This lab demonstrates how to enforce security policies in Microsoft Entra ID by implementing Conditional Access and Multi-Factor Authentication (MFA) within the framework of a Zero Trust security model. The objective is to strengthen authentication security by blocking risky sign-ins, requiring MFA for high-privilege accounts such as Global Administrators, and ensuring that only verified users and devices gain access to critical resources. By configuring Conditional Access policies, organizations can minimize unauthorized access, ensure continuous verification, and enhance overall security compliance in line with Zero Trust principles.
Conditional Access is a security feature in Microsoft Entra ID (formerly Azure AD) that enforces access policies based on specific conditions such as user identity, device compliance, location, and risk level. It helps organizations control who can access resources and under what circumstances.
Multi-Factor Authentication (MFA) is an authentication method that requires users to verify their identity using multiple factors, typically something they know (password) and something they have (authentication app, phone, or security key). MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
By implementing Conditional Access and MFA together, organizations strengthen security by ensuring that access to critical resources is granted only under secure and verified conditions.
Before starting this lab, ensure the following requirements are met:
- Microsoft Entra ID Admin Access – Access to the Microsoft Entra Admin Center with Global Administrator or Conditional Access Administrator permissions.
- Test Admin Account – A separate test account with Global Administrator privileges for testing.
- Multi-Factor Authentication (MFA) Setup – Ensure MFA is enabled in the Microsoft Entra ID tenant.
- Internet Connection – Required to access the Microsoft Entra Admin Center.
- VPN (Optional) – Used to simulate sign-ins from untrusted locations.
This lab is intended for IT administrators, security analysts, and identity management professionals responsible for securing user authentication in Microsoft Entra ID. The lab assumes basic familiarity with Microsoft Entra ID and Conditional Access policies.
The lab involves configuring a Conditional Access policy to enforce MFA for Global Administrators and block access from untrusted locations. This ensures that only verified users can access sensitive resources, reducing the risk of unauthorized access and credential-based attacks.
This lab is applicable when:
- Implementing security policies for privileged accounts.
- Strengthening authentication mechanisms to comply with security frameworks.
- Responding to an increase in unauthorized sign-in attempts.
- Enhancing identity protection for cloud-based services.
The lab is performed within the Microsoft Entra Admin Center, specifically under the Security and Conditional Access sections.
Enforcing MFA and Conditional Access is critical for:
- Reducing the risk of compromised administrator accounts.
- Preventing unauthorized access from risky locations.
- Ensuring compliance with security best practices and regulatory requirements.
- Strengthening authentication security for sensitive resources.
Conditional Access is a policy-based access control feature in Microsoft Entra ID (formerly Azure Active Directory) that enforces security requirements based on specific conditions. It evaluates signals such as user identity, device status, location, and application being accessed to determine whether to allow or block access—or require additional actions like Multi-Factor Authentication (MFA).
- Granular Control: Apply policies based on user groups, roles, applications, device compliance, IP locations, and risk levels.
- Adaptive Access: Enforce additional security requirements (like MFA or device compliance) only when certain conditions are met.
- Real-Time Decisions: Evaluate access requests in real-time to ensure compliance and reduce risk.
- Reduces the attack surface by requiring stronger controls only when necessary.
- Supports zero-trust security by verifying user identity, device health, and session context.
- Helps organizations meet compliance standards and minimize the risk of unauthorized access.
- Require MFA for users signing in from outside trusted locations.
- Block access to sensitive applications from unmanaged or non-compliant devices.
- Allow access only if the user's risk level is low (based on Microsoft Entra ID Identity Protection).
- Open a web browser and navigate to the Microsoft Entra Admin Center.
- Go to Security → Conditional Access. If it cannot be located, use the search bar on the home screen.
- Click on New Policy and name it "Require MFA for Admins".
- Under Assignments, select Users.
- Click Specific users included; under Include, select the Users and groups radio button, tick the Users and groups check box, and select the group you created for Global Administrators.
- Navigate to Conditions → Locations.
- Configure the policy to "Include Any network or location". Policies with "Any network or location" ensure users meet security conditions (e.g., MFA, device compliance) regardless of where they are.
- Under Grant Controls, select Require Multi-Factor Authentication (MFA).
- Ensure the policy is set to Enabled.
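The same policy, expressed as the JSON body that the Microsoft Graph endpoint for Conditional Access policies accepts, is a useful cross-check of the portal steps above. This is an added example, not part of the lab: it builds the policy (group of Global Administrators, any network or location, grant control MFA, state Enabled), lints it for the scoping mistakes that most often leave administrators unprotected, and returns the request it would send without sending it. The group id is a placeholder, and targeting all cloud apps is an assumption the lab's steps do not spell out.

```python
"""Build the 'Require MFA for Admins' policy as a Microsoft Graph conditionalAccessPolicy body.

Added example, not part of the lab. It mirrors the portal steps (group of Global
Administrators, any location, grant control = MFA, state Enabled) as the JSON that
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies accepts,
then lints the body for common scoping mistakes. No request is sent.
"""
import json

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder: object id of the group that holds the Global Administrator accounts.
ADMIN_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_policy(admin_group_id: str, name: str = "Require MFA for Admins",
                 report_only: bool = False) -> dict:
    """Return the policy body equivalent to the portal steps in the lab."""
    return {
        "displayName": name,
        # Report-only mode records what the policy would have done in the sign-in
        # logs without enforcing it; use it first in a production tenant so a
        # mis-scoped policy cannot lock the administrators out.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [admin_group_id]},
            # Assumption: the lab does not name target apps; cover all cloud apps.
            "applications": {"includeApplications": ["All"]},
            # "All" is the portal's "Any network or location".
            "locations": {"includeLocations": ["All"]},
        },
        # A single control with operator OR means "require MFA", nothing else.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the body matches the lab's intent."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if not (users.get("includeGroups") or users.get("includeRoles") or users.get("includeUsers")):
        findings.append("no users, groups or roles are targeted; the policy applies to nobody")
    locations = cond.get("locations", {})
    if "All" not in locations.get("includeLocations", []):
        findings.append("locations are not 'Any network or location'; a network-based bypass exists")
    if locations.get("excludeLocations"):
        findings.append("excluded locations let sign-ins from those networks skip MFA")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        findings.append("policy does not cover all cloud apps")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant control does not require multi-factor authentication")
    if grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("operator OR with several controls lets any one of them replace MFA")
    if policy.get("state") not in ("enabled", "enabledForReportingButNotEnforced"):
        findings.append("policy state is not Enabled")
    return findings


def graph_request(policy: dict) -> tuple[str, str, str]:
    """Return (method, url, body) for the create call; the caller supplies a bearer
    token carrying the Policy.ReadWrite.ConditionalAccess permission."""
    return ("POST", GRAPH_CA_POLICIES, json.dumps(policy, indent=2))


if __name__ == "__main__":
    policy = build_policy(ADMIN_GROUP_ID)
    print(graph_request(policy)[2])
    print("findings:", lint_policy(policy) or "none")
```

Run `lint_policy` against a policy exported from the tenant as well as the one built here: the two findings about excluded locations and several OR-ed controls are the ones that quietly turn "require MFA everywhere" into "require MFA sometimes".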

This lab ensures users must meet security conditions such as Multi-Factor Authentication (MFA) and device compliance no matter where they connect from. By configuring the policy to "Include Any network or location," authentication requirements apply universally whether users are on a corporate network, public Wi-Fi, or a remote connection. This enhances security by preventing location-based bypasses and ensuring consistent enforcement of access policies across all environments.
- Sign in with a Global Administrator test account.
- Confirm that an MFA prompt appears before access is granted.
- Go to Microsoft Entra ID → Sign-in Logs.
- Verify that policy enforcement details, such as MFA requirements and blocked sign-ins, are correctly logged.
- If unexpected behavior occurs, review policy settings and adjust conditions accordingly.
- Ensure that MFA settings in Identity Protection align with Conditional Access policies.
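Reading the sign-in logs by hand works for one test account; a small script scales the same check to every administrator. This is an added example, not part of the lab: it runs over constructed records shaped like Microsoft Graph sign-in log entries (userPrincipalName, status.errorCode, conditionalAccessStatus, authenticationRequirement, appliedConditionalAccessPolicies) and flags successful Global Administrator sign-ins for which the policy did not report success or MFA was not required. The administrator UPN, the sample records and the error code on the interrupted sign-in are constructed, and the policy name is the one the lab uses.

```python
"""Flag Global Administrator sign-ins that succeeded without the MFA policy being enforced.

Added example, not part of the lab. The records below are constructed to mimic the
shape of Microsoft Graph sign-in log entries; only the fields the check reads are
present. The admin UPN and policy name are placeholders for the lab's test tenant.
"""

POLICY_NAME = "Require MFA for Admins"
ADMIN_UPNS = {"admin-test@contoso.example"}  # constructed: the lab's Global Administrator test account

# Constructed sample records.
SAMPLE_SIGNINS = [
    {   # expected case: policy applied and MFA satisfied
        "id": "s1", "userPrincipalName": "admin-test@contoso.example",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {   # sign-in interrupted by the MFA prompt; no token was issued, so not a gap
        "id": "s2", "userPrincipalName": "admin-test@contoso.example",
        "status": {"errorCode": 50074},
        "conditionalAccessStatus": "failure",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "failure", "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {   # gap: admin got in with a single factor and the policy reports notApplied
        "id": "s3", "userPrincipalName": "admin-test@contoso.example",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "notApplied", "enforcedGrantControls": []},
        ],
    },
    {   # ordinary user outside the policy's scope; ignored by the check
        "id": "s4", "userPrincipalName": "user@contoso.example",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [],
    },
]


def policy_result(record: dict, policy_name: str) -> str:
    """Outcome the named policy recorded for this sign-in, or 'absent' if it never evaluated."""
    for applied in record.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result", "unknown")
    return "absent"


def find_unprotected_admin_signins(records, admin_upns, policy_name=POLICY_NAME):
    """Return (id, upn, policy result, auth requirement) for each successful admin
    sign-in where the policy did not report success or MFA was not required."""
    gaps = []
    for rec in records:
        if rec.get("userPrincipalName") not in admin_upns:
            continue
        # A non-zero errorCode means no token was issued (for example the MFA interrupt),
        # so nothing was granted and the record is not a gap.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        result = policy_result(rec, policy_name)
        mfa_required = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        if result != "success" or not mfa_required:
            gaps.append((rec["id"], rec["userPrincipalName"], result,
                         rec.get("authenticationRequirement")))
    return gaps


def summarize(records, policy_name=POLICY_NAME) -> dict:
    """Count sign-ins per policy outcome; useful while the policy is in report-only mode."""
    counts = {}
    for rec in records:
        key = policy_result(rec, policy_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for gap in find_unprotected_admin_signins(SAMPLE_SIGNINS, ADMIN_UPNS):
        print("UNPROTECTED admin sign-in:", gap)
    print("policy outcomes:", summarize(SAMPLE_SIGNINS))
```

A record like s3 is the one to chase: the account is in scope, the token was issued, and the policy did not fire. The usual causes are an administrator who is not in the targeted group or a location exclusion, which is why the scope and location settings are rechecked before the policy is trusted.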
By following these validation steps, the effectiveness of the Conditional Access policy can be confirmed, ensuring that privileged accounts remain secure.