
Conditional Access Policies

How IdentityOps analyzes your Conditional Access policies, detects control gaps, and scores your tenant's security posture.

Applies to: Pro
Module: Conditional Access
Conditional Access analysis is available on the Pro plan and above. It requires the additional Intune and Policy read permissions described in Permissions Explained.

What gets analyzed

IdentityOps reads all Conditional Access policies from your Entra tenant via Microsoft Graph. For each policy, it evaluates the state (Enabled, Report-Only, Disabled), target conditions (users, groups, apps, platforms), and grant controls (MFA, device compliance, domain join).

The analysis runs pattern detectors across your full policy set to identify control gaps — scenarios where users, apps, or devices are not covered by the security controls you expect.

Health score

Your tenant receives a Conditional Access health score from 0 to 100 based on the findings detected. The score reflects the likelihood of breach from policy gaps, not the number of policies you have.

Good (70–100): Strong posture. Core controls are in place and enforced. Low breach likelihood from policy gaps.
Fair (40–69): Moderate gaps. Some controls are missing or in report-only mode. Review findings to reduce exposure.
Poor (0–39): Significant gaps. Critical controls are missing or misconfigured. High likelihood of breach from policy weaknesses.

Coverage metrics

IdentityOps computes three key coverage metrics from your enforced policies. These give you a quick read on how well your Conditional Access policies protect your tenant.

MFA coverage: Percentage of enforced policies that require multi-factor authentication. Higher coverage means more sign-in scenarios are protected by MFA.
Device compliance: Percentage of enforced policies that require a compliant or domain-joined device. Protects against sign-ins from unmanaged endpoints.
Legacy auth blocking: Whether legacy authentication protocols (POP, IMAP, SMTP, ActiveSync) are blocked. Legacy auth bypasses modern security controls like MFA.
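The three metrics above, computed the way the text describes, as an added example that is not IdentityOps code: it reads constructed Microsoft Graph conditionalAccessPolicy records (the field names follow the Graph schema; the coverage heuristics and the legacy-auth check are assumptions, not the product's own detectors).

```python
# Added example, not IdentityOps code: the page's three coverage metrics computed
# over constructed Graph conditionalAccessPolicy records (field names follow the
# Graph schema; the heuristics are assumptions, not the product's own detectors).
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # Graph's legacy client app types
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def is_enforced(policy):
    return policy.get("state") == "enabled"  # report-only and disabled do not count

def grant_controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def blocks_legacy_auth(policy):
    """Enforced policy that blocks both legacy client app types for all users."""
    cond = policy.get("conditions", {})
    return (is_enforced(policy)
            and "block" in grant_controls(policy)
            and LEGACY_CLIENT_APPS <= set(cond.get("clientAppTypes", []))
            and "All" in cond.get("users", {}).get("includeUsers", []))

def coverage(policies):
    """MFA and device coverage as a percentage of enforced policies, plus whether
    any enforced policy blocks legacy auth and how many sit in report-only."""
    enforced = [p for p in policies if is_enforced(p)]
    n = len(enforced) or 1  # avoid division by zero when nothing is enforced
    mfa = sum("mfa" in grant_controls(p) for p in enforced)
    device = sum(bool(DEVICE_CONTROLS & grant_controls(p)) for p in enforced)
    return {
        "mfa_coverage": round(100 * mfa / n),
        "device_compliance": round(100 * device / n),
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "report_only": sum(p.get("state") == "enabledForReportingButNotEnforced"
                           for p in policies),
    }

# Constructed sample tenant: the legacy-auth block was left in report-only mode,
# so it counts for nothing in the metrics even though the policy exists.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
```

Running `coverage(SAMPLE_POLICIES)` reports 50% MFA coverage, 50% device compliance and legacy auth not blocked, because only enforced policies count; switching the second policy's state to `enabled` flips the legacy-auth result.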

Common findings

IdentityOps runs eight pattern detectors against your policy set. Each finding includes a severity level, impact description, step-by-step remediation guidance, and expected outcome after the fix.

MFA_GAP (critical): One or more user populations can sign in without MFA. This is the most common attack vector for account compromise.
LEGACY_AUTH_ALLOWED (critical): Legacy authentication protocols are not blocked. Attackers can bypass MFA entirely using older protocols.
NO_DEVICE_COMPLIANCE (warning): No policies require device compliance. Sign-ins from unmanaged or compromised devices are permitted.
GUEST_UNGOVERNED (warning): Guest/external users are not covered by Conditional Access policies. External identities may have unrestricted access.
STALE_REPORT_ONLY (warning): Policies have been in report-only mode for an extended period. They log violations but do not enforce controls.
BREAK_GLASS_GAP (warning): No emergency access (break-glass) accounts are excluded from policies. A lockout scenario could leave admins unable to recover access.
OVER_BROAD_SCOPE (info): A policy applies to all users or all cloud apps without targeting. Overly broad policies can cause unintended blocks or exemptions.
AUTOPILOT_DEADLOCK (critical): Conflicting policies create a deadlock where device enrollment requires compliance, but compliance requires enrollment. New devices cannot complete Autopilot.

Finding details

When you expand a finding card in the UI, you see four components:

Impact: What this gap means for your tenant’s security posture in plain language.
Affected policies: Which specific policies are involved in the finding, with links to the policy list.
Remediation: Step-by-step guidance for fixing the issue. For critical findings, simulation warnings are included when changes could affect users.
Expected outcome: What your security posture will look like after the fix is applied.

Actions you can take

IdentityOps does not modify your Conditional Access policies. It provides analysis and guidance — you make changes in the Entra Admin Center.

Filter by policy state: View only Enabled, Report-Only, or Disabled policies to focus your review.
Fix Highest Risk: Jump directly to the most critical finding with remediation guidance.
Expand findings: Each finding card shows the impact, affected policies, step-by-step remediation, and expected outcome.
Toggle view modes: Switch between Simple view (findings-first) and Advanced view (full policy table) depending on your workflow.

IdentityOps Recommendation

Start with MFA_GAP and LEGACY_AUTH_ALLOWED. These two findings alone cover the most common breach vectors in Entra tenants. Fix them before optimizing device compliance or guest policies.

Where teams usually go next

Review device compliance posture
Check app governance for permission scope risks
Set up alerts for CA finding changes