Where the risk shows up

Conditional Access is reliable only when policies are understandable, tested and cleaned up regularly. Exceptions, legacy devices and administrative accounts are the usual weak spots where control concepts lose precision.

For projects, the key is to define baselines: MFA for privileged roles, separated admin identities, strong device signals and clear break-glass processes.

Checks worth doing

  • Model administrative access separately
  • Give exceptions an expiry date
  • Disable legacy authentication consistently
  • Test policies with pilot groups
  • Roll out changes in a documented and reversible way

What gets better

  • Admin and user access follow clear baselines instead of grown one-off rules.
  • Exceptions become visible and receive an expiry date.
  • Risk decisions can be explained through identity, device state and sign-in context.

Where it can hurt

  • Too many overlapping policies become hard to maintain quickly.
  • Break-glass accounts are dangerous when they exist but are not tested and monitored.
  • Old devices and legacy authentication delay rollouts when not identified early.

Checks before rollout

  1. Which policies apply to privileged roles?
  2. Which exceptions are permanent and why?
  3. Are break-glass accounts separated, protected and alerted?
  4. Which legacy sign-ins must disappear before enforcement?