There is a peculiar sort of optimism in the way many organisations approach Conditional Access.
A risky sign-in appears, so they create a policy. Another loophole pops up, so they patch that too. Before long, the whole thing resembles a deranged game of Whac-A-Mole, except the moles are identity threats and the consequences are rather less charming than a broken arcade machine.
This is precisely why the latest episode of Entra.Chat is worth a listen.
In this episode, our own MVP, Per-Torben Sørensen, sits down with Merill Fernando to dissect what it actually takes to build Conditional Access policies that are genuinely resilient, not merely decorative.
Because let us be honest, there is a world of difference between “we followed the Microsoft documentation” and “this will survive contact with real users”.
Per-Torben has never been one for blind faith in templates. He works in the far less glamorous world called reality, where environments are messy, exceptions multiply like rabbits, and someone has inevitably granted Global Admin rights to a person who absolutely should not have them.
In the episode, they tackle:
The firewall approach
Should you block everything by default and only allow specific exceptions? It sounds severe, but then so is ransomware.
Who protects the break-glass accounts from the Global Admins?
A delightful little paradox, until your emergency accounts become the easiest way into the kingdom. The discussion covers how Restricted Management Administrative Units can keep even privileged admins from getting too adventurous.
Why Microsoft’s persona templates may not fit your world
The official templates are all very impressive if you happen to be running a multinational enterprise with a dedicated identity team and several spare architects in the cupboard. For everyone else, some scaling down is required.
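To make the first two points concrete, here is an added example (not code from the episode, from Per-Torben, or from this blog) that builds both pieces with the Microsoft Graph PowerShell SDK: a restricted management administrative unit holding the break-glass accounts, and a firewall-style Conditional Access policy that blocks everyone on every application and then carves out the exceptions. The two account names, the tenant domain and the exclusion group `CA-Exclude-BreakGlass` are assumptions for illustration. Two caveats worth knowing before running anything like it: `isMemberManagementRestricted` can only be set when the unit is created, and a Global Administrator can still assign themselves a role scoped to the unit, so the RMAU is a deliberate speed bump rather than an absolute barrier.

```powershell
# Added example (not from the episode or the blog): default-deny Conditional Access
# plus a restricted management administrative unit (RMAU) for the break-glass accounts.
# Assumptions (hypothetical): the two UPNs below exist, and the group
# 'CA-Exclude-BreakGlass' already exists and contains only those two accounts.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'AdministrativeUnit.ReadWrite.All',
                        'User.Read.All', 'Group.Read.All'

$breakGlassUpns = @('bg-admin-01@contoso.example', 'bg-admin-02@contoso.example')
$breakGlass     = @($breakGlassUpns | ForEach-Object { Get-MgUser -UserId $_ })
$excludeGroup   = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if ($breakGlass.Count -ne 2 -or -not $excludeGroup) {
    throw 'Refusing to create a tenant-wide block policy without both break-glass accounts and their exclusion group.'
}

# 1) Restricted management AU. isMemberManagementRestricted is fixed at creation time;
#    afterwards, tenant-scoped roles cannot change the members' attributes, credentials,
#    group memberships or role assignments unless explicitly given a role scoped to this AU.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = 'Break-glass accounts (restricted)'
    description                  = 'Emergency access accounts; managed only by admins scoped to this unit.'
    isMemberManagementRestricted = $true
}
foreach ($u in $breakGlass) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)"
    }
}

# 2) Firewall-style policy: block all users on all apps, then list the exceptions.
#    Excluded identities are still evaluated against every other policy (MFA, compliant
#    device, and so on); an exclusion is a gap in the wall, not a free pass.
$policy = @{
    displayName = 'CA000 - Block by default'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' only after reviewing sign-in logs
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeUsers  = @($breakGlass.Id)        # exclude by object id as well as by group
            excludeGroups = @($excludeGroup.Id)      # add each allowed persona group here as it is onboarded
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3) Read the policy back and refuse to continue if a break-glass account is not excluded.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
foreach ($u in $breakGlass) {
    if ($check.Conditions.Users.ExcludeUsers -notcontains $u.Id) {
        throw "Break-glass account $($u.UserPrincipalName) is not excluded from '$($check.DisplayName)'"
    }
}
"Created '$($check.DisplayName)' in state $($check.State); RMAU '$($au.DisplayName)' holds $($breakGlass.Count) accounts."
```

The policy is deliberately created in report-only mode: Graph will happily let you lock the whole tenant out, and the only thing standing between a typo in the exclusion list and a very long Friday afternoon is the read-back check at the end and a look at the report-only results before flipping the state to `enabled`.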
Conditional Access is one of those areas where guesswork is often dressed up as strategy. This episode is an excellent reminder that security architecture should ideally involve less guesswork and fewer panic edits on a Friday afternoon.
Listen to the full episode here:
Bullet-Proof Conditional Access with Per-Torben Sørensen
If your Conditional Access design currently relies on crossed fingers and institutional hope, this may be the intervention it needs.
Discover more from Agder in the cloud
