Baseline Conditional Access policies should typically enforce Multi-Factor Authentication (MFA) for administrative roles and for all users accessing sensitive cloud applications.
Implementing MFA is one of the most effective ways to prevent credential compromise. Baseline policies should, at minimum, target administrative roles (e.g., Global Administrator, Exchange Administrator) and require MFA for any access attempt. This mitigates the risk associated with these highly privileged accounts. Furthermore, for all users, accessing critical cloud applications like Exchange Online, SharePoint Online, or Salesforce should necessitate MFA, irrespective of location or device. This approach significantly reduces the attack surface, as even if a password is stolen, the attacker would still need the second factor of authentication. Microsoft itself strongly recommends this baseline, often providing security defaults or templates that enforce MFA for specific scenarios. Intune's role here is often in ensuring the device itself is managed and compliant before access is granted, further strengthening the MFA requirement.