DEV Community

Athanasius Wahbah

Originally published at athanasiuswahbah.com

Designing Conditional Access People Don't Fight

Conditional Access is the most powerful control most organizations own and the one most likely to be quietly worked around. The failure mode isn't a weak policy — it's a policy so blunt that people invent shadow workarounds, and your real security posture ends up worse than before you tightened it.

Secure the risk, not the person

The instinct is to add friction everywhere. The better model is to spend friction where the risk actually is. A sign-in from a compliant, managed device on a trusted named location is low risk; demanding step-up authentication for it just trains people to dismiss prompts, and habitual approval is exactly what MFA-fatigue attacks rely on. A sign-in from an unmanaged device in a country the user has never signed in from is where the cost of a challenge is worth paying. Conditional Access is built for exactly this kind of targeting: its conditions already express device compliance, named locations, client app type and sign-in risk, so combine them to scope the control to the risky case instead of levying it as a blanket tax.

Make the compliant path the easy path

If the secure way to work is also the most convenient way, you've won. Device compliance, single sign-on, and passwordless authentication aren't just security features — they're the thing that makes "do it the right way" frictionless, which is what actually stops the workarounds.

Stage everything in report-only

Never ship a Conditional Access change straight to enforcement. Report-only mode evaluates the policy on every sign-in and records what it would have done (success, failure, user action required, not applied) without changing the outcome; the results show up per sign-in in the sign-in logs and in aggregate in the Conditional Access insights and reporting workbook. The number of would-be failures is almost always larger and stranger than you expect: service accounts, legacy authentication clients, an executive's travel pattern. Find those in report-only, not in a flood of help-desk tickets. One caveat: a report-only policy that requires a compliant device can still prompt users on macOS, iOS and Android to pick a device certificate during evaluation, so give people a heads-up before staging that particular control.

Leave a break-glass path

Every Conditional Access deployment needs emergency-access accounts that are excluded from every policy, including the ones you have not written yet, and that are monitored and tightly controlled: cloud-only, with credentials stored out of band and not tied to any one person's phone or device. The day you lock yourself out of your own tenant is the day you learn why. Build the break-glass path first, test it by actually signing in with it, and alert on every sign-in attempt by those accounts, successful or not.
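The three points above (target the risk, stage in report-only, exclude break-glass accounts) come together in a single policy object. The following is an added example and not code from the original post: it builds a Conditional Access policy body in the Microsoft Graph schema, lints it before deployment, and scans sign-in records for break-glass use. The object IDs, user principal names, policy name and sample sign-in records are constructed placeholders; the Graph endpoint and the schema field names are the real ones.

```python
"""
Added example, not code from the original post: a Microsoft Entra Conditional Access
policy body in the Microsoft Graph schema that spends friction only where the risk is
(unmanaged device AND untrusted network), ships in report-only state, and excludes the
emergency-access accounts; plus a pre-deployment lint and a sign-in-log check for
break-glass use. All object IDs, UPNs and sign-in records are constructed placeholders.
"""
from __future__ import annotations

import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph value for report-only mode

# Constructed placeholders for two cloud-only emergency-access accounts.
BREAK_GLASS_IDS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}
BREAK_GLASS_UPNS = {"bg-admin-1@contoso.example", "bg-admin-2@contoso.example"}


def risk_targeted_mfa_policy(break_glass_ids: set[str]) -> dict:
    """Require MFA only for sign-ins that are neither from a compliant device nor from a
    trusted named location. Everything else passes without a prompt."""
    return {
        "displayName": "CA010 - MFA for unmanaged devices off trusted networks",  # placeholder
        "state": REPORT_ONLY,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": sorted(break_glass_ids),    # the break-glass path
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Known networks are low risk: carve out every trusted named location.
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            # Filter for devices in exclude mode: compliant devices fall out of scope, so
            # unregistered/unmanaged devices (which have no attributes) stay in scope.
            "devices": {
                "deviceFilter": {"mode": "exclude", "rule": "device.isCompliant -eq True"}
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict, break_glass_ids: set[str]) -> list[str]:
    """Reasons the policy must not be deployed as-is; an empty list means it passes."""
    findings: list[str] = []
    users = policy.get("conditions", {}).get("users", {})
    missing = break_glass_ids - set(users.get("excludeUsers", []))
    if missing:
        findings.append(f"break-glass account(s) not excluded: {sorted(missing)}")
    if policy.get("state") != REPORT_ONLY:
        findings.append(f"state is {policy.get('state')!r}; new policies start in report-only")
    return findings


def deploy(policy: dict, access_token: str) -> dict:
    """Lint, then create the policy via Graph (needs Policy.ReadWrite.ConditionalAccess).
    Not called at import time; requires a real token and network access."""
    findings = lint_policy(policy, BREAK_GLASS_IDS)
    if findings:
        raise ValueError("refusing to deploy: " + "; ".join(findings))
    req = urllib.request.Request(
        GRAPH_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample records in the shape of Graph /auditLogs/signIns items.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:12Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:04:51Z", "userPrincipalName": "BG-Admin-1@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},   # failed: bad password
    {"createdDateTime": "2024-05-01T08:05:30Z", "userPrincipalName": "bg-admin-1@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:10:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
]


def break_glass_use(signins: list[dict], break_glass_upns: set[str]) -> list[dict]:
    """Every sign-in attempt by an emergency-access account is alert-worthy, whether it
    succeeded or failed (a failed one may be someone guessing the password)."""
    watch = {u.lower() for u in break_glass_upns}
    return [s for s in signins if s.get("userPrincipalName", "").lower() in watch]


if __name__ == "__main__":
    policy = risk_targeted_mfa_policy(BREAK_GLASS_IDS)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy, BREAK_GLASS_IDS) or "ok")
    for hit in break_glass_use(SAMPLE_SIGNINS, BREAK_GLASS_UPNS):
        print("ALERT break-glass sign-in:", hit["userPrincipalName"], hit["ipAddress"], hit["status"])
```

The device filter runs in exclude mode on purpose: a filter that includes `device.isCompliant -eq False` would miss devices that are not registered at all, because an unregistered device has no attributes to match, and those are precisely the unmanaged sign-ins the policy is meant to catch. The lint runs inside `deploy`, so a policy that forgets the break-glass exclusion or skips the report-only stage never reaches the tenant; flipping `state` to `enabled` is a deliberate second step after the report-only results have been read.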

