Based on the excellent work in this blog article, I implemented a standard for conditional access that we plan to use across clients. It attempts to balance the security lock down with breaking as few things as possible.

You need to create and populate the following groups:
| Group | Purpose |
|---|---|
| CA-Excluded | No Conditional Access rules applied to members |
| CA-Service Accounts | Can only authenticate from trusted IP named locations |
| CA-International Users | Users who can connect from pre-defined trusted countries |
Below is an outline of the policies:
| BLOCK – Legacy Authentication | |
|---|---|
| Support Impact | Legacy mobile clients (non-modern-auth mail apps on old iOS/Android) are blocked unless the user is added to the CA-Excluded group |
| Control | Block |
| Included Groups | All Users |
| Excluded Groups | CA-Excluded, CA-Service Accounts |
| Included Cloud Apps | All Cloud Apps |
| Excluded Cloud Apps | None |
| Client App Types | Exchange ActiveSync clients, Other clients |
| Included Locations | Any location |
| Excluded Locations | None |
| BLOCK – Outside US | |
|---|---|
| Support Impact | Sign-ins from outside the US are blocked unless the user is in the CA-International Users group |
| Control | Block |
| Included Groups | All Users |
| Excluded Groups | CA-Excluded, CA-International Users |
| Included Cloud Apps | All |
| Excluded Cloud Apps | None |
| Client App Types | All |
| Included Locations | Any location |
| Excluded Locations | United States |
| BLOCK – Service Accounts (Trusted Locations Excluded) | |
|---|---|
| Support Impact | If a service account that needs to be exempted is either not in the CA-Service Accounts group or is not signing in from a trusted IP, some functions and applications may fail (example: IMAP mailbox polling) |
| Control | Block |
| Included Groups | CA-Service Accounts |
| Excluded Groups | CA-Excluded |
| Included Cloud Apps | All |
| Excluded Cloud Apps | None |
| Client App Types | All |
| Included Locations | All |
| Excluded Locations | Trusted named IP locations |
| BLOCK – MFA for International Users | |
|---|---|
| Support Impact | Members of the CA-International Users group are required to MFA |
| Control | Block |
| Included Groups | CA-International Users |
| Excluded Groups | CA-Excluded |
| Included Cloud Apps | All Cloud Apps |
| Excluded Cloud Apps | None |
| Client App Types | Browser, Mobile apps and desktop clients |
| Included Locations | All locations |
| Excluded Locations | Trusted named country locations |
| GRANT – MFA for All Other Users | |
|---|---|
| Support Impact | MFA is required for all locations and applications; users who must be exempted should be added to the CA-Excluded group |
| Control | Require MFA |
| Included Groups | All |
| Excluded Groups | CA-Excluded, CA-Service Accounts |
| Included Cloud Apps | All |
| Excluded Cloud Apps | Microsoft Intune, Microsoft Intune Enrollment |
| Client App Types | Browser, Mobile apps and desktop clients |
| Included Locations | All |
| Excluded Locations | None |
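The following script is an added example, not part of the original post, showing how the three groups, the named locations and the five policies above can be created in one pass with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes; the trusted-country list, the office IP range and the `CA-` location display names are constructed placeholders to edit per client. Every policy is created in report-only state so the sign-in log can be reviewed before enforcement.

```powershell
# Added example (not the original article's code): deploy the CA standard via Graph.
# Assumptions: Microsoft.Graph module installed; admin can consent to these scopes;
# country list and CIDR below are constructed placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.ReadWrite.All', 'Application.Read.All'

# --- Groups: reuse an existing group by display name, otherwise create an empty security group ---
function Get-OrCreateGroup([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'" | Select-Object -First 1
    if (-not $g) {
        $g = New-MgGroup -DisplayName $Name -MailEnabled:$false -SecurityEnabled `
                         -MailNickname ($Name -replace '[^A-Za-z0-9]', '')
    }
    return $g.Id
}
$excluded  = Get-OrCreateGroup 'CA-Excluded'
$svcAccts  = Get-OrCreateGroup 'CA-Service Accounts'
$intlUsers = Get-OrCreateGroup 'CA-International Users'

# --- Named locations ---
$us = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'CA-United States'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false   # unknown geo is treated as outside the US
}
$trustedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'CA-Trusted Countries'
    countriesAndRegions               = @('US', 'CA', 'GB')   # constructed list; edit per client
    includeUnknownCountriesAndRegions = $false
}
# isTrusted = $true makes this range part of the built-in 'AllTrusted' location used below
$null = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'CA-Trusted Office IPs'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'
                         cidrAddress   = '203.0.113.0/24' })   # placeholder CIDR
}

# --- One helper that maps the table columns above onto the Graph policy schema ---
function New-CaPolicy {
    param(
        [string]$Name, [string]$Control,                 # 'block' or 'mfa'
        [string[]]$IncludeUsers = @(), [string[]]$IncludeGroups = @(),
        [string[]]$ExcludeGroups = @(),
        [string[]]$ClientApps, [string[]]$ExcludeApps = @(),
        [string[]]$IncludeLocations = @('All'), [string[]]$ExcludeLocations = @()
    )
    $body = @{
        displayName = $Name
        state       = 'enabledForReportingButNotEnforced'   # report-only; set 'enabled' after review
        conditions  = @{
            users          = @{ includeUsers = $IncludeUsers; includeGroups = $IncludeGroups
                                excludeGroups = $ExcludeGroups }
            applications   = @{ includeApplications = @('All'); excludeApplications = $ExcludeApps }
            clientAppTypes = $ClientApps
            locations      = @{ includeLocations = $IncludeLocations; excludeLocations = $ExcludeLocations }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @($Control) }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$legacy = @('exchangeActiveSync', 'other')               # "Exchange ActiveSync clients, Other clients"
$modern = @('browser', 'mobileAppsAndDesktopClients')    # "Browser, Mobile apps and desktop clients"

New-CaPolicy -Name 'BLOCK - Legacy Authentication' -Control block -IncludeUsers All `
    -ExcludeGroups $excluded, $svcAccts -ClientApps $legacy
New-CaPolicy -Name 'BLOCK - Outside US' -Control block -IncludeUsers All `
    -ExcludeGroups $excluded, $intlUsers -ClientApps all -ExcludeLocations $us.Id
New-CaPolicy -Name 'BLOCK - Service Accounts (Trusted Locations Excluded)' -Control block `
    -IncludeGroups $svcAccts -ExcludeGroups $excluded -ClientApps all -ExcludeLocations AllTrusted
New-CaPolicy -Name 'BLOCK - MFA for International Users' -Control block `
    -IncludeGroups $intlUsers -ExcludeGroups $excluded -ClientApps $modern `
    -ExcludeLocations $trustedCountries.Id

# Intune apps are excluded from the MFA policy so device enrollment is not interrupted;
# the app IDs are looked up by display name rather than hard-coded.
$intuneIds = foreach ($n in 'Microsoft Intune', 'Microsoft Intune Enrollment') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$n'" | Select-Object -First 1
    if ($sp) { $sp.AppId } else { Write-Warning "Service principal '$n' not found; not excluded" }
}
New-CaPolicy -Name 'GRANT - MFA for All Other Users' -Control mfa -IncludeUsers All `
    -ExcludeGroups $excluded, $svcAccts -ClientApps $modern -ExcludeApps @($intuneIds)
```

Run it once per tenant, populate the three groups (the emergency-access accounts belong in CA-Excluded before anything is enforced), then review the report-only results in the sign-in log and switch each policy's `state` to `enabled` individually rather than all at once.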