๐‡๐จ๐ฐ ๐‚๐จ๐ง๐๐ข๐ญ๐ข๐จ๐ง๐š๐ฅ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐๐จ๐ฅ๐ข๐œ๐ข๐ž๐ฌ ๐€๐ซ๐ž ๐„๐ฏ๐š๐ฅ๐ฎ๐š๐ญ๐ž๐ ๐ข๐ง ๐Œ๐ข๐œ๐ซ๐จ๐ฌ๐จ๐Ÿ๐ญ ๐„๐ง๐ญ๐ซ๐š ๐ˆ๐ƒ

Understanding how Conditional Access policies are evaluated in Microsoft Entra ID is absolutely essential if you are involved in their creation or management.

I often encounter fundamental misunderstandings regarding how the evaluation of Conditional Access policies takes place. Many administrators are accustomed to systems like firewalls, where there is an order or priority for evaluating created rules. However, it does not work this way with Conditional Access policies in Microsoft Entra ID. Applying the same principle to Conditional Access policies will very likely lead to significant security risks.

Read my blog post below 👇 👇
https://www.cswrld.com/2026/02/how-conditional-access-policies-are-evaluated-in-microsoft-entra-id/

#cswrld #entraid #securitytips #conditionalaccess

Microsoft is rolling out two Entra ID changes this spring that take effect automatically.

Passkey profiles move to GA in March. Tenants that do not opt in will be auto-migrated starting in April (through late May for Worldwide, late June for GCC/GCC High/DoD). If attestation is disabled, synced passkeys become allowed by default, meaning credentials can sync via iCloud Keychain and Google Password Manager without an explicit decision to allow synced passkeys.

Conditional Access is closing an enforcement gap starting March 27. Policies targeting "All resources" with resource exclusions will now enforce on sign-ins where apps request only OIDC or limited directory scopes. These flows were previously not being evaluated.

I published a breakdown covering:

• Auto-migration logic and default configuration behavior
• PowerShell scripts to audit your tenant
• A three-profile passkey architecture for role-based separation
• How to identify affected Conditional Access policies
• Key gotchas (silent campaign shifts, retroactive AAGUID removal, destructive preview opt-out)

The post includes links to MC1221452, the Microsoft Tech Community announcement, and the relevant Microsoft Learn documentation.

https://nineliveszerotrust.com/blog/entra-march-2026-passkeys-ca/

#EntraID #Identity #ZeroTrust #Passkeys #ConditionalAccess #CloudSecurity #MFA

@_dirkjan and my joint talk at #TROOPERS25 is now available on YouTube.

"Finding Entra ID CA Bypasses - the structured way" @WEareTROOPERS

https://youtu.be/yYQBeDFEkps

#Entra #ConditionalAccess

Last week #Microsoft published #MC1123830 where they announced #Entra #ConditionalAccess updates indicating that #AzureDevOps (ADO) will be separated from Azure Resource Manager (ARM). This means that you might have to update your policies in order to allow access to #ADO.

๐—›๐—ผ๐˜„ ๐˜๐—ผ ๐—ฏ๐—น๐—ผ๐—ฐ๐—ธ ๐˜‚๐—ป๐—ธ๐—ป๐—ผ๐˜„๐—ป ๐—ฝ๐—น๐—ฎ๐˜๐—ณ๐—ผ๐—ฟ๐—บ๐˜€ ๐—ถ๐—ป ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜ ๐—˜๐—ป๐˜๐—ฟ๐—ฎ ๐—œ๐——

Under conditional access policies, it is possible to block individual device platforms. In general, it is a good idea to eliminate all ways that a potential threat actor could use to compromise the environment. In other words, block everything that is not needed.

This also applies to device platforms within Microsoft Entra ID. For example, if your organization only uses Windows, iOS, and Android, it's a good idea to disable all other platforms. If you also use macOS, you need to add macOS as well, of course.

What I would definitely recommend blocking is Windows Phone and other unknown platforms. Unrecognized / unknown platforms are usually spoofed User Agents, a technique mainly used by threat actors.

📺 Watch my YouTube video below 👇 👇
https://youtu.be/vFhQgwXmqTo

#cswrld #videotutorial #entraid #conditionalaccess #platforms #blocking

This week there are a lot of changes coming down to Windows 11 and Entra. You know, the foundation of everything.

https://link.publicate.it/pub/05c7133d58fd8d
#M365 #Entra #windows11 #conditionalaccess

April 28 - ThirdTier

Authentication Strengths in Microsoft Entra ID allow you to granularly define authentication requirements for different situations.

Before authentication strengths were available, authentication requirements were defined globally for the entire tenant, and then conditional access policies could just say that multi-factor authentication was required, for example. But it was not possible to define what type of multifactor authentication was required. So anything that was available globally could be used by all users in all situations.

This was not optimal. There are situations where a less secure authentication method like SMS or TOTP might be enough. But there are situations where we only want to use very secure authentication methods like FIDO2, for example when someone is logging into a global admin account.

Such granularity was not possible before. If SMS authentication was enabled for a given tenant, even the global admin could use SMS for authentication.

Watch my YouTube video below for more details 👇 👇
https://youtu.be/8sIX19pbdho

#cswrld #cybersecurity #entraid #authentication #authenticationstrength #conditionalaccess

Microsoft Entra ID Authentication Strengths explained


RECOMMENDED CONDITIONAL ACCESS POLICIES IN MICROSOFT ENTRA ID

Conditional access policies in Microsoft Entra ID allow for very granular security management. The problem is that organizations usually do not have conditional access policies properly defined. There tend to be blind spots: policies don't cover all applications, all users, and all scenarios.

Many organizations have conditional access policies defined but do not think about them properly. This is because they often target only specific applications or specific users. And when I ask them why the MFA policy only targets Office 365 for example, they tell me they don't use anything else. Or when I ask why they only target one group of users, they tell me that other users don't use cloud services.

But that's just the wrong approach. You are not primarily protecting the services from your users, but from attackers. And just because you don't use anything other than Office 365 doesn't mean an attacker will not use it. Or just because some users don't use cloud services doesn't mean those accounts can't be exploited by an attacker. If those apps or accounts exist in the cloud, they need to be protected whether regular users use them or not. Attackers are looking for the most insecure places, the weakest links.

📺 Watch my YouTube video below where I talk about the conditional access policies that I recommend implementing 👇 👇
https://youtu.be/LtIgFBDJzXs

#cswrld #videotutorial #entraid #conditionalaccess #recommendation
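The four posts above (how policies are evaluated, blocking unknown platforms, authentication strengths, and MFA for all users and all apps) describe one evaluation model, so the following added example, which is not code from any of the posts, blogs or videos linked here, models it in Python against policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource. It shows that every matching policy applies with no order or priority, that a block from any applicable policy wins, and that a policy including "all" platforms and excluding the ones you use is what catches an unrecognized platform. The policy names, users, apps, group names and the method sets behind each authentication strength are constructed assumptions; grant controls are combined with the AND operator only.

```python
"""Toy model of Conditional Access (CA) evaluation in Microsoft Entra ID.

Behaviour modelled: every enabled policy whose conditions match the sign-in
applies, with no order or priority between policies; a block from any
applicable policy wins; otherwise the grant controls of all applicable
policies must be satisfied; report-only policies are not enforced.
All policies, users, apps and method sets below are constructed examples.
"""
from dataclasses import dataclass, field

# Assumption: which methods satisfy each built-in authentication strength.
# The strength names are the built-in ones; the method sets are illustrative.
STRENGTHS = {
    "Multifactor authentication": {"sms", "totp", "authenticatorPush", "fido2", "windowsHello"},
    "Phishing-resistant MFA": {"fido2", "windowsHello", "certificate"},
}


@dataclass
class SignIn:
    user: str
    app: str
    platform: str              # Graph devicePlatform value, or "unknown"
    methods: set               # authentication methods the user can complete
    groups: set = field(default_factory=set)


def _listed(entries, all_token, *values):
    """True if the 'all' token or any of the values appears in entries."""
    return all_token in entries or any(v in entries for v in values)


def policy_applies(policy, s):
    """True when every condition of the policy matches the sign-in."""
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    if not (_listed(users.get("includeUsers", []), "All", s.user)
            or _listed(users.get("includeGroups", []), None, *s.groups)):
        return False
    if (_listed(users.get("excludeUsers", []), None, s.user)
            or _listed(users.get("excludeGroups", []), None, *s.groups)):
        return False
    if (not _listed(apps.get("includeApplications", []), "All", s.app)
            or s.app in apps.get("excludeApplications", [])):
        return False
    platforms = c.get("platforms")
    if platforms:
        # includePlatforms ["all"] also matches unknown platforms; a list of
        # named platforms never does, and "unknown" is never in an exclude list
        if not _listed(platforms.get("includePlatforms", []), "all", s.platform):
            return False
        if s.platform in platforms.get("excludePlatforms", []):
            return False
    return True


def evaluate(policies, s):
    """Return (decision, names): 'blocked' (by which policies), 'granted'
    (which policies applied) or 'denied' (which grant controls were unmet)."""
    applicable = [p for p in policies
                  if p["state"] == "enabled" and policy_applies(p, s)]
    blockers = [p["displayName"] for p in applicable
                if "block" in p["grantControls"].get("builtInControls", [])]
    if blockers:               # a block beats every grant, whatever the order
        return "blocked", blockers
    unmet = []
    for p in applicable:       # AND across policies: all controls must be met
        gc = p["grantControls"]
        if "mfa" in gc.get("builtInControls", []) and not (
                s.methods & STRENGTHS["Multifactor authentication"]):
            unmet.append(f'{p["displayName"]}: mfa')
        strength = gc.get("authenticationStrength")
        if strength and not (s.methods & STRENGTHS[strength["displayName"]]):
            unmet.append(f'{p["displayName"]}: {strength["displayName"]}')
    if unmet:
        return "denied", unmet
    return "granted", [p["displayName"] for p in applicable]


# Constructed sample policies: the baseline from the posts, a break-glass
# account excluded from each one as Microsoft recommends.
ALL_USERS = {"includeUsers": ["All"], "excludeUsers": ["breakglass"]}
ALL_APPS = {"includeApplications": ["All"]}
POLICIES = [
    {"displayName": "CA001 Require MFA for all users and all apps",
     "state": "enabled",
     "conditions": {"users": ALL_USERS, "applications": ALL_APPS},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block platforms not used by the organisation",
     "state": "enabled",
     "conditions": {"users": ALL_USERS, "applications": ALL_APPS,
                    "platforms": {"includePlatforms": ["all"],
                                  "excludePlatforms": ["windows", "iOS", "android"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["block"]}},
    {"displayName": "CA003 Admins require phishing-resistant MFA",
     "state": "enabled",
     "conditions": {"users": {"includeGroups": ["global-admins"]}, "applications": ALL_APPS},
     "grantControls": {"operator": "AND",
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
]
```

Running `evaluate(POLICIES, SignIn("bob", "Azure portal", "unknown", {"fido2"}, groups={"global-admins"}))` returns a block from CA002 even though the admin could satisfy the strongest authentication, which is the point of the "no priority" model: the block policy is not "lower" than the grant policy, it is simply also applicable. The same admin on Windows with only SMS is denied by CA003 while CA001 is satisfied, and the excluded break-glass account on an unknown platform is granted with no policy applying, which is why such accounts need their own monitoring.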

Recommended conditional access policies

'What Is Cybersecurity Mesh?' Great discussion with IBM Security about the various elements that make up #cybersecuritymesh https://bit.ly/3Nizvoc #zerotrust #identitymanagement #conditionalaccess #DLP #MFA
Cloud Security Trends: What Is Cybersecurity Mesh?

What's next for cloud security? Among the upcoming trends is cybersecurity mesh, one of several possible conceptual strategies.

Security Intelligence