| title | description | ms.service | ms.subservice | ms.topic | ms.date | ms.author | author | manager | ms.reviewer |
|---|---|---|---|---|---|---|---|---|---|
Simplify Conditional Access policy deployment with templates |
Deploy recommended Conditional Access policies from easy to use templates. |
entra-id |
conditional-access |
conceptual |
06/20/2024 |
joflore |
MicrosoftGuyJFlo |
amycolannino |
lhuangnorth |
Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.
:::image type="content" source="media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png" alt-text="Screenshot that shows Conditional Access policies and templates in the Microsoft Entra admin center." lightbox="media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png":::
Conditional Access policy templates are organized into the following categories:
Microsoft recommends these policies as the base for all organizations. We recommend these policies be deployed as a group.
- Require multifactor authentication for admins
- Securing security info registration
- Block legacy authentication
- Require multifactor authentication for admins accessing Microsoft admin portals
- Require multifactor authentication for all users
- Require multifactor authentication for Azure management
- Require compliant or Microsoft Entra hybrid joined device or multifactor authentication for all users
These policies as a group help support a Zero Trust architecture.
- Require multifactor authentication for admins
- Securing security info registration
- Block legacy authentication
- Require multifactor authentication for all users
- Require multifactor authentication for guest access
- Require multifactor authentication for Azure management
- Require multifactor authentication for risky sign-ins Requires Microsoft Entra ID P2
- Require password change for high-risk users Requires Microsoft Entra ID P2
- Block access for unknown or unsupported device platform
- No persistent browser session
- Require approved client apps or app protection policies
- Require compliant or Microsoft Entra hybrid joined device or multifactor authentication for all users
- Require multifactor authentication for admins accessing Microsoft admin portals
- Block access for users with insider risk Requires Microsoft Purview
These policies help secure organizations with remote workers.
- Securing security info registration
- Block legacy authentication
- Require multifactor authentication for all users
- Require multifactor authentication for guest access
- Require multifactor authentication for risky sign-ins Requires Microsoft Entra ID P2
- Require password change for high-risk users Requires Microsoft Entra ID P2
- Require compliant or Microsoft Entra hybrid joined device for administrators
- Block access for unknown or unsupported device platform
- No persistent browser session
- Require approved client apps or app protection policies
- Use application enforced restrictions for unmanaged devices
These policies are directed at highly privileged administrators in your environment, where compromise might cause the most damage.
- Require multifactor authentication for admins
- Block legacy authentication
- Require multifactor authentication for Azure management
- Require compliant or Microsoft Entra hybrid joined device for administrators
- Require phishing-resistant multifactor authentication for administrators
Policies in this category provide new ways to protect against compromise.
Find these templates in the Microsoft Entra admin center > Protection > Conditional Access > Create new policy from templates. Select Show more to see all policy templates in each category.
:::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Screenshot that shows how to create a Conditional Access policy from a preconfigured template in the Microsoft Entra admin center." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png":::
Important
Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to exclude other accounts, you will be able to modify the policy once they are created. You can find these policies in the Microsoft Entra admin center > Protection > Conditional Access > Policies. Select a policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.
By default, each policy is created in report-only mode, we recommended organizations test and monitor usage, to ensure intended result, before turning on each policy.
Organizations can select individual policy templates and:
- View a summary of the policy settings.
- Edit, to customize based on organizational needs.
- Export the JSON definition for use in programmatic workflows.
- These JSON definitions can be edited and then imported on the main Conditional Access policies page using the Upload policy file option.
- Require multifactor authentication for device registration
- Block access by location
- Block access except specific apps
[!INCLUDE active-directory-policy-exclusions]