| title | description | ms.service | ms.subservice | ms.topic | ms.date | ms.author | author | manager | ms.reviewer |
|---|---|---|---|---|---|---|---|---|---|
Conditional Access - Block access |
Create a custom Conditional Access policy to Block access |
entra-id |
conditional-access |
how-to |
07/18/2023 |
joflore |
MicrosoftGuyJFlo |
amycolannino |
calebb, lhuangnorth |
For organizations with a conservative cloud migration approach, the block all policy is an option that can be used.
Caution
Misconfiguration of a block policy can lead to organizations being locked out.
Policies like these can have unintended side effects. Proper testing and validation are vital before enabling. Administrators should utilize tools such as Conditional Access report-only mode and the What If tool in Conditional Access when making changes.
[!INCLUDE active-directory-policy-exclusions]
The following steps will help create Conditional Access policies to block access to all apps except for Office 365 if users aren't on a trusted network. These policies are put in to Report-only mode to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policies apply as they intend, they can switch them to On.
The first policy blocks access to all apps except for Microsoft 365 applications if not on a trusted location.
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Cloud apps, select the following options:
- Under Include, select All cloud apps.
- Under Exclude, select Office 365, select Select.
- Under Conditions:
- Under Conditions > Location.
- Set Configure to Yes
- Under Include, select Any location.
- Under Exclude, select All trusted locations.
- Under Client apps, set Configure to Yes, and select Done.
- Under Conditions > Location.
- Under Access controls > Grant, select Block access, then select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
A second policy is created below to require multifactor authentication or a compliant device for users of Microsoft 365.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Cloud apps > Include > Select apps, choose Office 365, and select Select.
- Under Access controls > Grant, select Grant access.
- Select Require multifactor authentication and Require device to be marked as compliant select Select.
- Ensure Require one of the selected controls is selected.
- Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
Note
Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
Determine effect using Conditional Access report-only mode
Use report-only mode for Conditional Access to determine the results of new policy decisions.