Conditional Access: Block access

For organizations with a conservative cloud migration approach, the block all policy is an option that can be used.

Caution

Misconfiguration of a block policy can lead to organizations being locked out.

Policies like these can have unintended side effects. Proper testing and validation are vital before enabling. Administrators should utilize tools such as Conditional Access report-only mode and the What If tool in Conditional Access when making changes.

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

• Emergency access or break-glass accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
  • More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
• Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
  • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Create a Conditional Access policy

The following steps will help create Conditional Access policies to block access to all apps except for Office 365 if users aren't on a trusted network. These policies are put in to Report-only mode to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policies apply as they intend, they can switch them to On.

The first policy blocks access to all apps except for Microsoft 365 applications if not on a trusted location.

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access.
3. Select Create new policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users or workload identities.
   1. Under Include, select All users.
   2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
6. Under Target resources > Cloud apps, select the following options:
   1. Under Include, select All cloud apps.
   2. Under Exclude, select Office 365, select Select.
7. Under Conditions:
   1. Under Conditions > Location.
      1. Set Configure to Yes
      2. Under Include, select Any location.
      3. Under Exclude, select All trusted locations.
   2. Under Client apps, set Configure to Yes, and select Done.
8. Under Access controls > Grant, select Block access, then select Select.
9. Confirm your settings and set Enable policy to Report-only.
10. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

A second policy is created below to require multifactor authentication or a compliant device for users of Microsoft 365.

1. Select Create new policy.
2. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
3. Under Assignments, select Users or workload identities.
   1. Under Include, select All users.
   2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
4. Under Target resources > Cloud apps > Include > Select apps, choose Office 365, and select Select.
5. Under Access controls > Grant, select Grant access.
   1. Select Require multifactor authentication and Require device to be marked as compliant select Select.
   2. Ensure Require one of the selected controls is selected.
   3. Select Select.
6. Confirm your settings and set Enable policy to Report-only.
7. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Note

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Next steps

Conditional Access templates

Determine effect using Conditional Access report-only mode

Use report-only mode for Conditional Access to determine the results of new policy decisions.