Apply Conditional Access policies to the Microsoft 365 traffic profile

With a devoted traffic forwarding profile for all your Microsoft 365 traffic, you can apply Conditional Access policies to all of your Microsoft 365 traffic. With Conditional Access, you can require multifactor authentication and device compliance for accessing Microsoft 365 resources.

This article describes how to apply Conditional Access policies to your Microsoft 365 traffic forwarding profile.


Create a Conditional Access policy targeting the Microsoft 365 traffic profile

The following example policy targets all users except for your break-glass accounts and guest/external users, requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device when accessing Microsoft 365 traffic.

Screenshot showing a Conditional Access policy targeting a traffic profile.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Identity > Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts.
      2. Select Guest or external users and select all checkboxes.
  6. Under Target resources > Network Access (Preview)*.
    1. Choose Microsoft 365 traffic.
  7. Under Access controls > Grant.
    1. Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device
    2. For multiple controls select Require one of the selected controls.
    3. Select Select.

After administrators confirm the policy settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
  • Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Next steps

The next step for getting started with Microsoft Entra Internet Access is to review the Global Secure Access logs.

For more information about traffic forwarding, see the following articles: