{
	"id": "f69d0c7c-b3fc-46f6-bf84-29f5f91e0516",
	"created_at": "2026-04-06T00:15:11.820415Z",
	"updated_at": "2026-04-10T03:20:06.321073Z",
	"deleted_at": null,
	"sha1_hash": "44dd502070fdfd69d046a38d494be128b28b39d4",
	"title": "Conditional Access Templates: Simplify Security - Microsoft Entra ID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 479462,
	"plain_text": "Conditional Access Templates: Simplify Security - Microsoft Entra\r\nID\r\nBy kenwith\r\nArchived: 2026-04-05 15:04:59 UTC\r\nIn this article\r\n1. Overview\r\n2. Template categories\r\n3. Other common policies\r\n4. User exclusions\r\n5. Next steps\r\nOverview\r\nConditional Access templates provide a convenient method to deploy new policies aligned with Microsoft\r\nrecommendations. These templates are designed to provide maximum protection aligned with commonly used\r\npolicies across various customer types and locations.\r\nhttps://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common\r\nPage 1 of 4\n\nTemplate categories\r\nConditional Access policy templates are organized into the following categories:\r\nFind these templates in the Microsoft Entra admin center \u003e Entra ID \u003e Conditional Access \u003e Create new policy\r\nfrom templates. Select Show more to view all policy templates in each category.\r\nhttps://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common\r\nPage 2 of 4\n\nImportant\r\nConditional Access template policies targeting users exclude only the user creating the policy from the template. If\r\nyour organization needs to exclude other accounts, modify the policy after it's created. You can find these policies\r\nin the Microsoft Entra admin center \u003e Entra ID \u003e Conditional Access \u003e Policies. Select a policy to open the\r\neditor and modify the excluded users and groups to select accounts you want to exclude.\r\nBy default, each policy is created in report-only mode. 
Test and monitor usage to ensure the intended result before\r\nturning on each policy.\r\nOrganizations can select individual policy templates and:\r\nView a summary of the policy settings.\r\nEdit, to customize based on organizational needs.\r\nExport the JSON definition for use in programmatic workflows.\r\nThese JSON definitions can be edited and then imported on the main Conditional Access policies\r\npage using the Upload policy file option.\r\nOther common policies\r\nRequire multifactor authentication for device registration\r\nBlock access by location\r\nBlock access except specific apps\r\nUser exclusions\r\nConditional Access policies are powerful tools. We recommend excluding the following accounts from your\r\npolicies:\r\nEmergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the\r\nunlikely scenario where all administrators are locked out, your emergency access administrative account\r\ncan be used to sign in and recover access.\r\nMore information can be found in the article, Manage emergency access accounts in Microsoft\r\nEntra ID.\r\nService accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service\r\naccounts are noninteractive accounts that aren't tied to any specific user. They're typically used by backend\r\nservices to allow programmatic access to applications, but they're also used to sign in to systems for\r\nadministrative purposes. Calls made by service principals aren't blocked by Conditional Access policies\r\nscoped to users. 
Use Conditional Access for workload identities to define policies that target service\r\nprincipals.\r\nIf your organization uses these accounts in scripts or code, replace them with managed identities.\r\nNext steps\r\nSimulate sign in behavior using the Conditional Access What If tool.\r\nUse report-only mode for Conditional Access to determine the results of new policy decisions.\r\nLast updated on 03/24/2026\r\nSource: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common"
	],
	"report_names": [
		"concept-conditional-access-policy-common"
	],
	"threat_actors": [],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44dd502070fdfd69d046a38d494be128b28b39d4.pdf",
		"text": "https://archive.orkl.eu/44dd502070fdfd69d046a38d494be128b28b39d4.txt",
		"img": "https://archive.orkl.eu/44dd502070fdfd69d046a38d494be128b28b39d4.jpg"
	}
}