Microsoft Entra ID · Conditional Access

Conditional Access Administrator

Can manage Conditional Access settings and policies. This is a privileged role that controls access to all cloud resources.

Scope: Conditional Access policy and named location management

Permissions

  • CA Properties - Update basic properties for CA policies
  • CA Policies - Create Conditional Access policies
  • CA Policies - Delete Conditional Access policies
  • CA Ownership - Read CA policy owners
  • CA Ownership - Update CA policy owners
  • Applied Policies - Read the "applied to" property of CA policies
  • CA Policies - Read CA policies
  • Tenant Default - Update tenant default CA
  • Named Locations - Update named locations
  • Named Locations - Create named locations
  • Named Locations - Delete named locations
  • Named Locations - Read named locations
  • Auth Context - Update authentication context for RBAC resource actions
  • Access Controls - Configure IP-based, location-based, and device-based access controls
  • Auth Strength - Implement authentication strength requirements
  • Session Controls - Configure session controls and sign-in frequency

Common use cases

  • Implementing Zero Trust access policies
  • Configuring MFA requirements by application, user, or location
  • Managing device compliance requirements for access
  • Setting location-based access controls (block countries, allow office IPs)
  • Configuring sign-in risk-based access policies
  • Implementing session controls (sign-in frequency, persistent browser)
  • Creating authentication strength policies (phishing-resistant MFA)
  • Managing Named Locations (trusted IPs, countries)
  • Implementing policies that block legacy authentication
  • Configuring integration with app protection policies
  • Creating report-only policies for testing
  • Managing authentication context for sensitive resources

Best practices

  • ALWAYS use report-only mode before enabling policies
  • ALWAYS exclude at least 2 emergency access accounts
  • Test policies with pilot groups before broad rollout
  • Document all policy changes with justification
  • Use named policies for organization and clarity
  • Implement policies incrementally (start with low-risk)
  • Configure alerts for policy changes
  • Review policy coverage regularly
  • Use authentication strengths over legacy MFA settings
  • Block legacy authentication as a priority policy
  • Require compliant devices for sensitive applications
  • Configure sign-in frequency appropriately (not too strict)
  • Use "All cloud apps" policies with proper exclusions
  • Test emergency access accounts regularly
  • Implement change management for policy modifications
  • Monitor for policy conflicts and gaps
  • Use policy templates as starting points
  • Review Conditional Access insights regularly

Security considerations

  • Misconfigured policies can lock out all users including admins
  • Emergency access accounts MUST be excluded from all policies
  • This role can disable MFA requirements if not properly governed
  • Policy changes can affect all users immediately
  • Consider separation of duties with Security Administrator
  • Monitor for policy deletion or disabled status
  • Named location changes can affect access globally
  • Report-only mode doesn't affect actual access
  • Multiple policies can apply simultaneously
  • Test emergency access procedures regularly
  • Alert on any changes to emergency account exclusions
  • Policy evaluation order matters for expected behavior
  • A misconfigured policy can block access to the Azure portal needed for recovery
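As an added example (not part of this page or the RBACMap project), a small Python audit over policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource, applying two of the checks above: every enforcing policy excludes the break-glass accounts, and disabled policies are surfaced for review. The policy objects and account IDs are constructed sample data; a real run would feed it the JSON returned by the Graph `/identity/conditionalAccess/policies` endpoint.

```python
# Added example: audit Conditional Access policy objects shaped like the
# Microsoft Graph conditionalAccessPolicy resource (displayName, state,
# conditions.users.excludeUsers). All sample data below is constructed.

# Constructed break-glass account object IDs (placeholders, not real).
EMERGENCY_ACCOUNTS = {"00000000-0000-0000-0000-0000000000a1",
                      "00000000-0000-0000-0000-0000000000a2"}

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value

SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": sorted(EMERGENCY_ACCOUNTS)}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-0000000000a1"]}}},
    {"displayName": "Require compliant device", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "Old geo block", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": sorted(EMERGENCY_ACCOUNTS)}}},
]


def audit_policies(policies, emergency_accounts=EMERGENCY_ACCOUNTS):
    """Return (policy name, finding) tuples for policies needing attention.
    Only direct user exclusions are checked; exclusions via excludeGroups
    would need group membership resolved first (assumption of this example)."""
    findings = []
    for policy in policies:
        users = policy.get("conditions", {}).get("users", {})
        missing = sorted(emergency_accounts - set(users.get("excludeUsers", [])))
        state = policy.get("state")
        name = policy.get("displayName", "<unnamed>")
        if state == "enabled" and missing:
            findings.append((name, f"enforcing but missing exclusion for {missing}"))
        elif state == REPORT_ONLY and missing:
            findings.append((name, f"report-only; add exclusion for {missing} before enabling"))
        elif state == "disabled":
            findings.append((name, "disabled; confirm this is intentional and alert on change"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_policies(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```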
