I’ve intentionally held off on covering this topic because Conditional Access policies are nearly impossible to standardize. Every organization’s environment, risk tolerance, and goals are different, so trying to define a “one-size-fits-all” approach never really works.

Even the term baseline tends to cause confusion. What starts out as a flexible reference point often gets treated like a strict rulebook, even though that’s rarely what the creators intended.

With that in mind, this isn’t a baseline or an official recommendation. It’s simply a look at the policies I use in practice — take what fits, leave what doesn’t.

<aside> 💡

Apply broadly, exclude narrowly.

</aside>

If you assign to static groups, you’ve made yourself a static problem. Even with a dynamic group, there will be times when, for whatever reason, a user doesn’t quite match the rule, so the policy may as well have been an “all users” assignment from the start.

<aside> 📌

Note: Where a condition (property type) isn't configured, the policy applies to everything for that condition.

In "MFA all users all resources", I'm not configuring any network or other conditions. It simply applies to all users, regardless of which route they sign in through.

</aside>
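As an added example that is not part of the original post, the following Python audits a policy in the Microsoft Graph conditionalAccessPolicy JSON shape against the "apply broadly, exclude narrowly" idea: it checks whether the user and application scope is "All", flags static group assignments, and lists the conditions that are left unconfigured (and therefore apply to everything). Both sample policies, the break-glass exclusion and the object IDs in them are constructed placeholders.

```python
# Added example (not from the original post): audit a policy in the Microsoft
# Graph conditionalAccessPolicy JSON shape for "apply broadly, exclude narrowly".
# Both sample policies and the object IDs in them are constructed placeholders.
# The "MFA all users all resources" policy described above: locations, platforms
# and risk levels are left unset, so it applies regardless of them.
MFA_ALL_USERS_ALL_RESOURCES = {
    "displayName": "MFA all users all resources",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["00000000-0000-0000-0000-000000000001"],  # break-glass placeholder
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

GROUP_SCOPED_MFA = {  # counter-example: same grant, but assigned to a static group
    "displayName": "MFA for the pilot group",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": ["11111111-1111-1111-1111-111111111111"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Conditions that, when left empty, do not narrow the policy at all.
OPTIONAL_CONDITIONS = ("locations", "platforms", "signInRiskLevels", "userRiskLevels")


def audit_policy(policy: dict) -> dict:
    """Report scope breadth, exclusions, unconfigured conditions and warnings."""
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    findings = {
        "broad_users": users.get("includeUsers") == ["All"],
        "broad_apps": apps.get("includeApplications") == ["All"],
        "static_groups": list(users.get("includeGroups") or []),
        "exclusions": len(users.get("excludeUsers") or []) + len(users.get("excludeGroups") or []),
        "unconfigured": [c for c in OPTIONAL_CONDITIONS if not cond.get(c)],
    }
    checks = [
        (findings["static_groups"], "assigned to static groups: users outside them get no MFA prompt"),
        (not findings["broad_users"], "user scope is not 'All'"),
        (not findings["broad_apps"], "application scope is not 'All'"),
        (policy.get("state") != "enabled", "state is not 'enabled', so the policy is not enforced"),
    ]
    findings["warnings"] = [msg for hit, msg in checks if hit]
    return findings
```

Run `audit_policy` over policies exported from Graph to see at a glance which ones are narrowed by group membership rather than by exclusions.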


Recommended Conditional Access Policies