We put together a list of the Conditional Access policies everyone should have, no matter the size of their organization. We see these as the bare minimum our clients should implement in their own environments, as well as their clients.
Here are the top 10 Conditional Access policies you need to have. Roll each one out in report-only mode first and exclude at least one emergency-access (break-glass) account from every policy, so that a misconfigured rule cannot lock your administrators out.
1. Require multifactor authentication for all users: adds a second factor to every sign-in across the organization, so a stolen or guessed password alone is not enough to get in.

2. Require multifactor authentication for all external users: applies the same requirement to guest and external identities when they access the organization's cloud resources, not only the corporate network.

3. Require phishing-resistant multifactor authentication for admin users: privileged accounts are frequent targets, and a phishing-resistant method (FIDO2 security key, Windows Hello for Business, or certificate-based authentication) cannot be relayed through a fake sign-in page the way a push approval or one-time code can. This greatly reduces, but does not eliminate, the chance of these accounts being compromised.

4. Require multifactor authentication for registering security info: only a user who has already passed MFA can register or change their authentication methods (for example adding a new MFA device or phone number), so an attacker holding just the password cannot enroll a factor of their own.

5. Block unknown platforms / require compliant devices: only devices that are managed and marked compliant (or hybrid-joined) may access company resources. Blocking unknown platforms on its own is not enough, because the reported platform comes from the client's user agent and can be spoofed; the compliance requirement is what actually enforces device trust.

6. Block access from non-trusted locations: restricts sign-ins to the named locations you define in Entra ID (trusted IP ranges and, where appropriate, countries). Organizations with remote workers usually scope this policy to admin accounts or the most sensitive applications rather than to all users.

7. Block legacy authentication: blocks protocols such as IMAP, POP, SMTP AUTH, and basic-auth Exchange ActiveSync that cannot enforce MFA; attackers routinely target them to bypass MFA with a password alone.

8. Set session lifetime (sign-in frequency) on both managed and unmanaged devices: forces users to re-authenticate after a set period, which shortens the window in which a stolen token or session can be used.

Quick tip: set the sign-in frequency LOWER for unmanaged devices than for managed ones.

9. Restrict access to sensitive applications: limits cloud applications that hold sensitive data to the users or groups that actually need them, and blocks everyone else.

10. Require an app protection policy for mobile applications: requires an Intune app protection (MAM) policy on iOS and Android so company data inside approved apps stays encrypted, cannot be copied into unmanaged apps, and can be wiped selectively without touching the rest of the device.
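The policies above are usually built by hand in the Entra admin center, but they can also be created through the Microsoft Graph API so that they are reviewable and repeatable across tenants. The following PowerShell script is an added example and is not code from the original article: it creates four of the ten policies (3, 4, 7 and 8 together with the quick tip) in report-only mode using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that you replace the placeholder value of $BreakGlassGroupId with the object ID of your own emergency-access group, and that the CA00x display names are simply a naming convention chosen here.

```powershell
# Added example (not from the original article): creates four of the policies
# above with the Microsoft Graph PowerShell SDK, all in report-only mode.
# Assumptions: the Microsoft.Graph.Identity.SignIns module is installed, the
# signed-in account can consent to Policy.ReadWrite.ConditionalAccess, and
# $BreakGlassGroupId (placeholder value) is the object ID of a group that
# holds your emergency-access accounts.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # replace with your group's object ID
$ReportOnly        = "enabledForReportingButNotEnforced"     # switch to "enabled" after reviewing sign-in logs

# Built-in authentication strength "Phishing-resistant MFA"
# (FIDO2 security key, Windows Hello for Business, certificate-based auth).
$PhishingResistantMfa = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs (the same in every tenant).
$GlobalAdministrator            = "62e90394-69f5-4237-9190-012177145e10"
$SecurityAdministrator          = "194ae4cb-b126-40b2-bd5b-6091b380977d"
$ConditionalAccessAdministrator = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"

# Every policy targets all users but never the break-glass group.
$AllUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }

$policies = @(
    @{  # Policy 7: legacy protocols cannot perform MFA, so block them outright
        displayName   = "CA007 - Block legacy authentication"
        state         = $ReportOnly
        conditions    = @{
            clientAppTypes = @("exchangeActiveSync", "other")
            applications   = @{ includeApplications = @("All") }
            users          = $AllUsersExceptBreakGlass
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # Policy 3: privileged roles must satisfy the phishing-resistant strength
        displayName   = "CA003 - Require phishing-resistant MFA for admins"
        state         = $ReportOnly
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{
                includeRoles  = @($GlobalAdministrator, $SecurityAdministrator, $ConditionalAccessAdministrator)
                excludeGroups = @($BreakGlassGroupId)
            }
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $PhishingResistantMfa } }
    },
    @{  # Policy 4: the target is the "register security info" user action, not an application
        displayName   = "CA004 - Require MFA to register security info"
        state         = $ReportOnly
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeUserActions = @("urn:user:registersecurityinfo") }
            users          = $AllUsersExceptBreakGlass
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Policy 8 + quick tip: 1-hour sign-in frequency and no persistent session on non-compliant devices
        displayName     = "CA008 - 1h sign-in frequency on unmanaged devices"
        state           = $ReportOnly
        conditions      = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = $AllUsersExceptBreakGlass
            devices        = @{ deviceFilter = @{ mode = "include"; rule = 'device.isCompliant -ne True' } }
        }
        sessionControls = @{
            signInFrequency   = @{ isEnabled = $true; value = 1; type = "hours"; frequencyInterval = "timeBased" }
            persistentBrowser = @{ isEnabled = $true; mode = "never" }
        }
    }
)

foreach ($p in $policies) {
    # Idempotent: skip a policy that already exists under the same display name
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) {
        Write-Host "Skipping '$($p.displayName)' (already exists, id $($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)' (id $($created.Id))"
}
```

Because every policy is created with state enabledForReportingButNotEnforced, nothing is blocked yet: review the Report-only tab of the sign-in logs for a couple of weeks to see who would have been affected, then change the state to enabled. Keeping the definitions in source control like this also makes it easy to diff what is deployed in a tenant against the intended baseline.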