Why can't "Microsoft-Managed" CA policies be deleted even after turning them off?

Question

Why can't "Microsoft-Managed" CA policies be deleted even after turning them off?

Knut Sander Lien Blakkestad 20

Wy can't "Microsoft-Managed" CA policies be deleted after turning them off?

Sakshi Devkante 3,830 Reputation points Microsoft External Staff Moderator

2025-04-28T13:17:51.99+00:00

Hello Knut Sander Lien Blakkestad
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others.
Knut Sander Lien Blakkestad 20 Reputation points

2025-04-29T05:56:41.68+00:00

Hi @Sakshi Devkante

Sorry for taking a while to respond. Your first comment clarifies things, but I still believe that deleting or at least removing these policies should be an option.

Hopefully it will become possible in the future, but until then I guess I'll have to deal with disabled policies filling up the CA overview.
Sakshi Devkante 3,830 Reputation points Microsoft External Staff Moderator

2025-04-29T09:21:49.42+00:00

Hello Knut Sander Lien Blakkestad

You're absolutely right to feel that way, many admins share the same feedback. From a usability and policy hygiene standpoint, having non-removable, disabled entries clutter the Conditional Access overview can be confusing.

Microsoft’s current approach leans heavily toward ensuring baseline security That said, feedback like yours does make a difference: Microsoft does listen via channels like the Azure Feedback Portal and UserVoice (where applicable), and they've occasionally adjusted features based on widespread demand. If Microsoft introduces more flexibility in this area in the future, I’ll be happy to help you update your environment accordingly.

If you feel this clarified your question Please remember to "Accept Answer", so that others in the community facing similar issues can easily find this post.

Accepted answer

0 additional answers

Your answer

Sakshi Devkante 3,830 Reputation points Microsoft External Staff Moderator

2025-04-28T13:17:51.99+00:00

Hello Knut Sander Lien Blakkestad
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others.
Knut Sander Lien Blakkestad 20 Reputation points

2025-04-29T05:56:41.68+00:00

Hi @Sakshi Devkante

Sorry for taking a while to respond. Your first comment clarifies things, but I still believe that deleting or at least removing these policies should be an option.

Hopefully it will become possible in the future, but until then I guess I'll have to deal with disabled policies filling up the CA overview.
Sakshi Devkante 3,830 Reputation points Microsoft External Staff Moderator

2025-04-29T09:21:49.42+00:00

Hello Knut Sander Lien Blakkestad

You're absolutely right to feel that way, many admins share the same feedback. From a usability and policy hygiene standpoint, having non-removable, disabled entries clutter the Conditional Access overview can be confusing.

Microsoft’s current approach leans heavily toward ensuring baseline security That said, feedback like yours does make a difference: Microsoft does listen via channels like the Azure Feedback Portal and UserVoice (where applicable), and they've occasionally adjusted features based on widespread demand. If Microsoft introduces more flexibility in this area in the future, I’ll be happy to help you update your environment accordingly.

If you feel this clarified your question Please remember to "Accept Answer", so that others in the community facing similar issues can easily find this post.

Answer 1

Hello Knut Sander Lien Blakkestad

Even after you turn off Microsoft-managed Conditional Access (CA) policies, you can’t delete them because:

These policies are created and controlled by Microsoft to enforce essential security best practices like requiring MFA for admins or blocking legacy auth. Microsoft treats these as foundational, so instead of letting tenants delete them, it allows you to disable them if needed (though it’s not recommended unless you’ve replaced them with your own equivalent policies).

Entra ID, these policies are flagged as “Microsoft-Managed.” That flag prevents them from being deleted even by Global Admins. It’s sort of like a system file in Windows you can hide it or stop it from running but not delete it outright.

Regarding this it is mentioned in Microsoft public document: https://learn.microsoft.com/en-us/entra/identity/conditional-access/managed-policies

User's image

Microsoft’s current approach leans heavily toward ensuring baseline security That said, feedback like yours does make a difference: Microsoft does listen via channels like the Azure Feedback Portal and UserVoice (where applicable), and they've occasionally adjusted features based on widespread demand. If Microsoft introduces more flexibility in this area in the future, I’ll be happy to help you update your environment accordingly.

If you feel this clarified your question Please remember to "Accept Answer", so that others in the community facing similar issues can easily find this Post.

Share via

Why can't "Microsoft-Managed" CA policies be deleted even after turning them off?

0 additional answers

Your answer