Free tool · 5 minutes · Microsoft Entra ID
Score your Microsoft Entra ID Conditional Access posture against the layered baseline that Microsoft and ASD recommend. Most tenants run two or three policies. The recommended set is closer to ten. Five minutes, one PDF.
10 questions · 4 domains
Score your Microsoft Entra ID Conditional Access posture against the layered baseline that Microsoft and ASD recommend. Pick the option closest to your tenant's current configuration.
Domain 1
The non-negotiable starting set: block legacy authentication, require MFA for all users, require stronger authentication for admins.
Have you blocked legacy authentication protocols (POP, IMAP, SMTP basic, etc.) tenant-wide?
Source: Microsoft Learn: Block legacy authentication; CIS M365 Benchmark.
Is multi-factor authentication required for all users?
Source: Microsoft Learn: Require multi-factor authentication; ASD ISM (multi-factor authentication).
How is admin access protected?
Source: Microsoft Learn: Privileged Identity Management; ASD ISM (privileged user activities).
Domain 2
Identity Protection sign-in and user risk policies that respond automatically to anomalous behaviour.
Is the Identity Protection sign-in risk policy enabled?
Source: Microsoft Learn: Sign-in risk-based Conditional Access policies.
Is the Identity Protection user risk policy enabled?
Source: Microsoft Learn: User risk-based Conditional Access policies.
Domain 3
Require compliant devices for sensitive apps, trusted locations for admin actions, and country restrictions where appropriate.
Are sensitive applications gated to compliant or hybrid-joined devices only?
Source: Microsoft Learn: Conditional Access compliant device requirement.
Are sign-ins restricted by location or country?
Source: Microsoft Learn: Location-based Conditional Access policies.
Domain 4
Token protection, continuous access evaluation, sign-in frequency for sensitive apps, and MFA for guest users.
Is token protection or continuous access evaluation enabled for sensitive sessions?
Source: Microsoft Learn: Continuous access evaluation; Token protection in Conditional Access.
Are guest users (B2B) covered by MFA and access controls?
Source: Microsoft Learn: External identities and Conditional Access; Entra ID access reviews.
Are Conditional Access policies monitored and reviewed on a defined cadence?
Source: Microsoft Learn: Conditional Access insights and reporting; ASD ISM (audit logging).
Indicative self-assessment only. For verified results Frontrow Technology runs an in-tenant Conditional Access audit against the customer's Entra ID configuration.
What the checker covers
Domain 1
Microsoft's Conditional Access deployment guide recommends every tenant block legacy authentication and require MFA across all users as the first two policies. ASD's Information Security Manual aligns. These three policies block the vast majority of identity attacks against Microsoft 365 tenants.
Domain 2
Identity Protection (P2 licensing) detects sign-ins from anonymous IPs, atypical travel, leaked credentials and other risk signals. Conditional Access can use these signals to block, require MFA, or force a password change. Most tenants have the licence but never enable the policies.
Domain 3
Microsoft's guidance and ASD's ISM both recommend gating sensitive apps and admin actions behind compliant-device and trusted-location requirements. Country-based restrictions reduce the attack surface from regions with no business reason to access the tenant.
Domain 4
Token theft is the dominant attack vector against MFA-protected tenants in 2025-26. Token protection and continuous access evaluation reduce the attack window. Guest users frequently bypass MFA in misconfigured tenants and need explicit policy coverage.
Frequently asked questions
A Conditional Access policy in Microsoft Entra ID is an if-this-then-that statement applied at sign-in. The 'if' is conditions like user, location, device state, application, or sign-in risk. The 'then' is grant or block, with controls like requiring MFA, requiring a compliant device, or requiring sign-in frequency. Conditional Access is the primary identity perimeter control in Microsoft 365.
Microsoft's deployment guide and ASD's Information Security Manual both recommend a layered baseline of roughly 10 policies covering identity, risk, device, location, session and guest controls. Most Australian mid-market tenants Frontrow audits run two to three policies. The gap is consistent.
Legacy authentication protocols (POP, IMAP, SMTP basic, MAPI over HTTP) do not support modern authentication or MFA. They are responsible for the majority of password-spray and credential-stuffing attacks against Microsoft 365 tenants. Microsoft has been deprecating legacy auth on the platform side, but every tenant still needs an explicit Conditional Access policy that blocks it.
Conditional Access enforces policies at sign-in. Identity Protection (P2 licensing) detects risk signals (anonymous IP, atypical travel, leaked credentials, password spray) and assigns sign-in and user risk scores. Conditional Access then uses those signals as conditions in policies. They work together. Identity Protection without Conditional Access policies is detection without enforcement.
Most baseline policies (block legacy auth, require MFA, require compliant device, location and country) work with Entra ID P1 included in Microsoft 365 Business Premium and E3. Identity Protection sign-in and user risk policies require P2 (included in E5 or as a separate add-on). The ten-policy baseline assumes P2 for the risk policies. Without P2 the rest still apply.
Use report-only mode. Every Conditional Access policy can be deployed in report-only mode first, which logs the policy outcome without enforcing it. Run report-only for one to two weeks, review the sign-in logs for policy impacts, fix the exceptions, then move to enforcement. Frontrow uses this pattern for every Conditional Access deployment.
Every scoring threshold cites a primary source: Microsoft Learn Conditional Access deployment guide, ASD Information Security Manual, and the CIS Microsoft 365 Foundations Benchmark. The methodology is authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).
A direct review of the customer's Entra ID configuration via Microsoft Graph (rather than self-reported answers), gap report against the Microsoft and ASD recommended baseline, recommended policy set with impact analysis, and a deployment plan with report-only mode validation. Indicative pricing on request.
