Most tenants have dozens of app registrations with long-lived secrets, no Conditional Access coverage, and zero monitoring. This article covers the full hardening path: credential inventory via Graph, migration from secrets to certificates to workload identity federation (with a decision table by scenario), Conditional Access for service principals, ID Protection risk detections, governance lifecycle, the March 2026 service-principal-less authentication deadline, common hardening mistakes, an SMB quick-start priority list, and an auditor evidence checklist.

Part 4 and closing chapter of the Conditional Access baseline series. The disciplined rollout cadence for moving all eight policies from Report-only to Enabled without incidents — pre-flight checks, Day 0 deployment, the seven-day review ritual, a worked What If scenario, a compact KQL triage set, the communication templates that make users feel informed instead of ambushed, and the specific failure patterns that only show up once you hit Enabled.

Part 3 of the Conditional Access baseline series. Every baseline policy walked end to end: the exact UI path, precise include/exclude scope, grant vs session choice with the real trade-offs, the common false positives and how to triage them in the sign-in logs, and the rollback pattern for each one — plus a Graph PowerShell appendix and two KQL queries that cover 80% of Report-only triage.

Before deploying a single Conditional Access policy, three things have to be in place: two break-glass accounts with FIDO2 keys, a clean exclusion group pattern, and sign-in logs wired to alerts. Part 2 of the series — the foundations that stop a misconfigured policy from becoming a business-hours incident.

The opinionated Conditional Access baseline I deploy on every SMB Microsoft 365 tenant in 2026 — 8 policies split into a core and extended set, report-only rollout, break-glass done right, and the mistakes that lock admins out.

Microsoft Entra ID passkey profiles reached GA in 2026, and tenants with FIDO2 already enabled may have been migrated automatically. This article explains what changed, how device-bound and synced passkeys differ, and the key settings to review now.