Skip to content
Jussi Metso
Jussi Metso

It’s all about The Cloud and The Security

  • Posts
  • About the blog
  • Activity
  • Connect!
  • Privacy Policy
Jussi Metso

It’s all about The Cloud and The Security

Conditional access security diagram with identity, device, location inputs leading to allow or block decisions, and MFA.
July 13, 2026July 13, 2026

Conditional Access (CA) Policy templates

Table of Contents

CA policy templates in Admin portal

I noticed lately when I was setting up an empty M365 tenant via admin.microsoft.com that there are under Setup > Sign in and Security a section called Deploy Conditional Access (CA) Policy templates  which description says: “The Deploy Conditional Access Policies guide provides customers who have the Microsoft Entra ID P1 or P2 license with customizable Conditional Access (CA) templates that include the most common and least intrusive security standards in the Zero Trust, secure foundation, remote work, protect administrator, and emerging threat scenarios. Customers with P2 license can also use risk-based CA policies.”

So there are different template categories to use if you have no idea of how to build CA policies. Very nice indeed.

Admin portal setup with CA templates

Now if you press the link the CA policy section opens

review CA policy guide
Click image to enlarge

portal opens the review guide page and when you press the button the portal opens the wizard for deploying CA templates by selected categories.

Click image to enlarge

Template wizard suggests you before the start to create couple of emergency accounts just to make sure don’t lock yourself out from the Entra organization. That would be awful.

That emergency account is placed as excluded identity when configuring those CA policies.

Existing CA policies (if any)

The next part is where you can review your current CA policies if there are any.  The green dot above tells that I have existing CA policies in my tenant. I can review them by pressing that red lined button

Click image to enlarge

In review panel you can set the status of existing policies if needed: On-Off-Report only.

Template categories

Next you can choose from template categories. 

There are five categories:

  • Secure Foundation
  • Zero Trust
  • Remote Work
  • Protect Administrator
  • Emerging Threats

If you press the Review category definitions button the panel opens to the right and shows what each category is included.

Foe example if you choose Zero Trust is shows like this:

Click image to enlarge

You can have 14 individual conditional access template policies just for using the wizard. And now if you press the blue NEXT button in lower page you can actually choose what you want to deploy to your Entra ID and select the status: On-Off- Report Only.

NOTE. Some of the policies will need Entra ID P2 license. It it mentioned in brackets.

If you are happy with your selections press NEXT and you need to choose the multifactor authentication methods for your organization:

NOTE. Low security methods are not recommended to use because known vulnerabilities.

You can leave the pre-selected methods or add new ones for example FIDO2 keys.

Otherwise press NEXT for the Review page:

Finally there’s a SAVE CONFIGURATION button in lower page. Pressing that those CA policies are then created and are seen for example in Entra ID Conditional Access page or you can also use the same CA template wizard and look for the current policies.

Naming convention for CA policies

Now when you have created the CA policies with the wizard you need to review them and maybe name them better using the naming convention made by my friend Valtteri Aho.

Here’s the link for Valtteri Aho’s blog: How about them Conditional Access Policies! Part 1 – Naming convention – Wallo Blog

Look for his blog about this but here’s a short example:

CAG001: All require compliant device for All users when Browser v1.0

@copyright Valtteri Aho

Conclusion

It’s good that Microsoft have brought customers a helping hand to create these conditional access policies. These help a lot a of Identity and Access management in Entra ID and enhances the tenant security.

Try and use. Of course you need to validate and edit those later but it speeds up the tenant configuration because there a lot to do.

Picture of Jussi Metso
Jussi Metso

Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.

Share on Social Media
xfacebooklinkedinwhatsapp

Discover more from Jussi Metso

Subscribe to get the latest posts sent to your email.

entraid #cloudsecurityentraid

Post navigation

Previous post

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Link to my MVP profile:

Join our Security User Group:

Subscribe my blog to get updates!

Join 42 other subscribers

Recent Posts

  • Conditional Access (CA) Policy templates
  • Enabling Cloud Security in Defender portal
  • Red Tenant intro
  • Understanding Microsoft Zero Trust Assessment Tool
  • Book review of Microsoft Security Copilot for Security Operations

Top posts:

Defender for Cloud – Part 10: Cloud Workload protection (CWP)
NextGen Defender for Cloud: Phase 1 - public preview
Microsoft Sentinel Data lake (preview)
Defender for Cloud - Part 6: Attack Path Analysis
Malware automated remediation in Defender for Storage

Categories

Tags

#architecture #azure #bookreview #cloudsecurity #defenderforcloud #defenderforstorage #defenderxdr #entraid #security #governance #management #malwarescan #mdcseries #securitycopilot #sentinel #siem #soc entraid

Archives

Visits on my site

24,725 hits

©2022-2026 Jussi Metso. All rights reserved.