Apply Conditional Access policies to the Microsoft traffic profile

With a dedicated traffic forwarding profile for your Microsoft traffic, you can apply Conditional Access policies to Microsoft traffic. With Conditional Access, you can require multifactor authentication and device compliance for accessing Microsoft resources.

This article describes how to apply Conditional Access policies to your Microsoft traffic forwarding profile.

Prerequisites

• Administrators who interact with Global Secure Access features must have one or more of the following role assignments depending on the tasks they're performing.
  • The Global Secure Access Administrator role role to manage the Global Secure Access features.
  • The Conditional Access Administrator role to create and interact with Conditional Access policies.
• The product requires licensing. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.
• To use the Microsoft traffic forwarding profile, a Microsoft 365 E3 license is recommended.

Create a Conditional Access policy targeting the Microsoft traffic profile

The following example policy targets all users except for your break-glass accounts and guest/external users, requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device when accessing Microsoft traffic.

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Identity > Protection > Conditional Access.
3. Select Create new policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users or workload identities.
   1. Under Include, select All users.
   2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts.
      2. Select Guest or external users and select all checkboxes.
6. Under Target resources > Global Secure Access*.
   1. Choose Microsoft traffic.
7. Under Access controls > Grant.
   1. Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device
   2. For multiple controls select Require one of the selected controls.
   3. Select Select.

After administrators confirm the policy settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

• Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario all administrators are locked out, your emergency-access administrative account can be used to log in and take steps to recover access.
  • More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
• Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
  • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

Next steps

The next step for getting started with Microsoft Entra Internet Access is to review the Global Secure Access logs.

For more information about traffic forwarding, see the following articles:

• Learn about traffic forwarding profiles
• Manage the Microsoft traffic profile