Skip to main content
KBY Technologies Logo
Graduate Track

Deploying Entra ID Conditional Access Without Locking Everyone Out

A staged, reversible method for enforcing MFA via Entra ID Conditional Access, covering break-glass accounts, Report-only validation, and rollback steps.

Jonah Blake 14 July 202611 min read Production Ready 45 min labEnterprise Networking Fundamentals

Mission brief

What you will achieve

Complete a production-safe implementation and leave with verification and rollback evidence.

Practical steps

5 guided stages

Follow these in order as your working checklist.

Time to set aside

About 45 minutes

Includes configuration, validation and rollback checks.

Tutorial navigation
Production note
Validate permissions, test changes in a non-production scope, record the previous state, and retain a rollback path before applying operational steps.

Before you begin

  • Entra ID role-based access administration
  • Basic understanding of MFA and identity protection
  • Familiarity with enterprise change management processes

Conditional Access is the control plane for identity security in Microsoft 365 and Entra ID. It evaluates every sign-in against a set of conditions — user, role, location, device state, application — and decides whether to grant, block, or challenge access. That power is exactly why it is also one of the fastest ways to lock an entire workforce out of production systems if deployed carelessly. A single misconfigured grant control, applied directory-wide with no staging, can strand thousands of users and every administrator who might fix it in the same instant. This tutorial walks through a production-safe rollout of a Conditional Access policy that requires multi-factor authentication for administrative roles, using staged enforcement, break-glass accounts, sign-in log evidence, and a rollback path you can execute in under two minutes. The goal is not just to enable a security control — it is to enable it in a way that survives an audit, a postmortem, and a Friday afternoon change window.

#Scenario

You have been asked to enforce MFA for all users assigned Global Administrator, Privileged Role Administrator, and Security Administrator roles in Entra ID. Your organisation has 4,000 users, a hybrid AD-to-Entra sync, and several service accounts with legacy authentication dependencies. A previous attempt at this rollout two years ago caused a partial lockout during a Friday afternoon change window, so leadership expects a documented, reversible process this time. That prior incident is the reason this tutorial treats Report-only mode, pilot scoping, and break-glass verification as mandatory gates rather than optional best practice — the organisation has already paid the cost of skipping them once.

#Prerequisites

  • Entra ID P1 or P2 licensing (Conditional Access requires at least P1; P2 additionally unlocks risk-based conditions if you plan to layer those in later)
  • An account with the Conditional Access Administrator role — not Global Administrator, per least-privilege practice. This role can create, edit, and enable Conditional Access policies without also holding rights over billing, Exchange, or other administrative surfaces that have nothing to do with this change
  • At least two break-glass emergency access accounts already provisioned, excluded from all Conditional Access policies, with credentials stored offline in a sealed vault (a physical safe, a hardware security module, or an equivalent control — not a password manager reachable through the same tenant you might be locked out of)
  • Access to the Entra sign-in logs and the Conditional Access “What If” tool
  • A named change record or ticket in your ITSM tool, even if your organisation’s change process is lightweight — this becomes the audit trail referenced throughout the rollout
  • A communication channel (Slack, Teams, or a distribution list) that reaches every account holding one of the three target roles, so pilot and enforcement notices are not sent into a void

#Roles and permissions you will actually touch

Because Conditional Access sits adjacent to several other administrative surfaces, it helps to know precisely which role does what before you start assigning access for this project. The table below maps the roles relevant to this rollout to the actions they permit, so you can request the narrowest role that still lets you complete the work.

RoleCan doCannot doUse for this rollout?
Conditional Access AdministratorCreate, edit, enable, and disable Conditional Access policies; use the What If toolAssign directory roles; manage break-glass account credentialsYes — primary role for Steps 2 through 5
Security ReaderView sign-in logs, Conditional Access policies, and audit logsEdit or enable any policyUseful for a second reviewer validating Step 3 evidence
Privileged Role AdministratorAssign or remove directory roles, including on break-glass accountsEdit Conditional Access grant controlsNeeded only if role assignments must change alongside the policy
Global AdministratorEverything above, plus tenant-wide configurationNothing, which is precisely the problemAvoid for this task; reserve for break-glass and emergencies

#Step 1: Verify break-glass accounts before touching anything

Before creating or editing any policy, confirm your emergency accounts are functional and excluded from Conditional Access scope. This is not a formality — it is the single control that turns a potential multi-hour incident into a two-minute fix.

  1. In the Entra admin center, go to Identity > Users and locate your break-glass accounts.
  2. Confirm each account has Global Administrator assigned and is not synced from on-premises AD (cloud-only accounts survive on-prem outages and cannot be affected by AD Connect sync failures).
  3. Go to Protection > Conditional Access > Policies, open every existing policy, and confirm both break-glass accounts appear in the Exclude users list.
  4. Perform a live sign-in test for each break-glass account from a private browser session. Confirm successful authentication with no MFA prompt (since they should also be excluded from any MFA registration campaign).
  5. Record the test timestamp, the account used, and the outcome in your change ticket. If an auditor later asks how you know the rollback path worked, this is your evidence.

Do not proceed to Step 2 until both accounts authenticate successfully. This is your rollback insurance policy, and skipping it is the single most common root cause of the kind of lockout this tutorial exists to prevent.

#Step 2: Build the policy in Report-only mode

  1. Create a new policy named clearly, for example CA-Admins-RequireMFA-v1. Version numbers in policy names make audit trails and rollback conversations much easier, especially six months later when someone asks why there are three similarly named policies in the tenant.
  2. Users: Include the directory roles Global Administrator, Privileged Role Administrator, and Security Administrator. Exclude both break-glass accounts explicitly, even though they should never hold these roles unnecessarily.
  3. Cloud apps: Select “All cloud apps” for admin-role coverage, since attackers pivot across services and a gap in one application is often the entry point used to escalate into another.
  4. Grant: Require multi-factor authentication.
  5. Enable policy: Set to Report-only. This is the control that prevents accidental lockouts — the policy evaluates and logs as if it were enforced, but does not block any sign-in.

A minimal representation of the target policy configuration, for reference when comparing against what you actually built in the portal:

1Name: CA-Admins-RequireMFA-v1
2State: reportOnlyMode
3Users.includeRoles: [Global Administrator, Privileged Role Administrator, Security Administrator]
4Users.excludeUsers: [breakglass-01@tenant.onmicrosoft.com, breakglass-02@tenant.onmicrosoft.com]
5Applications.includeApplications: All
6GrantControls.builtInControls: [mfa]
7GrantControls.operator: OR

#Step 3: Validate using sign-in logs, not assumptions

  1. Leave the policy in Report-only mode for a minimum of 5 business days to capture a full weekly authentication cycle, including any batch jobs or scheduled service account activity that only runs overnight or on weekends.
  2. Go to Identity > Monitoring & health > Sign-in logs, filter by the policy name, and review the “Conditional Access” tab for each sign-in event.
  3. Identify any sign-in marked as it would have been Failure under enforcement. Cross-reference these against known service accounts or automation identities holding admin roles — this is the most common source of production breakage.
  4. Use the What If tool (Protection > Conditional Access > What If) to simulate specific problem accounts against the policy and confirm expected behaviour before enforcement.
  5. Export the filtered log results and attach them to your change record as the evidence base for the enforcement decision in Step 5.

The table below summarises the evidence you should be collecting during the Report-only window and what each piece tells you before you make an enforcement decision.

Evidence sourceWhat it tells youAction if problem found
Sign-in logs, Conditional Access tab, “Report-only: Failure”Which accounts would be blocked under enforcementInvestigate account type; add exclusion or remediate before enforcing
What If simulation for a specific userWhether the policy logic matches your intent for that identityAdjust conditions, roles, or exclusions in the policy
Legacy authentication reportService accounts or apps unable to complete an MFA challengeMigrate to modern auth or app-based credentials before enforcing
Directory role assignment reportConfirms exactly which accounts fall inside policy scopeRemove unnecessary role assignments to shrink blast radius

#Step 4: Stage enforcement with a pilot group

Do not flip the policy from Report-only straight to enforced across the full admin population. Instead:

  1. Duplicate the policy as CA-Admins-RequireMFA-v1-Pilot, scoped to a security group containing 3-5 admins who are aware of the change and reachable in real time (Slack, Teams, or phone).
  2. Set this pilot policy to On (enforced) while keeping the original directory-role-wide policy in Report-only.
  3. Notify the pilot group directly before enabling, with a rollback contact and expected MFA prompt behaviour so nobody mistakes the new prompt for a phishing attempt.
  4. Monitor sign-in logs for the pilot group for 24-48 hours. Confirm successful MFA challenges and no unexpected “blocked” events.
  5. Ask each pilot participant to confirm in writing (even a one-line chat message) that they signed in successfully with the MFA prompt. Silence is not evidence.

#Step 5: Full enforcement and change record

  1. Once pilot results are clean, open a change record per your organisation’s change management process, referencing the Report-only validation data and pilot results as evidence.
  2. Switch the full CA-Admins-RequireMFA-v1 policy from Report-only to On.
  3. Disable or delete the pilot-scoped duplicate policy to avoid overlapping policy logic during future audits.
  4. Immediately verify: sign in as a non-break-glass admin account and confirm the MFA prompt appears as expected.
  5. Close the change record with the verification evidence attached, including the sign-in log entry showing successful enforcement, not just the policy state change.

#Monitoring after enforcement

Enforcement is not the end of the work. For the first two weeks after go-live, review the sign-in logs daily rather than weekly, filtering specifically for failures tied to the policy. Set up an alert, either through a log analytics workspace query or a scheduled export, that flags any admin-role sign-in failure attributed to this policy so you are not relying on a help desk ticket as your first signal. Pay particular attention to the first Monday morning after enforcement and the first month-end close, since both tend to surface service accounts or scheduled processes that were dormant during the Report-only window and did not appear in your original evidence set. If your organisation runs a monthly access review, add a check confirming the policy still targets exactly the three intended roles and that no new exclusions have been added without a corresponding change record.

#Rollback procedure

If enforcement causes unexpected lockouts:

  1. Sign in using a break-glass account (this is why Step 1 exists).
  2. Navigate to the policy and set Enable policy back to Report-only or Off. This takes effect within roughly one minute — there is no propagation delay comparable to DNS or on-prem group policy.
  3. Confirm affected users can now sign in normally by checking sign-in logs for successful authentication events.
  4. Document the failure mode in your change record, correct the policy scope or exclusions, and return to Step 2 (Report-only) rather than re-enforcing directly.
  5. Notify affected users and the pilot channel that the rollback is complete and that normal sign-in behaviour has resumed, so help desk tickets do not continue accumulating against a resolved issue.

#Common failure modes

  • Service accounts with legacy authentication holding admin roles cannot complete MFA and fail silently until enforcement — caught in Step 3 if sign-in logs are reviewed properly.
  • Break-glass accounts accidentally in scope because a directory role was added to one after the exclusion list was configured — re-verify exclusions any time role assignments change.
  • Named location misconfiguration if you later add trusted IP conditions — a misdefined CIDR range can block an entire office rather than exempt it.
  • Policy name collisions from previous rollout attempts leaving orphaned Report-only policies that confuse audit reviews — clean up duplicates after each stage.
  • Scope creep during pilot, where additional roles or groups get added to the pilot policy informally without updating the change record, making the eventual full-enforcement evidence set inconsistent with what was actually tested.
  • Delayed sync between on-premises role changes and Entra, which can make an account appear excluded in Entra when its underlying AD group membership has already changed — always verify directly in the Entra admin center, not in on-prem tooling.

#Change control notes

Treat this rollout as a standard change with a documented back-out plan, not an emergency change executed under time pressure, even though the underlying risk being addressed — unprotected privileged accounts — can feel urgent. The five-day Report-only window and the 24-48 hour pilot window are not arbitrary; they are long enough to capture weekly and daily batch cycles that a same-day change would miss entirely. If leadership pushes to compress the timeline, the acceptable trade is not skipping Report-only mode — it is watching the sign-in logs more frequently during a shorter window and being explicit in the change record about the reduced coverage. Every stage described above — break-glass verification, Report-only validation, pilot enforcement, full enforcement, and rollback if needed — should leave a timestamped artefact in the change record: a screenshot, a log export, or a written confirmation. Two years from now, when someone asks why this policy exists and how it was tested, that trail is the answer.

Conditional Access rollout failures are almost always process failures, not technical ones — the policy engine behaves predictably once you understand it. Report-only mode, staged pilot groups, and verified break-glass access are what separate a routine security improvement from an incident bridge call. The technical steps in this tutorial are straightforward enough that a confident administrator could complete them in an afternoon; the discipline of waiting five business days for Report-only evidence, notifying a small pilot group before touching production, and writing down every verification step is what actually prevents the Friday afternoon lockout that prompted this project in the first place. Treat every enforcement change as a two-way door: know exactly how you will reverse it before you turn it on, keep the break-glass accounts tested and current, and you will rarely need to use them.

Advanced suggested reading

Ready to go deeper?

These articles come from KBY’s senior engineering editorial. Expect denser architecture, fewer introductory explanations and deeper production trade-offs.

Leaving Graduate Track
Reader Interaction

Comments

Add a thoughtful note on Deploying Entra ID Conditional Access Without Locking Everyone Out. Comments are checked for spam and held for moderation before appearing.

Loading comments...

Loading anti-spam check...

Graduate Track editor

Jonah Blake, Graduate Track editor

Jonah Blake

Part of KBY Technologies’ dedicated early-career editorial team, focused on practical enterprise execution and production-safe engineering habits.

Continue the track

Related Graduate tutorials

View learning path