
Control 1.11: Conditional Access and Phishing-Resistant MFA - Portal Walkthrough

This playbook provides portal configuration guidance for Control 1.11.


Prerequisites

  • Microsoft Entra ID P1/P2 licenses assigned
  • Emergency access (break-glass) accounts configured and excluded from CA
  • Named locations defined for office networks
  • Authentication methods configured
  • Agent inventory available for policy targeting

Step 1: Access Conditional Access

Portal Path: Microsoft Entra admin center > Protection > Conditional Access

  1. Open Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access
  3. Review the Overview dashboard

Dashboard Review

Card               Action
Agent Identities   Monitor agent coverage
Policy Snapshot    Track policy state (Enabled / Report-only / Off)
Users              Address coverage gaps
Applications       Ensure agent apps are protected

Step 2: Configure Named Locations

Portal Path: Protection > Conditional Access > Named locations

  1. Click + New location
  2. Configure the corporate office location:
       • Name: Corporate Offices
       • IP ranges: add your office egress IP ranges in CIDR notation (only ranges you own; a trusted location exempts traffic, so an over-broad range weakens every policy that references it)
       • Mark as trusted location: Yes
  3. Click Create

Step 3: Configure Authentication Methods

Portal Path: Protection > Authentication methods > Policies

Method                     Zone 1    Zone 2    Zone 3
Passkey (FIDO2)            Enable    Enable    Required
Microsoft Authenticator    Enable    Enable    Limited
SMS                        Disable   Disable   Block
Certificate-based auth     Enable    Enable    Required

  1. Navigate to Authentication methods > Policies
  2. Enable FIDO2/Passkey for enterprise users
  3. Disable SMS and Voice for Zone 2-3 users (neither is phishing-resistant; remove them before a policy requires a stronger method so users are not left without a usable factor)
  4. Enable Certificate-based authentication for enterprise users

Step 4: Configure Authentication Strengths

Portal Path: Protection > Conditional Access > Authentication strengths

  1. Click + New authentication strength
  2. Create the FSI-specific strength:
       • Name: FSI-Phishing-Resistant
       • Methods: FIDO2 security key / passkey, Certificate-based authentication (multifactor). Leave Microsoft Authenticator push, SMS and Voice unselected; the strength is only as strong as its weakest allowed combination
  3. Click Create
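The Step 2 named location, the Step 3 SMS change and the Step 4 authentication strength can also be created with Microsoft Graph PowerShell. The block below is an added example and is not code from the original page; the IP ranges are TEST-NET placeholders and the display names are the ones used in this walkthrough.

```powershell
# Added example (not from the original page): Steps 2-4 via Microsoft Graph PowerShell.
# Assumptions: the IP ranges below are placeholders (TEST-NET); replace with your own egress ranges.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.ReadWrite.AuthenticationMethod"

# Step 2: trusted corporate office location. Only ranges you control belong here, because
# a trusted location is used to exempt traffic from other policies.
$officeRanges = @("203.0.113.0/24", "198.51.100.0/24")   # placeholders
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate Offices"
    isTrusted     = $true
    ipRanges      = @($officeRanges | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}
"Named location {0} created ({1})" -f $namedLocation.DisplayName, $namedLocation.Id

# Step 3: turn SMS off tenant-wide (the table disables or blocks it in every zone).
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Sms" `
    -BodyParameter @{
        "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
        state         = "disabled"
    }

# Step 4: authentication strength restricted to phishing-resistant combinations.
# Authenticator push, SMS and voice are deliberately absent from allowedCombinations.
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = "FSI-Phishing-Resistant"
    description         = "Control 1.11: FIDO2 / passkey or multifactor certificate-based auth only"
    allowedCombinations = @("fido2", "x509CertificateMultiFactor")
}

# Read back and confirm nothing weaker slipped in.
Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $strength.Id |
    Select-Object DisplayName, PolicyType, AllowedCombinations
```

The read-back at the end is the check worth keeping in a change ticket: if AllowedCombinations shows anything other than fido2 and x509CertificateMultiFactor, the strength does not deliver the phishing resistance the policy name promises.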

Step 5: Create Conditional Access Policies

Portal Path: Protection > Conditional Access > Policies > + New policy

Policy 1: Baseline MFA for All Users

  1. Click + New policy
  2. Configure:
       • Name: FSI-Baseline-All-Users-MFA
       • Users: All users (exclude break-glass accounts)
       • Cloud apps: All cloud apps
       • Grant: Require MFA
       • State: Enabled
  3. Click Create

Policy 2: Agent Creators - Phishing-Resistant MFA

  1. Click + New policy
  2. Configure:
       • Name: FSI-Enterprise-Agent-Creators-PhishingResistantMFA
       • Users: sg-enterprise-agent-creators (exclude break-glass)
       • Cloud apps: Power Platform, Copilot Studio
       • Grant: Require authentication strength (FSI-Phishing-Resistant)
       • State: Report-only (test first; review the sign-in logs for this policy before switching to Enabled)
  3. Click Create

Policy 3: High-Risk Sign-In Response

  1. Click + New policy
  2. Configure:
       • Name: FSI-HighRisk-SignIn-Response
       • Users: All users (exclude break-glass)
       • Conditions: Sign-in risk = High
       • Grant: Require MFA
       • State: Enabled
  3. Click Create

Require password change is a user-risk remediation, not a sign-in-risk one: it is meant for the User risk condition (the account itself is likely compromised) and must be paired with Require MFA under "Require all the selected controls". Create it as a separate policy (Users: All users excluding break-glass, Conditions: User risk = High, Grant: Require MFA and Require password change) so that a compromised credential is rotated rather than only re-challenged.
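The same three policies, plus the user-risk companion policy for password change, as an added Microsoft Graph PowerShell example (not code from the original page). The break-glass object IDs and the application IDs of Power Platform and Copilot Studio are placeholders that you must fill in; the group and strength names are the ones used above.

```powershell
# Added example (not from the original page): Step 5 policies via Microsoft Graph PowerShell.
# Assumptions: $breakGlassIds and $agentAppIds are placeholders; the strength from Step 4 exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$breakGlassIds = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder: break-glass account 1
    "00000000-0000-0000-0000-000000000002"    # placeholder: break-glass account 2
)
$agentAppIds        = @("<power-platform-app-id>", "<copilot-studio-app-id>")   # placeholders: copy from Enterprise applications
$agentCreatorsGroup = (Get-MgGroup -Filter "displayName eq 'sg-enterprise-agent-creators'").Id
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq "FSI-Phishing-Resistant"
if (-not $strength) { throw "Create the FSI-Phishing-Resistant authentication strength (Step 4) first." }

function New-FsiCaPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Every policy excludes the break-glass accounts; enforce it in one place so none is forgotten.
    $Policy.conditions.users.excludeUsers = $breakGlassIds
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    "{0,-55} {1}" -f $created.DisplayName, $created.State
}

# Policy 1: baseline MFA for all users on all apps.
New-FsiCaPolicy -Policy @{
    displayName   = "FSI-Baseline-All-Users-MFA"
    state         = "enabled"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: agent creators need the phishing-resistant strength; report-only until reviewed.
New-FsiCaPolicy -Policy @{
    displayName   = "FSI-Enterprise-Agent-Creators-PhishingResistantMFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($agentCreatorsGroup) }
        applications   = @{ includeApplications = $agentAppIds }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.Id } }
}

# Policy 3: high sign-in risk is re-challenged with MFA.
New-FsiCaPolicy -Policy @{
    displayName   = "FSI-HighRisk-SignIn-Response"
    state         = "enabled"
    conditions    = @{
        users            = @{ includeUsers = @("All") }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Companion policy: high user risk forces MFA AND a password change (passwordChange is only
# valid together with mfa under the AND operator).
New-FsiCaPolicy -Policy @{
    displayName   = "FSI-HighRisk-User-PasswordChange"
    state         = "enabled"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
```

Keep Policy 2 in enabledForReportingButNotEnforced until the report-only results show every agent creator already holds a FIDO2 or certificate credential; enabling it earlier locks out the people who build the agents.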

Step 6: Validate Break-Glass Exclusions

Portal Path: Protection > Conditional Access > Policies > What if

  1. Navigate to What if
  2. Select break-glass account
  3. Select all cloud apps
  4. Click What if
  5. Expected: No CA policies apply (or only intended controls)
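What if evaluates one account at a time. The following added example (not code from the original page) walks every enabled or report-only policy and reports any that does not exclude a break-glass account, counting both direct user exclusions and membership of excluded groups. The break-glass object IDs are placeholders.

```powershell
# Added example (not from the original page): verify break-glass exclusions across all policies.
# Assumption: the object IDs below are placeholders for the tenant's break-glass accounts.
Connect-MgGraph -Scopes "Policy.Read.All","GroupMember.Read.All"

$breakGlassIds = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder
    "00000000-0000-0000-0000-000000000002"    # placeholder
)

function Get-CaExcludedUserIds {
    param([Parameter(Mandatory)]$Policy)
    # Direct user exclusions plus transitive members of excluded groups (nested groups count).
    $ids = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($u in @($Policy.Conditions.Users.ExcludeUsers)) { [void]$ids.Add($u) }
    foreach ($g in @($Policy.Conditions.Users.ExcludeGroups)) {
        Get-MgGroupTransitiveMember -GroupId $g -All | ForEach-Object { [void]$ids.Add($_.Id) }
    }
    return $ids
}

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -eq "disabled") { continue }        # disabled policies cannot lock anyone out
    $excluded = Get-CaExcludedUserIds -Policy $p
    foreach ($id in $breakGlassIds) {
        if (-not $excluded.Contains($id)) {
            [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; MissingBreakGlass = $id }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    throw "Break-glass exclusion missing in $(@($findings).Count) policy/account pair(s); fix before enabling further policies."
}
"All enabled and report-only policies exclude the break-glass accounts."
```

The check is deliberately strict: it also flags policies scoped to a single group that the break-glass accounts are not in, because the standing recommendation is to exclude them from every policy, not only the ones that happen to target them today. Run it after each policy change and before flipping a report-only policy to Enabled.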

Step 7: Configure Agent ID (Preview)

Portal Path: Agent ID (Preview)

Review Agent Overview

  1. Navigate to Agent ID > Overview
  2. Review agent metrics:
       • Total agents
       • Recently created
       • Unmanaged (assign sponsors)
       • Active agents

Configure Agent Collections

  1. Navigate to Agent collections
  2. Review the predefined collections:
       • Global: visible to all identities
       • Quarantined: hidden from all (use for review)
  3. Create custom collections as needed

Assign Agent Sponsors

  1. Navigate to All agent identities
  2. For each Zone 2/3 agent:
       • Select the agent
       • Assign a human sponsor
       • Document the sponsorship

Step 8: Monitor Agent Sign-Ins

Portal Path: Agent ID > Sign-in logs

  1. Navigate to Sign-in logs
  2. Filter: Is Agent = Yes
  3. Review:
       • Service principal sign-ins
       • Non-interactive user sign-ins
  4. Configure alerts for anomalies

Back to Control 1.11 | PowerShell Setup | Verification Testing | Troubleshooting


Updated: January 2026 | Version: v1.2