I've intentionally held off on covering this topic because Conditional Access policies are nearly impossible to standardize. Every organization's environment, risk tolerance, and goals are different, so trying to define a "one-size-fits-all" approach never really works.

Even the term baseline tends to cause confusion. What starts out as a flexible reference point often gets treated like a strict rulebook, even though that's rarely what the creators intended.

With that in mind, this isn't a baseline or an official recommendation. It's simply a look at the policies I use in practice. Take what fits, leave what doesn't.

Assignment philosophy

Apply broadly, exclude narrowly.

If you assign to static groups, you've made yourself a static problem. Even with a dynamic group, there will be times when a user doesn't match the membership rule for whatever reason and falls outside the policy; at that point the assignment may as well have been "all users" from the start.

Note: where a condition isn't configured, the policy applies regardless of it. In "MFA all users all resources" I don't configure any network or other conditions, so the policy applies to every user on every possible sign-in route.

Policies I use

More detail on each individual policy will be posted as a follow-up. In the meantime, the short list below is the shape of what I recommend starting from:

  • CA01 - MFA all users all resources. Require MFA for every sign-in, with narrow service-account exclusions only.
  • Block legacy authentication. Kill basic auth everywhere. No exceptions worth making in 2025.
  • Require compliant or hybrid-joined device for managed apps. Keep corporate data on trusted endpoints.
  • Require MFA for admins (always). A second layer even when broader MFA is weakened by exclusions.
  • Risky sign-in and risky user policies. Let Identity Protection escalate instead of blocking by default.
  • Session controls for web. Sign-in frequency and persistent browser limits for high-value apps.

A note on exclusions

Every policy needs a break-glass path. Maintain at least two cloud-only Global Admin accounts, excluded from MFA and location policies, with long random passwords stored in a vault and alerts on sign-in. Test that access quarterly. A policy you can't safely undo is a policy that will eventually lock you out at the worst possible time.
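As an added example (not from this post), here is a small lint over policies expressed in the Microsoft Graph conditionalAccessPolicy schema that checks the two rules above: include "All" users rather than a group, and keep exclusions to the break-glass accounts. The two policy objects and the exclusion ceiling of two are constructed sample input and an assumption, not tenant data.

```python
# Added example: lints Conditional Access policies (Microsoft Graph
# conditionalAccessPolicy shape) against "apply broadly, exclude narrowly".
# The sample policies below are constructed input, not real tenant data.
MAX_EXCLUDED_USERS = 2  # assumption: two break-glass accounts is the ceiling

SAMPLE_POLICIES = [
    {
        "displayName": "CA01 - MFA all users all resources",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": [],
                      "excludeUsers": ["breakglass-1-id", "breakglass-2-id"],
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["sales-group-id"],
                      "excludeUsers": ["u1", "u2", "u3"],
                      "excludeGroups": ["vip-group-id"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def lint_policy(policy: dict) -> list[str]:
    """Return findings for one policy; an empty list means it follows the guidance."""
    findings = []
    users = policy["conditions"]["users"]
    # Apply broadly: scope should be "All", not a static or dynamic group.
    if "All" not in users.get("includeUsers", []):
        findings.append("scope is not 'All users' (group assignment drifts)")
    # Exclude narrowly: only the break-glass accounts, never whole groups.
    if len(users.get("excludeUsers", [])) > MAX_EXCLUDED_USERS:
        findings.append(f"more than {MAX_EXCLUDED_USERS} excluded users")
    if users.get("excludeGroups"):
        findings.append("group exclusions widen the hole beyond break-glass")
    # Report-only policies enforce nothing; flag anything not enabled.
    if policy["state"] != "enabled":
        findings.append(f"state is {policy['state']}, not enforced")
    return findings


def lint_policies(policies: list[dict]) -> dict[str, list[str]]:
    return {p["displayName"]: lint_policy(p) for p in policies}
```

Run `lint_policies(SAMPLE_POLICIES)` against a policy export to see which policies deviate and why.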