Ezras.Work

Implementing Conditional Access and MFA in Microsoft Entra (Artifact 2)

Introduction

For Artifact 2, I worked inside my Microsoft Entra ID E5 tenant to move from the broad, all‑or‑nothing protections of Security Defaults to a more flexible, policy‑driven access model using Conditional Access. The goal was to enforce MFA through policy, apply location‑based access controls, and design a break‑glass emergency access account. The screenshots included throughout this artifact document each configuration and validation step.

Confirming Tenant and Administrator Context

I began by confirming that I was working in the correct tenant and that my administrative account had the necessary privileges.
Screenshot reference: The tenant overview shows Ezras Work with my Global Administrator role active, validated through Privileged Identity Management.

This establishes the administrative context for all subsequent policy work.

Admin.Ezra Global Admin PIM Elevation

Disabling Security Defaults

Security Defaults were previously disabled in Artifact 1. This is required because Security Defaults enforce MFA and other protections in an all‑or‑nothing manner, preventing granular Conditional Access policies from taking effect.

Screenshot reference: The Security Defaults page shows the setting as Disabled, with the reason “My organization is planning to use Conditional Access.”

This confirms that the tenant is ready for policy‑based MFA enforcement.

Step 2 Security Defaults Off

CA01 – Require MFA for All Users

The first Conditional Access policy enforces MFA for all users in the tenant.

Configuration

Screenshot references:

Step 3.1 Policy Overview Page

Step 3.2 Grant Control Require MFA

Testing I signed in as a non‑admin test user (User.Charlie) in a private browser session.

Screenshot reference: The MFA prompt shows the Authenticator number‑matching challenge for user.charlie@ezraswork.onmicrosoft.com.

Step 3.3 User MFA Prompt

This confirms that CA01 successfully enforced MFA.

CA02 – Block Sign‑In From Non‑US Locations

The second policy demonstrates location‑based access control.

Named Location Creation I created a named location called US Only, configured using IP‑based country detection.

Screenshot reference: The Named Locations screen shows US Only with the United States selected.

Step 4.1 Named Locations

Policy Configuration

Screenshot references:

Step 4.2.1 Policy Overview Page with Locations

Step 4.2.2 Block All Not from US Locations

Testing To validate the policy, I connected to a VPN endpoint outside the United States.

Screenshot reference:

Step 4.2.3 Blocked Albania Access

This demonstrates that CA02 correctly blocks sign‑ins originating outside the allowed region.

Break‑Glass Emergency Access Account

A break‑glass account ensures that administrators can still access the tenant even if Conditional Access or MFA becomes overly restrictive. In real environments, these accounts are intentionally difficult to identify — they typically do not use obvious usernames like “breakglass” or “emergencyadmin.” Instead, they follow naming conventions that blend into the directory to avoid becoming easy targets during reconnaissance.

Creation and Role Assignment I created BreakGlass@EzrasWork.onmicrosoft.com and assigned it the Global Administrator role.
Screenshot reference: Assigned roles screen showing BreakGlass with an active Global Administrator assignment.

Step 5.2 Break-Glass User Role

Excluding Break‑Glass From All CA Policies I excluded the BreakGlass account from CA01, CA02, and the legacy authentication block policy.
Screenshot references: Exclusion lists for each policy showing BreakGlass and my primary admin account.

Step 5.3.1 Break-Glass Block Legacy Authentication Exclusion

Step 5.3.2 Break-Glass Non-US Locations Exclusion

![Step 5.3.3 Break-Glass MFA Requirement Exclusion](assets/artifact2/Step_5.3.3_BreakGlass_MFA_Requirement_Exclusion.png

Break‑Glass Monitoring In a production environment, any sign‑in from a break‑glass account is treated as a high‑severity security event. These accounts should never be used during normal operations, so a successful sign‑in typically indicates:

For that reason, organizations configure real‑time sign‑in alerts for break‑glass accounts. These alerts notify Global Administrators or the security team immediately whenever the account is used. This monitoring acts as a compensating control for the fact that break‑glass accounts bypass MFA and Conditional Access.

Why Most Users Cannot Identify Break‑Glass or Privileged Accounts In enterprise environments, only users with the correct directory roles (such as Global Administrator, Privileged Role Administrator, or specific read‑only directory roles) can filter or enumerate accounts by role. Standard users — even those with elevated access in other systems — cannot list privileged identities or narrow down accounts by role assignment.

This prevents internal reconnaissance and reduces the risk that someone could identify or target emergency access accounts. I’ve seen this firsthand in a real corporate environment: without the proper directory role, you simply cannot filter users by “Global Administrator” or “Privileged Role” to discover who holds elevated access.

Validation I tested the break‑glass account by signing in from a VPN endpoint outside the US.
Screenshot references:

Step 5.4.1 Break-Glass Sign-in From Austria

Step 5.4.2 Break-Glass Sign-in From Austria Logs

This confirms that the break‑glass account bypasses all Conditional Access policies and remains available for emergency use.

Takeaways

This artifact demonstrates the core responsibilities of an IAM analyst:

By replacing Security Defaults with granular Conditional Access policies, enforcing MFA, restricting access based on location, and validating a break‑glass account, I built a secure and recoverable identity foundation inside my Entra tenant.