IT KORR Knowledge Center
Conditional Access Planning Workbook
A multi-phase rollout workbook for planning a Conditional Access implementation from baseline to advanced policy sets.
How to Use This Workbook
Unlike the per-policy Conditional Access Policy Worksheet, this workbook plans the overall rollout sequence across phases. Use it alongside the Conditional Access Planner tool, which generates the specific policy recommendations this workbook helps you sequence.
Phase 1 — Baseline (Target: Weeks 1-2)
- Policies: MFA for all users, block legacy authentication, break-glass exclusion.
- Stakeholders to involve: IT/security lead, at least one additional administrator for break-glass setup.
- Success criteria: Report-only testing shows no unexpected impact; policies enforced.
Phase 2 — Device & Risk (Target: Weeks 3-5)
- Policies: compliant device for sensitive apps, sign-in risk response, location-based blocking.
- Prerequisite: device enrollment/compliance coverage confirmed broad enough via Report-only logs.
- Success criteria: pilot group shows no unexpected lockouts before tenant-wide enforcement.
Phase 3 — Privileged Roles (Target: Weeks 6-7)
- Policies: phishing-resistant MFA for admins, shorter session timeout for sensitive apps.
- Prerequisite: phishing-resistant MFA methods (hardware key/passkey) provisioned for administrative accounts.
- Success criteria: all administrative accounts migrated and confirmed functioning under the new policy.
Ongoing — Review Cadence
- Review all active policies at least annually, or after any significant tenant change.
- Re-test any modified policy in Report-only mode before re-enforcing.
Related Resources
- Conditional Access Planner — /tools/conditional-access-planner
- Download: Conditional Access Policy Worksheet — /knowledge-center/cybersecurity/identity-access-management/downloads/conditional-access-policy-worksheet