Conditional Access baseline for small and mid-sized Microsoft 365 tenants in 2026

IdentityMicrosoft 365Cloud SecurityMicrosoft Entra IDSecurityIdentity GovernanceSecurity & ComplianceAzure & Entra ID
Written By Tiago Carvalho
Conditional Access Baseline Series  ·  Part 1 of 4

Entra ID  ·  Conditional Access  ·  Identity  ·  2026

Series overview — 4 articles
Part 1 · Now
Baseline Overview & The 8 Policies
Part 2 · Next
Foundations: Break-Glass, Exclusions, Logging
Part 3
The 8 policies — deep implementation guide
Part 4
Report-Only Rollout & Troubleshooting

Security Defaults get most small tenants to "MFA is on for everyone", and that is a good starting point. But they do not scale. The moment you have a service account that cannot MFA, a travelling exec you need to exclude, or a third-party SSO app you want to protect differently, Security Defaults run out. This article is the opinionated Conditional Access baseline I deploy on every SMB Microsoft 365 tenant in 2026 — 8 policies, the order I roll them out in report-only, how I handle break-glass accounts, and the three mistakes that lock admins out of their own tenant.

🎯
Designed for Microsoft 365 Business Premium or an equivalent Entra ID P1 tenant, with Intune available where device compliance or app protection policies are referenced. Conditional Access itself is a P1/P2 feature; device compliance and app protection live in the broader management stack. Where P2 (Identity Protection, risk-based policies) helps, it is called out as an optional upgrade, not a prerequisite
🚫
Every policy ships in Report-only first. No exceptions, including break-glass verification. Report-only gives you seven days of real sign-in data before anyone is blocked
🔑
Two break-glass accounts, excluded from every policy. FIDO2 keys, not SMS. Permanent Global Admin, not PIM. Alerting on every sign-in
📋
Use named groups for exclusions, not individual users. CA-Exclusions-BreakGlass, CA-Exclusions-ServiceAccounts, CA-Exclusions-Travel. Policies stay clean, audits stay defensible
⚠️
Move from Security Defaults to Conditional Access in a controlled handover. Avoid overlap, and avoid leaving the tenant without either protection model while you switch

The Conditional Access design space is large, and most SMB tenants never touch more than five percent of it. That is fine. You do not need every knob. You need a small, well-chosen set of policies that cover the actual threats a 50–500 seat company faces: credential phishing, password spray from unexpected geographies, legacy auth endpoints the attackers probe every day, unmanaged mobile devices leaking corporate mail, and admin accounts that sign in the same way as a sales rep.

Eight policies cover that floor. Less than eight and you have gaps. More than eight and the next three articles' worth of policies are useful but diminishing returns at SMB scale — better addressed as targeted follow-ups ("block unmanaged Windows devices for HR apps", "require session persistence off for finance") than as baseline.

The policies here are designed to be deployed in order, in report-only, with named exclusion groups already in place. Skip steps and you will lock someone out. I am not exaggerating that: in twelve years of running Conditional Access projects, I have never seen a tenant get locked out from following the order below, and I have seen dozens get locked out from not following it.

🛑
Do not deploy a single Conditional Access policy until your break-glass accounts exist, have FIDO2 keys registered, are in an exclusion group, and you have verified sign-in using the FIDO2 key at least twice. Every scenario in this article assumes those accounts are ready. The one section you must read before everything else is Break-glass accounts.

Why this matters in 2026

Three things have shifted in the identity landscape over the last eighteen months that change how the SMB baseline should look.

The first is that MFA bypass via phishing-resistant-to-push-fatigue attacks is now routine. Attackers spin up fake Microsoft login pages using adversary-in-the-middle proxies, harvest the session cookie post-MFA, and replay it. SMS and push-approval MFA do not stop this. Only phishing-resistant methods — FIDO2 security keys, passkeys, Windows Hello for Business — actually do. Your baseline has to reflect that, at least for administrators.

The second is that Security Defaults are a floor, not a destination. Microsoft has been clear about this for years, but the 2026 gap is sharper: Security Defaults cover eight scenarios, do not support granular exclusions, and cannot be tuned. Any tenant with legitimate service accounts, mixed-device realities, guest access, or travel patterns outgrows them fast. The move from Security Defaults to Conditional Access is the moment where most SMBs either harden correctly or wire themselves a string of problems.

The third is that Entra ID P1 (included in Business Premium) is enough for a defensible Conditional Access baseline. You do not need P2 to build the identity and access layer — authentication strengths, device filters, named locations, sign-in frequency, and persistent browser session controls all sit inside P1. Controls such as device compliance and app protection depend on the broader management stack, typically Intune (also included in Business Premium). Identity Protection's risk-based policies are a worthwhile upgrade when budget allows, but they are an upgrade, not a prerequisite.

The four principles

Before the policies themselves, four decisions that shape how every policy in this baseline is built. Violate any of these and the policy stops being safe to deploy.

Principle 1
Report-only before On
Every policy is created in Report-only mode, left there for at least seven days, and reviewed via sign-in logs before being switched to On. Never deploy a policy directly enforced, even one that looks obvious.
Principle 2
Exclude break-glass, nothing else by default
The default exclusion on every policy is exactly one group: CA-Exclusions-BreakGlass. Any other exclusion gets its own named group, documented reason, and review date.
Principle 3
Prefer groups over "All users" for SMB rollouts
Microsoft's documented examples often use All users with the emergency-access exclusion, which is perfectly valid. For SMB rollouts I prefer group-based assignments (CA-InScope-AllUsers) because they make phased rollout, exceptions, and rollback easier — you adjust membership instead of editing the policy. It is a design pattern, not a universal rule.
Principle 4
Authentication strengths over "Require MFA"
Where possible, use Authentication strength controls instead of the legacy "Require MFA" toggle. They let you specify which factors count (phishing-resistant, MFA, passwordless), and they give you a migration path as FIDO2/passkey coverage grows.

The eight policies

Think of the set as two layers. Policies 1–6 are the core baseline — identity and access controls almost every SMB tenant should run. Policies 7–8 are the extended baseline — higher value once the core is stable, but they lean on Intune app protection and device state logic that can generate more troubleshooting in a young tenant. Deploy in the order shown; each depends on the ones before it being stable.

Core baseline · Policies 1–6

Policy 1
Block legacy authentication
Assignment: All users, except break-glass. Apps: All cloud apps. Conditions: Client apps → Exchange ActiveSync clients + Other clients. Grant: Block access. Legacy auth cannot honour MFA. Any legitimate sender still using SMTP AUTH or IMAP needs to migrate, not be excluded — Microsoft is retiring Basic Auth in Exchange Online anyway.
Policy 2
Require MFA for all users
Assignment: CA-InScope-AllUsers, except break-glass. Apps: All cloud apps. Grant: Require authentication strength → MFA. This replaces the Security Defaults MFA story with something you can actually tune. Use authentication strengths, not the legacy "Require MFA" checkbox.
Policy 3
Phishing-resistant MFA for admins
Assignment: Directory roles → Global Admin, Privileged Role Admin, Security Admin, Exchange Admin, SharePoint Admin, User Admin, and the other 9 privileged roles Microsoft highlights. Grant: Require authentication strength → Phishing-resistant MFA. Every admin enrols a FIDO2 key or passkey before this goes enforced.
Policy 4
Compliant device for admin portals
Assignment: Same admin roles as Policy 3. Apps: Microsoft Admin Portals (filter). Grant: Require device to be marked as compliant OR Hybrid Azure AD joined. Admins only reach admin surfaces from known, Intune-managed machines. Requires Intune (included in Business Premium).
Policy 5
Require MFA for guests
Assignment: Guest and external users → All guest and external users. Apps: All cloud apps. Grant: Require authentication strength → MFA. You do not control guests' home-tenant hygiene, so assert it at your door. If your guests have not registered MFA, the first sign-in will prompt them to.
Policy 6
Block sign-ins from unexpected countries
Assignment: CA-InScope-AllUsers, except break-glass and CA-Exclusions-Travel. Apps: All cloud apps. Conditions: Location → include Any location, exclude your named "Allowed countries" location. Grant: Block access. Kills most credential-stuffing traffic before MFA even matters.

Extended baseline · Policies 7–8

These two add meaningful mobile and browser hardening, but they depend on Intune (app protection) and device state logic. Roll them out after the core is stable — and be ready for more report-only triage than Policies 1–6 generated.

Policy 7
App protection + approved apps on mobile
Assignment: CA-InScope-AllUsers, except break-glass. Apps: Exchange Online, SharePoint, Teams, OneDrive. Conditions: Device platforms → iOS, Android. Grant: Require approved client app AND require app protection policy. Keeps corporate mail inside managed Outlook, not bleeding into the native iOS Mail app.
Policy 8
Session controls for unmanaged browsers
Assignment: CA-InScope-AllUsers, except break-glass. Apps: All cloud apps. Conditions: Client apps → Browser; Device state (preview) → device is not compliant. Session: Sign-in frequency 8 hours, persistent browser off. Limits the window a stolen session cookie can be replayed in.

A light-touch option for assigning policies 2–8 consistently: create each policy in the portal, then export the tenant's current CA policies with Graph PowerShell for version control and documentation. This is the only snippet you really need on day one:

Export all CA policies to JSON (Graph PowerShell) PowerShell 
# Requires the Microsoft.Graph.Identity.SignIns module
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All"

Get-MgIdentityConditionalAccessPolicy -All |
  ConvertTo-Json -Depth 15 |
  Out-File -FilePath ".\ca-policies-$(Get-Date -Format yyyyMMdd).json"

Run that after every policy change. You now have a dated snapshot of your Conditional Access posture that you can diff, commit to a private repo, or hand to an auditor. Same module (Microsoft.Graph.Identity.SignIns) also supports New-MgIdentityConditionalAccessPolicy if you want to version your baseline as code, but for an SMB baseline, portal creation plus exported JSON documentation is plenty.

📖
Deep dive → The cards above are the overview. Part 3 — The eight policies, deep implementation guide goes significantly further for each policy: exact UI path, precise include/exclude scope, grant vs session choice with trade-offs, common false positives and how to triage them in the sign-in logs, and the rollback pattern if something breaks after enforcement.

Break-glass accounts

If you do nothing else from this article, do this section. Break-glass accounts are the only reason a misconfigured Conditional Access policy does not turn into a business-hours incident.

The shape of a defensible break-glass setup: two cloud-only accounts on .onmicrosoft.com, FIDO2 keys stored in two physically separate locations, permanent Global Admin (not PIM), excluded from every policy via a named group CA-Exclusions-BreakGlass, with sign-in alerting on both accounts and a one-page runbook tested twice a year. Not SMS, not authenticator push, not email — only phishing-resistant factors survive the exact emergency these accounts exist for.

📖
Deep dive → Part 2 — Foundations: break-glass, exclusions, logging walks through each step in detail: key selection, why not PIM, exclusion group pattern, Log Analytics alerting, documentation, and the twice-a-year test procedure.

Report-only rollout

The order the eight policies go live in is not cosmetic — each one depends on the previous being stable. Rush it and you will catch either a legacy service account or a roaming exec, and the first time you notice will be a ticket.

The pattern for each policy, in order: create in Report-only → wait seven days → review sign-in logs filtered by that policy → use What If for the high-value scenarios (travelling exec, unmanaged BYOD, CEO's phone, the service account) → address exclusions with named groups and documented reasons → switch to On → monitor for 14 days before moving to the next. For an eight-policy baseline, the realistic calendar end-to-end is six to eight weeks, depending on how clean the tenant is going in. Rush it and you create incidents; drag it and you leave the tenant with half a baseline for months. Mid-pace is correct.

📖
Deep dive → Part 4 — Report-only rollout & troubleshooting covers how to read sign-in logs (the filter combinations that actually work), the What If tool in depth, service account migration paths instead of exclusions, hybrid sync account handling, third-party SSO app surprises, and the most common failure patterns with their fixes.

SMB-specific gotchas

These are the patterns that turn a clean baseline into a two-week incident. Seen them all, more than once.

Gotcha
Service accounts treated as users
Shared mailboxes, printer scan-to-mail accounts, backup-report service accounts. They cannot MFA. The fix is not to exclude them individually — the fix is to migrate off SMTP AUTH to OAuth + app passwords where absolutely necessary, or to disable user sign-in on the account entirely.
Gotcha
Hybrid identity sync account
The Entra Connect / Cloud Sync service account has a specific sign-in pattern that some overly-aggressive CA policies block. Microsoft documents the correct exclusion pattern — read it before your directory sync stops working on a Friday afternoon.
Gotcha
Third-party SSO apps
Atlassian, Salesforce, HubSpot — all support Entra ID SSO, and all behave slightly differently under CA. Test each one in report-only with a pilot user before enabling. Pay particular attention to SAML flows that pre-authenticate on the app side.
Gotcha
Guest flow assumed to work like internal
Guests live in their home tenant; your MFA policy asserts at your tenant. If a guest has not registered MFA in their home tenant, your Policy 5 triggers the registration flow. Surprise exec demo that goes sideways is avoidable with one email to the guest's admin ahead of time.

One more that deserves its own paragraph: do not leave Security Defaults on at the same time as Conditional Access. Microsoft forces you to choose one or the other, but I have seen tenants accidentally re-enable Security Defaults during a managed service handover and end up in a confused state where MFA prompts behave inconsistently. Disable Security Defaults after your Policy 2 (Require MFA for all users) is enforced and stable — never before, never both.

Rollout checklist

  • Create two break-glass accounts on .onmicrosoft.com, FIDO2 registered, permanent Global Admin Test sign-in with FIDO2 at least twice before deploying any CA policy.
  • Create the named groups: CA-Exclusions-BreakGlass, CA-InScope-AllUsers, any travel/service exclusions Every policy references these groups, not individual users.
  • Enable sign-in log and audit log streaming to Log Analytics Minimum 30-day retention, alerts on break-glass sign-in.
  • Deploy all eight policies in Report-only, in order, leaving 7+ days between each Use the What If tool on each for the four or five highest-risk user scenarios.
  • Register at least one FIDO2 key or passkey per admin before switching Policy 3 to On Without this, Policy 3 locks admins out at the exact moment you need them.
  • Publish Intune app protection policies before flipping Policy 7 to On Outlook, Teams, OneDrive, SharePoint MAM policies must exist first or mobile sign-in fails.
  • Switch Security Defaults off after Policy 2 is enforced and stable Avoid running both at once, and avoid a window where neither is active.
  • Export the full CA policy set to JSON with Graph PowerShell Store dated snapshots. Re-export after every change.
  • Document policy set, owners, review cadence, and exclusion review date One-page runbook. Reviewed quarterly.
ℹ️
This baseline is a floor, not a ceiling. Once it is stable, good next-step policies are risk-based sign-in and user risk (if you add Entra P2), session controls for finance/HR apps specifically, and device-based restrictions for sensitive SharePoint sites. But those are satellite policies for targeted risks — the eight here cover the SMB baseline.
Next in the series  ·  Part 2 of 4
Foundations: break-glass, exclusions, and the logging you want
Before deploying a single policy: two break-glass accounts with FIDO2 keys, the exclusion group pattern that keeps the baseline defensible, and the sign-in and audit logs wired to alerts so a misconfigured policy never becomes a business-hours incident.
Coming next →
Need a hand
Want this baseline rolled against your tenant without locking anyone out?
If you want someone to deploy this Conditional Access baseline in report-only, validate exclusions against your real sign-in data, and stage the enforcement rollout — that is part of what an Entra ID hardening review covers. Get in touch.
Sources
References used
Tiago Carvalho
Previous

Conditional Access foundations: break-glass accounts, exclusion groups, and the logging you want before any policy
Next

Your Entra ID Passkeys May Have Changed Automatically: What to Check After the 2026 Migration