EPISODE · Nov 30, 2025 · 25 MIN
Conditional Access Policy: Your Conditional Access Has Trust Issues (Here’s How to Fix Them)
from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net
(00:00:00) Conditional Access Troubleshooting
(00:00:30) Overbroad Exclusions: The Invisible Leaks
(00:04:56) Device Compliance Gaps: Setting Clear Boundaries
(00:09:02) Token Theft Scenarios: Protecting Against Session Hijacking
(00:12:46) Building a Calming Baseline
(00:18:06) Safe Rollout Test Plan
(00:20:34) Monitoring and Alerts for Healthy CA
(00:25:02) Closing Thoughts and Next Episode Preview

In this episode of M365.fm, Mirko Peters explains why your Conditional Access policy isn’t misbehaving — it’s overwhelmed by mixed messages, permanent exclusions, and unclear device signals. You’ll see how over‑broad exclusions, fuzzy device compliance, and unprotected token paths quietly turn “Zero Trust” into “sometimes trust,” creating exactly the bypasses attackers love.

WHAT YOU WILL LEARN
- Why exclusions for VIPs, break‑glass, and partner domains slowly become permanent backdoors
- How to spot leaking trust using Entra sign‑in logs and “Not applied” Conditional Access results
- How to replace static exclusions with short‑lived Emergency Bypass using authentication context
- Why “Require compliant device” often fails in practice — and how to separate compliant, joined, registered, and unknown device states
- How to design fallback policies so you can remove risky exclusions without locking out the business
- Where token theft fits into this story, and why session lifetime, sign‑in frequency, and continuous access evaluation matter more than you think

THE CORE INSIGHT
Conditional Access is only as healthy as the boundaries you give it. If you rely on wide exclusions and vague device states, the engine spends more energy deciding who not to protect than enforcing Zero Trust.

Mirko shows a better pattern: start with inclusive policies (all users, all apps), eliminate permanent exclusions, and route true exceptions through a time‑bound Emergency Bypass context with clear approvals and logs. Then, clarify your device tiers (compliant, AAD joined, hybrid joined, registered) and design policies that greet each tier with the right level of friction instead of a single “compliant or blocked” toggle. The result is a Conditional Access layer that protects first, allows relief intentionally, and stops attackers from hiding in your comfort settings.

WHO THIS EPISODE IS FOR
This episode is ideal for identity architects, security engineers, and Microsoft 365 / Entra ID admins responsible for Conditional Access, device requirements, and emergency access patterns. If your policies “work” but you’re relying on exclusions, trusted locations, and vague device settings to keep people happy, this conversation will give you a field‑tested way to heal your Conditional Access trust issues without breaking your users.

ABOUT THE HOST
Mirko Peters is a Microsoft 365 consultant and digital workplace architect focused on building identity‑first, Conditional‑Access‑driven security on the Microsoft cloud. Through M365.fm, Mirko shares practical policy patterns, investigation stories, and governance models that help organizations turn Conditional Access from a scary toggle into a reliable core of their Zero Trust design.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
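The "spot leaking trust in the sign-in logs" check from the episode, written out as an added example (not code from M365.fm or the host): it walks an export of Entra sign-in records and reports users whose sign-ins were evaluated by no policy at all, plus how often each policy reported notApplied. The records are constructed; the field names (conditionalAccessStatus, appliedConditionalAccessPolicies, displayName, result) follow the Microsoft Graph signIn schema, and the user, app and policy names are invented.

```python
import json
from collections import Counter

# Constructed sample export of Entra sign-in records. Field names follow the
# Microsoft Graph signIn resource (conditionalAccessStatus,
# appliedConditionalAccessPolicies); users, apps and policy names are invented.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook",
     "conditionalAccessStatus": "success", "appliedConditionalAccessPolicies": [
         {"displayName": "CA001-Require-MFA", "result": "success"},
         {"displayName": "CA002-Require-Compliant-Device", "result": "success"}]},
    {"userPrincipalName": "ceo@example.com", "appDisplayName": "Outlook",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [
         {"displayName": "CA001-Require-MFA", "result": "notApplied"},
         {"displayName": "CA002-Require-Compliant-Device", "result": "notApplied"}]},
    {"userPrincipalName": "partner@contoso.example", "appDisplayName": "SharePoint",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [
         {"displayName": "CA001-Require-MFA", "result": "notApplied"},
         {"displayName": "CA002-Require-Compliant-Device", "result": "notApplied"}]},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Teams",
     "conditionalAccessStatus": "success", "appliedConditionalAccessPolicies": [
         {"displayName": "CA001-Require-MFA", "result": "success"},
         {"displayName": "CA002-Require-Compliant-Device", "result": "notApplied"}]},
])

ENFORCED = ("success", "failure")  # results meaning a policy actually evaluated the sign-in

def find_ca_leaks(signins_json):
    """Return (uncovered, not_applied) Counters: sign-ins per user where no
    policy reported success/failure (every policy skipped it, the "Not applied"
    leak that permanent exclusions create), and notApplied count per policy,
    so the policy with the widest exclusions floats to the top."""
    uncovered, per_policy = Counter(), Counter()
    for rec in json.loads(signins_json):
        policies = rec.get("appliedConditionalAccessPolicies", [])
        for pol in policies:
            if pol["result"] == "notApplied":
                per_policy[pol["displayName"]] += 1
        if not any(pol["result"] in ENFORCED for pol in policies):
            uncovered[rec["userPrincipalName"]] += 1
    return uncovered, per_policy

def report(signins_json):
    """Human-readable summary: uncovered users first, then policies by leak count."""
    uncovered, per_policy = find_ca_leaks(signins_json)
    lines = [f"NO CA ENFORCED: {upn} ({n} sign-in(s))" for upn, n in sorted(uncovered.items())]
    lines += [f"{name}: notApplied on {n} sign-in(s)" for name, n in per_policy.most_common()]
    return lines
```

Run `report()` over a real export (the Entra sign-in logs JSON download or a Graph `auditLogs/signIns` query) to see which excluded users never hit a policy; bob's record shows the difference between one policy skipping a sign-in and every policy skipping it.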