July 13, 2026July 13, 2026 Conditional Access (CA) Policy templates Table of Contents CA policy templates in Admin portal I noticed lately when I was setting up an empty M365 tenant via admin.microsoft.com that there are under Setup > Sign in and Security a section called Deploy Conditional Access (CA) Policy templates which description says: “The Deploy Conditional Access Policies guide provides customers who have the Microsoft Entra ID P1 or P2 license with customizable Conditional Access (CA) templates that include the most common and least intrusive security standards in the Zero Trust, secure foundation, remote work, protect administrator, and emerging threat scenarios. Customers with P2 license can also use risk-based CA policies.”So there are different template categories to use if you have no idea of how to build CA policies. Very nice indeed. Now if you press the link the CA policy section opens Click image to enlarge portal opens the review guide page and when you press the button the portal opens the wizard for deploying CA templates by selected categories. Click image to enlarge Template wizard suggests you before the start to create couple of emergency accounts just to make sure don’t lock yourself out from the Entra organization. That would be awful.That emergency account is placed as excluded identity when configuring those CA policies. Existing CA policies (if any) The next part is where you can review your current CA policies if there are any. The green dot above tells that I have existing CA policies in my tenant. I can review them by pressing that red lined button Click image to enlarge In review panel you can set the status of existing policies if needed: On-Off-Report only. Template categories Next you can choose from template categories. There are five categories:Secure FoundationZero TrustRemote WorkProtect AdministratorEmerging Threats If you press the Review category definitions button the panel opens to the right and shows what each category is included.Foe example if you choose Zero Trust is shows like this: Click image to enlarge You can have 14 individual conditional access template policies just for using the wizard. And now if you press the blue NEXT button in lower page you can actually choose what you want to deploy to your Entra ID and select the status: On-Off- Report Only.NOTE. Some of the policies will need Entra ID P2 license. It it mentioned in brackets. If you are happy with your selections press NEXT and you need to choose the multifactor authentication methods for your organization: NOTE. Low security methods are not recommended to use because known vulnerabilities.You can leave the pre-selected methods or add new ones for example FIDO2 keys.Otherwise press NEXT for the Review page: Finally there’s a SAVE CONFIGURATION button in lower page. Pressing that those CA policies are then created and are seen for example in Entra ID Conditional Access page or you can also use the same CA template wizard and look for the current policies. Naming convention for CA policies Now when you have created the CA policies with the wizard you need to review them and maybe name them better using the naming convention made by my friend Valtteri Aho.Here’s the link for Valtteri Aho’s blog: How about them Conditional Access Policies! Part 1 – Naming convention – Wallo BlogLook for his blog about this but here’s a short example:CAG001: All require compliant device for All users when Browser v1.0 @copyright Valtteri Aho Conclusion It’s good that Microsoft have brought customers a helping hand to create these conditional access policies. These help a lot a of Identity and Access management in Entra ID and enhances the tenant security.Try and use. Of course you need to validate and edit those later but it speeds up the tenant configuration because there a lot to do. Jussi Metso Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future. Share on Social Mediaxfacebooklinkedinwhatsapp Discover more from Jussi Metso Subscribe to get the latest posts sent to your email. Type your email… Subscribe entraid #cloudsecurityentraid