From: Architecting Zero Trust: Crafting Baseline Conditional Access Policies with Intune
evidencestatistical

Baseline Conditional Access policies should typically enforce Multi-Factor Authentication (MFA) for administrative roles and for all users accessing sensitive cloud applications.

97% confidence

Implementing MFA is one of the most effective ways to prevent credential compromise. Baseline policies should, at minimum, target administrative roles (e.g., Global Administrator, Exchange Administrator) and require MFA for any access attempt. This mitigates the risk associated with these highly privileged accounts. Furthermore, for all users, accessing critical cloud applications like Exchange Online, SharePoint Online, or Salesforce should necessitate MFA, irrespective of location or device. This approach significantly reduces the attack surface, as even if a password is stolen, the attacker would still need the second factor of authentication. Microsoft itself strongly recommends this baseline, often providing security defaults or templates that enforce MFA for specific scenarios. Intune's role here is often in ensuring the device itself is managed and compliant before access is granted, further strengthening the MFA requirement.

Read the full exploration
What else is in this exploration
4 perspectives4 visualizations4 insights3 media resources8 rabbit holes
evidence
Conditional Access is the 'If-Then-Else' statement of Microsoft's identity security, evaluating a...
evidence
The 'Report-only' mode is crucial for testing Conditional Access policies and understanding their...
perspective
For compliance officers and legal teams, Conditional Access policies are powerful tools for meeti...
Sign up to unlock
Continue exploring
Architecting Zero Trust: Crafting Baseline Conditional Access Policies with Intune
Evidence, perspectives, rabbit holes, and more