entra ID P2)
CA09: Windows Token Protection
Users: All users
Target Resources: Select Resources
  Microsoft Teams Services cc15fd57-2c6c-4117-a88c-83b1d56b4bbe
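To make the “unconfigured conditions apply to everything” note concrete, and to show how CA01 through CA08 combine on a single sign-in, here is a toy evaluator. It is an added example and not code from the original post: the policy dicts are constructed by hand and only loosely mirror the shape of the Microsoft Graph conditionalAccessPolicy resource (the platform and client-app enum strings are the Graph ones, the rest is simplified), the sample sign-ins are invented, and the evaluation logic is a simplification of the real engine (block wins, otherwise the user must satisfy every grant control from every policy that fired). It also includes the scoping check the “static groups” paragraph argues for: flag any policy not assigned to All users.

```python
# Added example, not from the original post. Policy dicts are constructed by
# hand and only loosely follow the Microsoft Graph conditionalAccessPolicy
# shape; sign-ins are invented; evaluation semantics are simplified.

ALL = "All"


def policy(name, grant, users=ALL, **conditions):
    """Build a policy dict. Any condition not passed in is 'not configured',
    which, exactly as the post's note says, means it matches every sign-in."""
    base = {"platforms": None, "clientAppTypes": None, "flows": None,
            "signInRisk": None, "userRisk": None}
    base.update(conditions)
    return {"name": name, "users": users, "resources": ALL,
            "conditions": base, "grant": grant}


# CA01..CA08 as listed above (CA09 is scoped to selected resources, omitted).
POLICIES = [
    policy("CA01: MFA all users all resources", ["mfa"]),
    policy("CA02: Block Legacy Auth", ["block"],
           clientAppTypes=["exchangeActiveSync", "other"]),
    policy("CA03: Block Unsupported OS Types", ["block"],
           platforms={"include": ALL,
                      "exclude": ["android", "iOS", "windows", "macOS"]}),
    policy("CA04: Require App Protection (mobile)", ["compliantApplication"],
           platforms={"include": ["android", "iOS"], "exclude": []}),
    policy("CA05: Require Compliant Desktop", ["compliantDevice"],
           platforms={"include": ["windows", "macOS"], "exclude": []}),
    policy("CA06: Block Code Flow", ["block"], flows=["deviceCodeFlow"]),
    policy("CA07: Sign In Risk - Medium/High - MFA", ["mfa"],
           signInRisk=["medium", "high"]),
    policy("CA08: User Risk - High - Reset PW", ["passwordChange"],
           userRisk=["high"]),
]

# Constructed sample sign-ins (not real telemetry).
SAMPLE_SIGNINS = {
    "windows-browser": {"platform": "windows", "clientAppType": "browser"},
    "linux-browser": {"platform": "linux", "clientAppType": "browser"},
    "android-activesync": {"platform": "android",
                           "clientAppType": "exchangeActiveSync"},
    "windows-devicecode": {"platform": "windows",
                           "clientAppType": "mobileAppsAndDesktopClients",
                           "flow": "deviceCodeFlow"},
    "ios-risky": {"platform": "iOS",
                  "clientAppType": "mobileAppsAndDesktopClients",
                  "signInRisk": "medium"},
}


def _platform_matches(cond, platform):
    """'Any Device' include plus an exclude list, as CA03 is built."""
    if cond is None:
        return True
    included = cond["include"] == ALL or platform in cond["include"]
    return included and platform not in cond["exclude"]


def applies(pol, signin):
    """A policy fires when every *configured* condition matches."""
    c = pol["conditions"]
    return all([
        _platform_matches(c["platforms"], signin["platform"]),
        c["clientAppTypes"] is None
        or signin["clientAppType"] in c["clientAppTypes"],
        c["flows"] is None or signin.get("flow") in c["flows"],
        c["signInRisk"] is None
        or signin.get("signInRisk", "none") in c["signInRisk"],
        c["userRisk"] is None
        or signin.get("userRisk", "none") in c["userRisk"],
    ])


def evaluate(policies, signin):
    """Which policies fire, and the combined outcome for the sign-in."""
    fired = [p for p in policies if applies(p, signin)]
    controls = set()
    for p in fired:
        controls.update(p["grant"])
    outcome = "block" if "block" in controls else "grant"
    return {"policies": [p["name"].split(":")[0] for p in fired],
            "outcome": outcome,
            "controls": [] if outcome == "block" else sorted(controls)}


def not_scoped_to_all_users(policies):
    """Names of policies assigned to a group instead of All users: the
    'static problem' the post warns about."""
    return [p["name"] for p in policies if p["users"] != ALL]


if __name__ == "__main__":
    for label, s in SAMPLE_SIGNINS.items():
        print(f"{label:20} {evaluate(POLICIES, s)}")
    print("group-scoped:", not_scoped_to_all_users(POLICIES))
```

Running it shows the interplay: a Windows browser sign-in has to satisfy both MFA (CA01) and device compliance (CA05), a Linux browser is blocked by CA03 even though CA01 also fired, and an ActiveSync client or a device code flow is blocked outright regardless of platform.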