conditional access policies basics

Question

I’m relatively new to conditional access policies in Azure/Entra and associated 365 apps, and I have reviewed existing policies and noticed in the state column, there is a combination of on/off/report-only. For arguments sake if one of your CA policies linked to MFA requirements for all admin accounts accessing the admin portals, and it was set to ‘report only’, what exactly would happen – e.g., would it not prevent an admin without MFA enabled from logging into the portals, and just alert you to when this has happened? Why would you not want to enforce such as a policy, and only report? Also, some of the conditional access policies suggest that they are ‘Microsoft managed’, does this mean they are standard policies for all 365 clients, or the company has purposely enabled them based on a template for example?

Answer 1

Hi @crib bar

Thank you for posting your query on Microsoft Q&A!

Any policies in report-only mode will not impact users, this mode is to determine the impact of a Conditional Access policy, you can review the sign-in logs and your "Usage & Insights" reports to see what the effect of the policy would have if enabled. - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-report-only

The Microsoft managed Conditional Access policies are default policies configured and if not explicitly disabled by an admin will be enabled automatically, they are designed to secure your environment if you have not already setup MFA etc.. we have details on those here - https://learn.microsoft.com/en-us/entra/identity/conditional-access/managed-policies

Let me know if you have any further queries and I would be happy to help.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.