How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID cover art

How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID

How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID

Listen for free

View show details

About this listen

 If you can’t immediately name your break glass accounts and the last time you tested them → you’re already at risk.In this episode of Entra Chat, Microsoft MVP Per Torben walks through the conditional access mistakes he sees even large enterprises making, and the practical framework he actually uses with customers.You’ll learn how to set up emergency access accounts the right way, why your CA policies should be built more like a firewall than a checklist, and the one naming convention that makes managing dozens of policies actually manageable.🎧 Hit play, your tenant will thank you.Sponsored by:Entra ID Gaps That Cause OutagesIn Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.Teams are left asking:* Which applications can access Microsoft 365 data?* Is that access still appropriate?* Who owns the app?Unclear answers stall reviews, weaken accountability, and slow delivery.ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.Subscribe with your favorite podcast player or watch on YouTube 👇About Per TorbenPer Torben is a Senior Architect at Crayon and a Microsoft MVP for Identity and Access. Based in Norway, he frequently writes highly-read posts featured on Entra.News and runs the collaborative tech blog “Agder in the Cloud”.LinkedIn - https://www.linkedin.com/in/pertorbensorensen/🔗 Related Links* Agder in the Cloud - https://agder.cloud* I.D.E.A. for creating/configuring break-glass accounts* GitHub - https://github.com/Per-Torben/I.D.E.A.* Blog - https://agderinthe.cloud/2026/01/06/introducing-i-d-e-a-and-i-d-e-a-001/* Protected actions: https://agderinthe.cloud/2025/02/12/protected-actions-adding-extra-guards-to-your-entra-id-gate/* Conditional Access hardeing (series): https://agderinthe.cloud/2024/12/05/how-to-fix-the-fundamental-flaw-in-conditional-access-part-1-introduction-and-coverage-gapsCA geo filter (series): https://agderinthe.cloud/2025/11/06/diving-into-geo-filter-with-entra-conditional-access-part-1* Entra Backup - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/backup-restore📗 Chapters06:22 The importance of Break Glass accounts09:02 Securing emergency access with FIDO2 and RMAUs18:10 Configuring Conditional Access: The “Block by Default” strategy27:26 Managing scope and preventing accidental lockouts29:31 Persona-based naming conventions for CA policies35:38 Grouping settings and avoiding bloated policies41:54 Handling exceptions and travel access with Access Packages44:55 The flaw in Protected Actions for Conditional Access53:38 Using the new Entra Backup feature for quick restoresPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
No reviews yet