How to Deploy Zero Trust in minutes
Deploy 14 Entra ID Conditional Access Policies in minutes to enable your Zero Trust security strategy
Microsoft 365 and Office 365 advanced deployment guides help you set up and deploy your tenant, apps, and services. They include best practices, security features, collaboration tools, and scripts for faster deployment.
You can access these guides in the Microsoft 365 admin center (requires admin access) or the Microsoft 365 Setup portal (open to everyone).
A new advanced deployment guide appeared in the Microsoft 365 admin center in March 2025. You can read Microsoft's announcement blog post: NEW Microsoft Entra advanced deployment guide: Deploy Conditional Access Policy templates. This guide is not in the Setup portal that is open to everyone; you have to authenticate to your tenant to see it.

How to get to this guide
To access advanced deployment guides in the Microsoft 365 admin center, you need an admin role like Global Reader. Only those with the Global Administrator role can use the guides to modify tenant settings.

- In the Microsoft 365 admin center, go to the Home page.
- Find the Training, guides & assistance card and select Advanced deployment guides & assistance.
- If you don’t see that card, access the page directly at https://aka.ms/advanceddeploymentguides.
- From the list of guide types on the left, select All guides.
- Then select Deploy Conditional Access (CA) Policies.
- Click Get started.

When you click Get started, the guide runs some checks on your tenant for available licenses (Entra ID P1 or P2) to make sure you can deploy Conditional Access policies. It also checks whether Security Defaults is enabled on the tenant, because new tenants have Security Defaults enabled by… default, even if you have Entra ID P1 licenses. Entra ID P2 licenses are required for the risk-based policies to show up in the guide.
The guide then makes some suggestions such as creating emergency break-glass accounts to exclude from the CA policies created.

If your tenant has Security Defaults disabled and your emergency break-glass accounts are ready, you can continue. The account you are using to access this guide is automatically excluded from all the resulting CA policies.

When you create a Conditional Access policy using a template, only the user who creates the policy is excluded by default. If you need to exclude additional users or groups, you can easily adjust the policy after it’s been created. To do this, head to the Microsoft Entra admin center > Protection > Conditional Access > Policies, select the relevant policy, and update the exclusions to suit your needs.
Deploy Zero Trust templates
Now to the awesome part, deploying 14 CA policies using the advanced deployment guide.
From the Deploy Conditional Access (CA) Policy templates guide, you can select from 5 template categories. These are the same template categories that exist in Conditional Access > Create new policy from templates. We are going to choose the Zero Trust (Recommended) category:

You can review the policies available in this category in the guide; they are also all listed at https://learn.microsoft.com/en-US/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=zero-trust#template-categories
Next you select the policies to deploy and set each one's state to On, Report-only, or Off. I suggest scrolling to the bottom of the list and selecting each one from the bottom up, because as soon as you select one, the item expands, which is jarring on the eyes and means you have to scroll to select the next one. It’s a UI thing that I hate.

Select all the policies (or the ones you want to deploy) first, then go from top to bottom and set their state (On, Report-only or Off). By default, each policy is created in report-only mode; it’s recommended you test and monitor before turning on each policy.
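Monitoring report-only policies means reading the sign-in log, where each sign-in records every Conditional Access policy evaluated against it and the outcome per policy. The script below is an added example, not part of the original post or of the deployment guide: it uses the Microsoft Graph PowerShell SDK (assumed installed) to pull the last seven days of sign-ins (the window is an assumption) and count the report-only outcomes per policy, so you can see which users a policy would have blocked before you switch it to On.

```powershell
# Added example (not from the original post): summarise report-only Conditional Access
# outcomes from the Entra ID sign-in log before turning a policy On.
# Assumes the Microsoft.Graph SDK (Install-Module Microsoft.Graph) and an account that can
# read sign-in logs. The 7-day look-back window is an assumption; adjust as needed.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# AppliedConditionalAccessPolicies lists every policy evaluated for the sign-in.
# Report-only policies produce reportOnlySuccess / reportOnlyFailure / reportOnlyInterrupted /
# reportOnlyNotApplied instead of enforcing a result.
$rows = foreach ($s in $signIns) {
    foreach ($pol in $s.AppliedConditionalAccessPolicies) {
        if ($pol.Result -like 'reportOnly*') {
            [pscustomobject]@{
                Policy = $pol.DisplayName
                Result = $pol.Result
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
            }
        }
    }
}

# Per-policy / per-result counts. A high reportOnlyFailure count means that enabling the
# policy as-is would block those sign-ins.
$rows | Group-Object Policy, Result | Sort-Object Name |
    Select-Object @{ n = 'Policy / Result'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Drill into the would-be failures so the affected users and apps can be reviewed
# (legitimate exclusions, missing MFA registration, legacy clients) before enforcement.
$rows | Where-Object Result -eq 'reportOnlyFailure' |
    Group-Object Policy | ForEach-Object {
        '{0}: {1} would-be failures; users: {2}; apps: {3}' -f $_.Name, $_.Count,
            (($_.Group.User | Sort-Object -Unique) -join ', '),
            (($_.Group.App  | Sort-Object -Unique) -join ', ')
    }
```

Run it again after each change to the policy or to user MFA registration; once the reportOnlyFailure count for a policy drops to only the accounts you expect, that policy is a candidate for switching to On.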

Something this deployment (and creating a new policy from a template) is missing is the ability to use the Microsoft recommended naming standard for Conditional Access policies, as documented at Plan a Microsoft Entra Conditional Access deployment – Microsoft Entra ID | Microsoft Learn.
Next you choose your authentication methods (for the MFA policies). The ones greyed out are already enabled in Authentication Methods, but you can enable more methods if you haven’t already; the guide walks you through that process too.

Next, is a review of what you have chosen, and there is an option to edit your choices if you change your mind.

After 10 seconds (I timed it), you get the confirmation of what was configured:

You can even send an email announcement to your organization from this page:

And that is it, policies deployed:

I did pick up a duplicate Require multifactor authentication for all users policy.
In Authentication Methods, third-party OATH tokens were enabled for my tenant too.
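Two things worth checking right after the guide finishes are the exclusions described earlier (the guide only excludes the account that ran it, not your break-glass accounts) and duplicate policies like the one found above. The script below is an added example, not from the original post or the deployment guide: it uses the Microsoft Graph PowerShell SDK (assumed installed) to confirm Security Defaults is off, list every Conditional Access policy with its state and exclusions, flag duplicate display names, and flag policies that do not exclude your break-glass group. The group object id is a placeholder you must replace.

```powershell
# Added example (not from the original post): post-deployment audit of Conditional Access
# policies. Assumes the Microsoft.Graph SDK (Install-Module Microsoft.Graph) and an account
# that can read policies. The break-glass group id below is a placeholder (assumption).

$BreakGlassGroupId = '<object-id-of-your-break-glass-group>'   # placeholder, replace

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# 1. Security Defaults must be off for Conditional Access policies to apply.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning 'Security Defaults is still enabled; disable it before relying on CA policies.'
}

# 2. Inventory every policy: state and who is excluded.
#    State values: enabled, disabled, enabledForReportingButNotEnforced (report-only).
$policies = Get-MgIdentityConditionalAccessPolicy -All
$report = foreach ($p in $policies) {
    [pscustomobject]@{
        DisplayName       = $p.DisplayName
        State             = $p.State
        ExcludedUsers     = ($p.Conditions.Users.ExcludeUsers  -join ',')
        ExcludedGroups    = ($p.Conditions.Users.ExcludeGroups -join ',')
        HasBreakGlassExcl = ($p.Conditions.Users.ExcludeGroups -contains $BreakGlassGroupId)
    }
}
$report | Sort-Object DisplayName | Format-Table -AutoSize

# 3. Duplicate display names (the guide run above produced two copies of one MFA policy).
$policies | Group-Object DisplayName | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate policy name '{0}' ({1} copies), ids: {2}" -f
        $_.Name, $_.Count, ($_.Group.Id -join ', '))
}

# 4. Policies that would also lock out the break-glass accounts if they misfire.
$report | Where-Object { -not $_.HasBreakGlassExcl } | ForEach-Object {
    Write-Warning ("Policy '{0}' does not exclude the break-glass group." -f $_.DisplayName)
}
```

The script is read-only on purpose: fix the exclusions and delete the duplicate in the Entra admin center (Protection > Conditional Access > Policies) as described earlier, then re-run it to confirm every policy shows HasBreakGlassExcl as True and no duplicate warnings remain.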

If you want to run the wizard again, simply access it from this link:
Two ZT policies I noticed are missing, which I thought would be in here, are Require MFA for device registration – Microsoft Entra ID | Microsoft Learn and Block authentication flows with Conditional Access policy – Microsoft Entra ID | Microsoft Learn.