Microsoft Entra ID · Conditional Access

Conditional Access Administrator

Can manage Microsoft Entra Conditional Access settings. This privileged role can create policies that govern tenant-wide access to Microsoft Entra-integrated resources.

Scope: Tenant-wide Conditional Access policies, authentication strengths, terms of use, and named locations

Permissions

  • CA Properties - Update basic properties for CA policies
  • CA Policies - Create Conditional Access policies
  • CA Policies - Delete Conditional Access policies
  • CA Ownership - Read CA policy owners
  • CA Ownership - Update CA policy owners
  • Applied Policies - Read applied to property
  • CA Policies - Read CA policies
  • Tenant Default - Update tenant default CA
  • Named Locations - Update named locations
  • Named Locations - Create named locations
  • Named Locations - Delete named locations
  • Named Locations - Read named locations
  • Auth Context - Update authentication context for Microsoft 365 RBAC resource actions
  • Access Controls - Configure IP-based, location-based, and device-based access controls
  • Auth Strength - Implement authentication strength requirements
  • Session Controls - Configure session controls and sign-in frequency

Common use cases

  • Implementing Zero Trust access policies
  • Configuring MFA requirements by application, user, or location
  • Requiring devices to be marked as compliant for access
  • Setting location-based access controls (block countries, allow office IPs)
  • Configuring sign-in risk-based access policies
  • Implementing session controls (sign-in frequency, persistent browser)
  • Creating authentication strength policies (phishing-resistant MFA)
  • Managing Named Locations (trusted IPs, countries)
  • Implementing block legacy authentication policies
  • Requiring an existing Intune app protection policy for access
  • Creating report-only policies for testing
  • Restoring soft-deleted Conditional Access policies
  • Creating and managing terms of use enforced through Conditional Access
  • Managing authentication context for sensitive resources

Best practices

  • Start new policies in report-only mode and validate results before enforcement
  • Maintain at least two emergency access accounts and exclude them from Conditional Access policies
  • Test policies with pilot groups before broad rollout
  • Document all policy changes with justification
  • Use clear, standardized policy names
  • Deploy policies in phases, starting with core protections
  • Configure alerts for policy changes
  • Review policy coverage regularly
  • Use authentication strengths over legacy MFA settings
  • Block legacy authentication as priority policy
  • Require compliant devices for sensitive applications
  • Configure sign-in frequency appropriately (not too strict)
  • Use "All resources" policies with proper exclusions
  • Test emergency access accounts regularly
  • Implement change management for policy modifications
  • Monitor for policy conflicts and gaps
  • Use policy templates as starting points
  • Review Conditional Access insights regularly

Security considerations

  • Misconfigured policies can lock out all users including admins
  • Exclude emergency access accounts from Conditional Access policies
  • Can disable MFA requirements if not properly governed
  • Enabled policy changes can block targeted sign-ins if misconfigured
  • Consider separation of duties with Security Administrator
  • Monitor for policy deletion or disabled status
  • Named location changes can affect access globally
  • Report-only mode doesn't affect actual access
  • Multiple policies can apply simultaneously
  • Test emergency access procedures regularly
  • Alert on any changes to emergency account exclusions
  • All applicable policies must be satisfied, so controls from multiple policies can combine
  • Can block access to Azure portal for recovery

Common questions

When should I assign the Conditional Access Administrator role?

Assign Conditional Access Administrator when you need to: Implementing Zero Trust access policies; Configuring MFA requirements by application, user, or location; Requiring devices to be marked as compliant for access; Setting location-based access controls (block countries, allow office IPs); and Configuring sign-in risk-based access policies. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Conditional Access Administrator role do?

The Conditional Access Administrator role grants permissions including: CA Properties - Update basic properties for CA policies; CA Policies - Create Conditional Access policies; CA Policies - Delete Conditional Access policies; CA Ownership - Read CA policy owners; CA Ownership - Update CA policy owners; and Applied Policies - Read applied to property. See the Permissions section above for the full list.

What are the security risks of the Conditional Access Administrator role?

Key considerations when assigning Conditional Access Administrator: Misconfigured policies can lock out all users including admins; Exclude emergency access accounts from Conditional Access policies; Can disable MFA requirements if not properly governed; and Enabled policy changes can block targeted sign-ins if misconfigured. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →