TTechclick ⚡ XP 0% All lessons
Azure · Identity · Entra ID & Conditional AccessInteractive · L1 / L2 / L3

Microsoft Entra ID & Conditional Access: — The Identity Firewall for the Cloud

In the cloud there is no network wall to hide behind — your apps live on the internet and every login lands straight at the door. Microsoft Entra ID is that door, and Conditional Access is the if-then guard who checks who you are, what device you are on, and where you are coming from before letting you in. This lesson builds the mental model the whole identity-security story stands on.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Entra ID & Conditional Access for L1/L2 engineers and the SC-300 / AZ-500 exam: why identity is the new perimeter, how a Conditional Access if-then policy works, risk-based Zero Trust, and safe baseline policies.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Identity is the perimeter

Why the login, not the firewall, is the wall now.

 2

The if-then engine

Signals in, controls out — the anatomy of a CA policy.

 3

Risk-based Zero Trust

ML risk scores, report-only, and the three ZT rules.

 4

Building safe policies

Baselines, break-glass, named locations, no lockout.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. An attacker phishes Rahul's correct Microsoft 365 password but has no MFA and a random laptop. With a "require MFA + compliant device" Conditional Access policy on, what happens?

Answered in Identity is the perimeter.

2. A Conditional Access policy says: IF user is an admin, THEN require MFA. Which part is the "signal" and which is the "control"?

Answered in Risk-based Zero Trust.

3. You want to see who a brand-new blocking policy WOULD have hit, without actually blocking anyone yet. Which mode do you create it in first?

Answered in The if-then engine.

Most engineers think…

Most engineers first hear "we turned on MFA, so we're secure" and picture a single tickbox that protects everything. They think MFA on the user account is the whole story.

Wrong — and that gap is exactly how accounts still get breached with MFA enabled. MFA is just one control. The real engine is Conditional Access: an if-then policy that looks at who you are, what device you're on, where you're coming from and how risky the sign-in looks, and only then decides whether to grant, challenge with MFA, or block. And if you leave legacy authentication (IMAP/POP3/SMTP) open, attackers simply use a protocol that can't do MFA — MFA becomes a front door with the back door wide open. The policy engine, not the tickbox, is the security.

① Identity is the perimeter — the cloud control plane

Picture Sneha, an L1 cloud-support engineer at Infosys. Ten years ago, "secure the company" meant guarding the network perimeter — a hardware firewall around the office, a VPN to get inside, and the rule "if you're on the inside network, you're trusted." But Sneha's company now runs on Microsoft 365, Azure and a dozen SaaS apps. Those apps don't live behind her firewall anymore — they live on the public internet, and every employee logs into them from home, a cafe, or a phone.

So where is the wall now? There isn't a network one. When the apps and the users are both on the internet, the only thing standing between an attacker and the data is the login. That is the shift this whole lesson rests on: identity is the new perimeter, and the control plane — the place security decisions get made — moved from the network edge to the identity layer.

The system that owns that identity layer for Microsoft is Microsoft Entra ID — which you will still hear called by its old name, Azure Active Directory (Azure AD). Entra ID is the identity provider (IdP) that sits in front of M365, Azure and SaaS: when you sign in to Outlook or the Azure portal, you are really signing in to Entra ID, which then issues a token the app trusts.

👉 So far: apps moved to the internet, so the network wall is gone and the login is the only door. Next: the cast of identities Entra ID actually manages.

Entra ID doesn't just hold human users. Learn this cast — interviews and the exam test it: Users (people like Sneha) and Groups (bundles you assign access to, so you manage 5,000 people as 12 groups). App registrations let your own or third-party apps use Entra ID to sign people in. A service principal is the "user account for an app." And a managed identity is a passwordless identity Azure gives a resource (like a VM) so it can call other services without a secret in code — the cure for hard-coded keys.

Figure 1 — The perimeter moved from the network edge to the login
In the cloud the firewall no longer surrounds your apps — every login goes straight to the internet, so identity is the only perimeter left A two-world comparison. On the left, the old on-prem world: users sit inside an office, a hardware firewall draws a trusted boundary around the data centre, and being inside the network is treated as being trusted. On the right, the cloud world: users connect from home, cafe and mobile over the public internet directly to Microsoft 365, Azure and SaaS apps, so there is no network boundary to hide behind. Microsoft Entra ID sits in front of every app as the identity provider checking who you are. Red marks untrusted paths, blue marks the verified identity boundary, amber marks the Entra ID decision point. The perimeter moved — from the network edge to the login Old world — network is the wall users in office "trusted" — inside the firewall 🧱 firewall app + data inside = trusted → one stolen VPN cred roams free but the apps already moved out of this box… Cloud world — identity is the wall home laptop cafe wifi mobile phone Entra IDidentity providerwho are you? Microsoft 365 Azure SaaS (Salesforce…) every request passes the identity check first — no inside MFA + Conditional Access decide at this gate a stolen password alone no longer wins untrusted / attackertrusted / verifiedpolicy / decisionkey insightallowed / granted
Read both halves for the same company. Left (old): a firewall draws a trusted boundary and "inside = trusted." Right (cloud): users and apps are both on the internet, so every request hits the Entra ID identity gate first — there is no inside to hide in.

The four identity types in Entra ID

Tap each card — these are the objects you will create, assign and troubleshoot every day, and they show up across SC-300 and AZ-500.

👤
User & Group
tap to flip

A user is a person; a group bundles many. You assign access (and CA policies) to groups, not one-by-one. So: 5,000 people managed as a handful of groups.

📋
App registration
tap to flip

Defines an app to Entra ID — its identity, redirect URIs and permissions. So: this is how an app gets to use "Sign in with Microsoft".

🤖
Service principal
tap to flip

The "user account for an app" — the identity a registered app uses to authenticate. So: when a script breaks with 401, you check the service principal, not a person.

🔑
Managed identity
tap to flip

A passwordless identity Azure manages for a VM/Function so it calls services with no stored secret. So: the fix for hard-coded keys in code.

Daily-life analogy — Aadhaar instead of the society gate

The old model is a society gate-pass register: once the guard waves you through the front gate, you can walk into any flat — being "inside the gate" is treated as trusted. The cloud model is Aadhaar-OTP verification at every counter: it doesn't matter which gate you came through; the bank, the SIM shop and the gas office each verify you directly before serving you. Entra ID is that Aadhaar authority, and Conditional Access is the clerk deciding whether your OTP alone is enough or they need more proof today.

Quick check · Q1 of 10

A developer at TCS hard-codes a storage key in a VM's code, and a security review flags it. Which Entra ID identity type is the right fix so the VM can reach the storage account with no secret in the code?

Correct: a. A managed identity is an Entra ID identity Azure manages for the resource itself, so the VM authenticates with no password or key stored anywhere — exactly the cure for hard-coded secrets. A shared user account is still a password; putting the key in an app registration just relocates the secret; a guest user is for external people, not a VM.

Pause & Predict

Predict: if "inside the network = trusted" is dead, what is the single thing an attacker now needs most to get into a cloud tenant — and what one extra check defeats a stolen copy of it? Type your guess.

Answer: They need a valid identity — most often a username and password (phished or sprayed). The one extra check that defeats a stolen password is proving something the attacker doesn't have: a second factor (MFA) and/or a trusted device. That is exactly what Conditional Access adds on top of the password — which is why the rest of this lesson is about the policy engine, not the password.

② Conditional Access — the if-then policy engine

Here is the one sentence that unlocks Conditional Access: a CA policy is an if-then statement. IF these signals are true, THEN apply these controls. That's it. Everything else is detail. Microsoft's own docs describe it as combining signals to make a decision and enforce a policy.

The signals (the IF side, called Assignments and Conditions in the portal) include: user or group (who), device state (managed/compliant or not), location (the IP and country the sign-in comes from), the app being accessed, the client app, and the sign-in risk. The controls (the THEN side) include: require MFA, require a compliant device, require a hybrid-joined device, block access, or session limits.

Two rules about how they combine, both exam-favourites. First, all assignments combine with AND — if a policy targets "admins" and "the Azure portal," the user must be an admin and hitting the Azure portal for it to fire. Second, when several policies apply, all of them must be satisfied, and if any matching policy says block, block wins. Enforcement runs in two phases: phase 1 collects the signals (this also happens for report-only policies), and phase 2 enforces — block stops first, otherwise the user is prompted for the missing controls in a fixed order (MFA, then compliant device, then hybrid join…).

Figure 2 — One sign-in through the if-then engine
A Conditional Access policy is an if-then engine: it gathers signals, checks them against the policy, then grants, challenges or blocks the sign-in A left-to-right evaluation pipeline for one sign-in. Step 1 a user signs in and Entra ID collects signals: user and group, device state, location and IP, the target app, and the sign-in risk from Identity Protection. Step 2 the Conditional Access policy engine checks those signals against if-then rules in two phases — phase 1 collect, phase 2 enforce. Step 3 it produces one of three outcomes: grant directly, grant only after a control such as require MFA or require a compliant device, or block access. Amber marks the decision engine, green marks an allowed result, red marks a blocked result. One sign-in through the if-then engine 1 · Signals (IF) user / group device state location / IP target app sign-in risk (ML) all combined with AND 2 · CA policy enginephase 1: collect detailsphase 2: enforce controlsif these signals → then thiscontrol (the "THEN")Policy Engine (NIST 800-207) ✓ Granttrusted signals → straight in ⚷ Grant + controlrequire MFA / compliant device ✗ Blockrisky / disallowed → denied Key idea: the password got you to the gate — the policy decides if you actually pass through it untrusted / attackertrusted / verifiedpolicy / decisionkey insightallowed / granted
Follow left to right: signals (the IF) feed the policy engine, which is the NIST 800-207 "Policy Engine"; it outputs one of three results — grant, grant-after-a-control, or block. The password got you to the gate; the policy decides if you pass.
🖥️ This is the screen you build it on — Microsoft Entra admin center → Entra ID → Conditional Access → Policies → New policy. (Recreated for clarity — your console matches this.)
entra.microsoft.com · Conditional Access · New policy
1
Name
CA002 - Require MFA for admins
2
Assignments → Users (Include)
Directory roles: Global Administrator + 8 admin roles
3
Assignments → Users (Exclude)
Group: BreakGlass-EmergencyAccess
Target resources
Cloud apps: All resources (formerly All cloud apps)
Conditions → Sign-in risk
Not configured
4
Access controls → Grant
Grant access · Require multifactor authentication
5
Enable policy
Report-only
Create

You can also drive Conditional Access as code — useful for review, version control and the exam's automation angle. Here is the same "require MFA for admins" idea expressed as a Microsoft Graph policy body, the shape the portal saves behind the scenes.

Microsoft Graph — create a CA policy in report-only state (PowerShell)
# Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
  displayName = "CA002 - Require MFA for admins"
  state       = "enabledForReportingButNotEnforced"   # report-only
  conditions  = @{
    users        = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10") }  # Global Admin
    applications = @{ includeApplications = @("All") }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Expected output
Id                                   DisplayName                    State
--                                   -----------                    -----
8f3c1a92-...-4d2e-bb7a-19c0e7f2a6b1  CA002 - Require MFA for admins enabledForReportingButNotEnforced
Common mistake — "I required compliant device AND MFA, now nobody can log in"

Symptom: you tick both Require compliant device and Require MFA and leave the default Require all the selected controls, then users on personal phones are locked out even with correct MFA. Cause: "all selected" means the device must be Intune-compliant too, and BYOD phones aren't. Fix: decide whether you mean AND (both) or OR (either) — switch to Require one of the selected controls if a compliant device or MFA is acceptable, and roll it out in report-only first to see who it would have blocked.

Quick check · Q2 of 10

A policy at Wipro targets "Finance group" AND "the SAP app" AND requires MFA. Priya is in Finance but is opening Outlook, not SAP. Does the policy require her to do MFA right now?

Correct: b. Conditional Access combines all assignments with AND. The policy fires only when the user is in Finance AND the app is SAP. Priya is in Finance but in Outlook, so the SAP condition isn't met and this policy doesn't apply to that sign-in. Being in the group alone, or the app being any app, would each be an OR — which CA does not do across assignments.

Pause & Predict

Predict: two CA policies apply to the same sign-in — Policy A says "grant with MFA," Policy B says "block this country." The user does MFA successfully. Are they in? Type your guess.

Answer: No — they are blocked. When multiple policies apply, every one must be satisfied, and a block control always wins over a grant. Policy B's block stops the sign-in regardless of how well the user satisfied Policy A's MFA. This is why "block" policies are powerful and need careful scoping — and why you test them in report-only first.

③ Risk-based access & Zero Trust

So far the signals were static facts (who, what device, where). The most powerful signal is dynamic: how risky does this sign-in look right now? That comes from Microsoft Entra ID Protection, which runs machine-learning models over Microsoft's sign-in telemetry and produces two scores.

Sign-in risk rates a single login attempt: is this an impossible-travel case, an anonymous/Tor IP, an unfamiliar device, a token-replay? User risk rates the account itself over time: did this user's credentials show up in a leaked-credentials dump, or is there a pattern of risky activity? Each is scored low / medium / high.

Now the clever part: risk-based Conditional Access uses those scores as the IF. A common pair: IF sign-in risk is high → require MFA (prove it's really you), and IF user risk is high → require a secure password change (the credential may be in attackers' hands, so rotate it). Microsoft is moving the legacy Identity-Protection risk policies into Conditional Access — the standalone risk policies retire on 1 October 2026, so build new ones in CA where you get report-only mode and Graph APIs.

👉 So far: ID Protection scores risk, and risk-based CA acts on it. Next: how all of this is Zero Trust — and why you always test before you enforce.

This is Zero Trust in practice. Zero Trust has three rules, and Conditional Access implements each one directly. Verify explicitly — check identity, device, location and risk on every request (that's the signals). Use least privilege — grant only what's needed, with session limits and just-in-time access. Assume breach — treat a risky sign-in as already compromised and demand more proof or block. In NIST SP 800-207 terms, the CA engine is the Policy Engine (it decides) and Entra ID is the Policy Enforcement Point (it acts).

Figure 3 — Conditional Access is the if-then guard at every door
Same stolen password, two outcomes: with password-only auth the attacker walks in; with Conditional Access the wrong device and risky location get blocked A decision comparison for an attacker who has phished Rahul's correct password. Left column, password-only: Entra ID checks only the password, it is correct, so access is granted and the mailbox is breached. Right column, Conditional Access on: the same correct password is checked, then the policy evaluates extra signals — the device is unmanaged and non-compliant, the location is an unfamiliar country, and Identity Protection flags the sign-in as high risk — so the policy requires a compliant device and MFA, the attacker has neither, and access is blocked. Red marks the breach path, green marks the blocked-and-safe path, amber marks the policy decision. "Right password, wrong device" — why the password is not enough Password only (no Conditional Access) attacker + phished pwd check password✓ correct nothing else is checked ⚠ access GRANTED mailbox + files breached from anywhere on any laptop, from any country the 1990s model — perimeter is gone Conditional Access ON attacker + pwd✓ correct policy checks more signalsdevice: unmanaged ✗location: unfamiliar country ✗sign-in risk: HIGH ✗→ require compliant device + MFA ✓ access BLOCKED — safe attacker has no compliant device, no MFA token Rahul on his managed laptop sails through untrusted / attackertrusted / verifiedpolicy / decisionkey insightallowed / granted
The three Zero Trust rules mapped onto the CA decision: verify explicitly (read the signals), assume breach (risk → block or step-up), least privilege (limit the session). The same correct password gets two different verdicts depending on the signals.

▶ Watch a risky sign-in get caught

Karthik at HCL is the target. An attacker in another country has phished his password and tries to log into Microsoft 365. Follow the sign-in through Entra ID and the risk-based policy, step by step. Press Play for the healthy path, then Break it to see the failure.

① Passwordattacker submits Karthik's phished password → it is correct; old model would stop here
② SignalsEntra ID gathers signals: device unmanaged, location unfamiliar country, token from a new IP
③ Risk scoreID Protection ML returns sign-in risk = High (impossible travel + unfamiliar device)
④ Enforcerisk-based CA fires: require MFA; attacker has no second factorblocked
Press Play to step through the healthy path. Then press Break it.
Always test before you enforce — report-only mode

Never flip a new policy straight to On across all users. Create it in Report-only mode (the default for new policies): Entra ID evaluates it on every sign-in and records what it would have done, without enforcing. After a few days, read Entra ID → Sign-in logs → Conditional Access tab (and the What If tool) to see exactly who it would have blocked or challenged. Only when the impact looks right do you move Enable policy from Report-only to On. Report-only policies don't even need the break-glass exclusion, because they never block.

Meera at ICICI faces this

Meera, an L2 identity analyst, sees an alert: a Global Admin account signed in successfully from Bengaluru at 09:14 and again from Lagos at 09:31 — a physically impossible gap. The Lagos session is already reading the mailbox.

Likely cause

Credentials were phished. Sign-in risk for the Lagos attempt is High (impossible travel + unfamiliar device), but the tenant had only a plain "require MFA" policy that the attacker satisfied with a stolen session token — there was no risk-based step-up or block, and no Identity Protection user-risk policy to force a password reset.

Diagnosis

She separates the signals from the controls: the MFA control existed, but no policy used the risk score, so a high-risk sign-in was treated like a normal one. She confirms the risk level and detections in Identity Protection.

Microsoft Entra admin center → Protection → Identity Protection → Risky sign-ins (and Risky users)
Fix

Build a risk-based CA policy — IF sign-in risk is High → block (or require MFA + reauth) — and a user-risk policy — IF user risk is High → require secure password change. Confirm the account, revoke its sessions, and roll the new policies out from report-only to On.

Verify

Replay via the What If tool with sign-in risk = High → the policy now shows "Block"; the next impossible-travel attempt on any account is denied and the user is forced to reset, visible in the Sign-in logs Conditional Access tab.

Quick check · Q3 of 10

Aditya wants two things: a sign-in that looks fraudulent should be challenged, and an account whose password leaked online should be forced to reset. Which pair of risk-based controls matches?

Correct: c. Sign-in risk is about THIS attempt, so the right step-up is to prove identity with MFA. User risk is about the account/credential being compromised over time (e.g. leaked credentials), so the fix is to rotate the credential with a secure password change. Swapping them misapplies each control; block-only is heavier than needed for medium cases and hurts usability; log-only protects nothing.

Pause & Predict

Predict: which Zero Trust principle is most directly broken if you trust "the user is signing in from our office IP range" and skip MFA for those sign-ins? Type your guess.

Answer: "Verify explicitly" — and really "assume breach" too. Treating an IP/location as automatically trusted is the old perimeter thinking: an attacker inside that network, or spoofing/proxying through it, inherits the trust. Zero Trust says verify every request on its own merits (identity + device + risk), not its source address. Named locations are fine as one signal to reduce friction, but they should never be the only gate.

④ Building safe policies — baselines, break-glass & gotchas

Now you build. A sane starting estate is a small set of baseline policies that every Microsoft identity guide recommends. (1) Block legacy authentication for all users. (2) Require MFA for admins (all the privileged directory roles). (3) Require MFA for all users. (4) Risky sign-in → require MFA (and risky user → password change). Many tenants now also get Microsoft-managed policies rolled out automatically in report-only — review and adopt those too.

Why is block legacy authentication rule number one? Old protocols — IMAP, POP3, SMTP AUTH, the Office 2010-era clients — cannot perform MFA. So if you require MFA for users but leave legacy auth open, an attacker just connects over IMAP with the phished password and skips MFA entirely. Microsoft's own data attributes more than 99% of password-spray attacks to legacy authentication. Leaving it on turns your MFA into a front door with the back door propped open.

The single most important safety step before you enforce anything: the break-glass (emergency access) account. Microsoft recommends two cloud-only Global Admin accounts that you exclude from every blocking CA policy, protect with phishing-resistant MFA (FIDO2), and alert on for every single use. Without this, one typo in a block policy can lock out all your admins — a real, common disaster.

Common mistake — locking every admin out of the tenant

Symptom: you enable "Require compliant device for all users," and minutes later no one, including you, can sign in to the Entra admin center — the admins' own laptops weren't Intune-enrolled yet. Real teams have done exactly this; recovery means opening a Microsoft support case to bypass the policy. Fix BEFORE you enforce: (1) keep two break-glass accounts excluded from the policy, (2) roll out in report-only first and read the impact, (3) scope to a pilot group before "all users." The exclusion list is what saves you at 2 a.m.

Two more building blocks. Named locations let you define your office IP ranges or specific countries once and use them as a signal (e.g. "block sign-ins from countries we never operate in"). But location is a weak signal — IPs can be spoofed or proxied — so use it to reduce friction, never as the only gate. And remember the legacy-auth backdoor: if any policy or app still allows basic auth, your strongest MFA policy can be sidestepped, so the block-legacy-auth policy underpins all the others.

Figure 4 — Conditional Access — the cheat-sheet
Conditional Access on one card — the signals you can match, the controls you can require, the safety rules, and a starter policy set A nine-tile cheat sheet. Tiles cover the IF signals (user, device, location, app, risk), the THEN controls (require MFA, require compliant device, block, session limits), the report-only safety step, the break-glass exclusion rule, named locations, the block-legacy-auth rule, the starter policy set of four baseline policies, the two phases of evaluation, and the certification mapping to SC-300 and AZ-500. Conditional Access — your one-glance card IF — signals you matchuser/group · device state · location/IPcloud app · client app · sign-in riskall combined with AND THEN — controlsrequire MFA · require compliant devicerequire hybrid join · block accesssession: sign-in freq · no persist Test before enforcecreate in Report-only mode firstread Sign-in logs → CA tabthen flip Enable policy → On Break-glass rule2 cloud-only Global Admin accountsEXCLUDE from blocking CA policiesFIDO2 + alert on every use Named locationsdefine office IP ranges / countriesmark trusted · use as a signalnever trust IP alone — spoofable Block legacy authIMAP / POP3 / SMTP AUTH skip MFA>99% of password-spray uses itblock it or MFA is a backdoor Starter policy set (build these 4)1· Block legacy authentication (all users)2· Require MFA for admins (admin roles)3· Require MFA for all users4· Risky sign-in → require MFA + pwd change…all EXCLUDING the break-glass accounts Two phases + exam mapphase 1 = collect signals (also report-only)phase 2 = enforce; block wins, else MFA→deviceSC-300: implement Conditional Access + riskAZ-500: secure identity & access (15-20%)
Your one-card map of this whole lesson — the IF signals, the THEN controls, report-only safety, the break-glass rule, named locations, block legacy auth, the starter 4-policy set, the two phases, and the SC-300 / AZ-500 mapping. Keep it open in your first week.
Azure CLI — confirm legacy auth is actually being blocked (read sign-in logs)
az ad signed-in-user show --query userPrincipalName -o tsv
# review last 24h of legacy-auth sign-ins (clientAppUsed = IMAP/POP/SMTP/Other)
az monitor activity-log list --offset 24h \
  --query "[?contains(operationName.value,'Sign-in')].{user:caller, app:properties.clientAppUsed, result:status.value}" \
  -o table
Expected output
UserPrincipalName
sneha.k@infosys-tenant.onmicrosoft.com

User                              App                    Result
--------------------------------  ---------------------  -------
rahul.m@infosys-tenant...         Browser                Success
svc-backup@infosys-tenant...      Other clients (legacy) Failure  <- blocked by CA001
Daily-life analogy — the spare key with the building manager

The break-glass account is the spare flat key sealed in an envelope with the building manager. You never use it day-to-day, it isn't tied to any one resident, and there's a logbook entry every time the envelope is opened. The day your normal key snaps in the lock (a bad CA policy locks everyone out), that sealed spare is the only thing that gets you back in. Excluding it from your blocking policies is what keeps the envelope sealed and usable.

Quick check · Q4 of 10

You're about to enable a brand-new "block access from outside India" policy for all users. What MUST be true first so you don't lock yourself and every admin out?

Correct: d. The break-glass exclusion plus a report-only dry run are exactly what prevent a tenant-wide lockout: an emergency account can always get in, and report-only shows the impact before enforcement. Block policies do NOT apply safely by default — that's the danger; deleting other policies removes your other protections; disabling MFA makes you less secure, not safe.

Pause & Predict

Predict: you have a perfect "require MFA for all users" policy, but you never created a block-legacy-authentication policy. Where does the attacker walk in? Type your guess.

Answer: Through legacy authentication. Protocols like IMAP, POP3 and SMTP AUTH can't perform MFA, so the engine has no way to challenge them — the attacker connects with just the phished password over one of those protocols and your MFA policy never even gets a chance to fire. That's why "block legacy auth" is policy #1: without it, the MFA policy is a front door with the back door open.
Next: Microsoft Defender for Cloud — CSPM + workload protection
Prove you own Conditional Access

Cold, in 30 seconds: state a CA policy as IF (name three signals) → THEN (name three controls); explain why "right password, wrong device" gets blocked; name the four baseline policies; and explain what a break-glass account is and why it's excluded from blocking policies. If you can do that without notes, you're ready for the next lesson and for the Conditional Access objectives of SC-300 and the identity domain of AZ-500.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Azure docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In the cloud security model this lesson teaches, what is considered the new perimeter — the place security decisions are made?

Correct: c. When apps and users both live on the internet, there is no network wall to hide behind, so identity (the login) becomes the perimeter and Entra ID + Conditional Access enforce it. The firewall, VPN and router are network-layer controls that no longer surround the cloud apps.
Q6 · Apply

A developer needs an Azure VM to read from a storage account without any secret stored in the code. Which Entra ID identity should they use?

Correct: a. A managed identity is an Entra ID identity Azure manages for the resource, so the VM authenticates with no password or key in code — exactly the requirement. A shared user account and an app registration holding the key both still store a secret; a guest user is for external people, not a VM.
Q7 · Apply

You must roll out a strict new "block sign-ins from outside India" policy without risking a tenant-wide lockout. What do you do first?

Correct: b. Report-only shows the impact without enforcing, and an excluded break-glass account guarantees you can always get back in — the two safe-rollout habits. Enabling for everyone at once is the classic lockout cause; deleting other policies removes your protections; disabling MFA makes you less secure, not safer.
Q8 · Analyze

A tenant has a flawless "require MFA for all users" policy but no policy targeting legacy authentication. An attacker has a phished password. Where do they most likely get in, and why?

Correct: a. Legacy protocols cannot perform MFA, so a connection over IMAP/POP3/SMTP with the correct password is never challenged — the MFA control has no way to apply. That is exactly why "block legacy authentication" is the first baseline policy. The browser path would trigger MFA; the MFA policy does NOT cover legacy clients; the Azure portal does honour CA.
Q9 · Analyze

Two Conditional Access policies apply to one sign-in: Policy A grants access after MFA; Policy B blocks the user's current country. The user completes MFA successfully. What is the result, and why?

Correct: d. When several policies apply, every one must be satisfied, and any matching block control stops the sign-in regardless of how well other policies were met. Policy B's block overrides Policy A's grant-after-MFA. Policies never "cancel out," and the default is not allow once a block policy matches.
Q10 · Evaluate

Two engineers describe Conditional Access to a hiring manager. (A) "It's MFA plus a nicer admin screen." (B) "It's an if-then policy engine that combines signals — user, device, location, risk — with controls like require MFA, require a compliant device or block, implementing Zero Trust's verify-explicitly and assume-breach." Which is stronger and why?

Correct: b. B explains the cause — an if-then engine combining multiple signals with multiple controls, mapped to Zero Trust principles — which is the architecture SC-300 and AZ-500 (and the job) test. A reduces CA to "MFA with a GUI," missing device/location/risk signals, the block control, report-only rollout and the Zero Trust framing entirely.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why does a Conditional Access policy with "require MFA" still let an attacker in if you never blocked legacy authentication? Then compare to the expert version.

Expert version: Because legacy protocols like IMAP, POP3 and SMTP AUTH can't perform MFA, so an attacker using one of them connects with just the phished password and the MFA control never even gets a chance to fire — which is why "block legacy auth" is the first baseline policy.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Microsoft Entra ID (Azure AD)
Microsoft's cloud identity provider (renamed from Azure Active Directory in 2023). Authenticates users and apps for M365, Azure and SaaS.
Service principal
The "user account for an app" — the identity a registered application uses to authenticate to Entra ID.
Managed identity
A passwordless Entra ID identity Azure manages for a resource (VM, Function) so it calls other services with no stored secret.
Conditional Access (CA)
An if-then policy engine: IF these signals are true, THEN apply these access controls. The cloud "identity firewall."
Signals → Controls
The two halves of a CA policy: signals are the IF (user, device, location, app, risk); controls are the THEN (require MFA, require compliant device, block, limit session).
MFA
Multifactor authentication — a second proof beyond the password (Authenticator approval, FIDO2 key, or code).
Entra ID Protection
ML-driven feature that scores sign-in risk and user risk and feeds those scores to Conditional Access (needs P2).
Sign-in risk / User risk
Sign-in risk rates one login attempt (impossible travel, anonymous IP); user risk rates the account over time (leaked credentials). Each low/medium/high.
Report-only mode
A CA policy state that evaluates and logs what it WOULD do on every sign-in without enforcing — the safe way to test impact first.
Break-glass account
Two cloud-only Global Admin accounts, excluded from blocking CA policies, kept for the emergency where all normal admins are locked out.
Legacy authentication
Old protocols (IMAP, POP3, SMTP AUTH, Office 2010 clients) that can't do MFA — a backdoor unless explicitly blocked.
Zero Trust
A model (NIST SP 800-207) that drops the trusted internal network and verifies every request explicitly: verify explicitly, least privilege, assume breach.

📚 Sources

  1. Microsoft Learn — "Build a Conditional Access policy" (if-then statement of Assignments + Access controls; assignments combine with AND; phase 1 collect / phase 2 enforce; control order MFA → compliant device → hybrid join). learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
  2. Microsoft Learn — "Conditional Access: Grant" (grant controls: require MFA, require compliant device (Intune), require hybrid joined device, block; require all vs require one of the selected controls). learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant
  3. Microsoft Learn — "Microsoft Entra ID Protection risk-based access policies" + "Configure risk policies" (sign-in risk vs user risk, low/medium/high; risk-based CA; legacy ID-Protection risk policies retire 1 Oct 2026; build in CA for report-only + Graph). learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies · learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
  4. Microsoft Learn — "Manage emergency access admin accounts" + "Block legacy authentication with Conditional Access" (two cloud-only Global Admin break-glass accounts excluded from blocking policies, FIDO2, alert on use; >99% of password-spray uses legacy auth — block IMAP/POP3/SMTP). learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access · learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication
  5. Microsoft Q&A — "All admins locked out due to faulty conditional access policy" (real lockout from a blocking policy with no break-glass exclusion; recovery via Microsoft support bypassing CA) + Azure Blog "Mandatory MFA Phase 2, October 2025." learn.microsoft.com/en-us/answers/questions/1003487/ · azure.microsoft.com/en-us/blog/azure-mandatory-multifactor-authentication-phase-2-starting-in-october-2025/
  6. NIST SP 800-207 "Zero Trust Architecture" (verify explicitly, least privilege, assume breach; Policy Engine / Policy Administrator / Policy Enforcement Point) + SC-300 and AZ-500 study guides (Conditional Access + Identity Protection objectives). csrc.nist.gov/pubs/sp/800/207/final · learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-300 · learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-500

What's next?

You can now lock the front door with identity. But what watches the rooms inside — the VMs, storage, containers and the misconfigurations attackers love? Next we turn on the cloud's security camera and posture scanner.

Next · Microsoft Defender for Cloud: CSPM + Workload Protection → Practice on exam.techclick.in →