IT KORR Knowledge Center
Conditional Access Policy Worksheet
A planning worksheet for designing Conditional Access policies before building them in the identity platform.
How to Use This Worksheet
Complete one row of this worksheet per planned policy before creating it in your identity platform. Planning the assignment, conditions, and grant controls on paper first surfaces policy conflicts and unintended scope before they reach production — see Microsoft Entra Conditional Access: A Practical Guide for the full policy-design walkthrough.
Per-Policy Planning Fields
- Policy name and stated intent (why this policy exists, in one sentence).
- Assignment — which users/groups and which applications.
- Conditions — sign-in risk, device platform, location, client app type.
- Grant control — MFA required, compliant device required, or block.
- Session controls, if any — sign-in frequency, app-enforced restrictions.
- Report-only test period start/end date and reviewer.
- Enforcement date, and rollback plan if unintended impact is found.
Baseline Policy Set to Plan First
- Require MFA for all users, all cloud apps.
- Block legacy authentication protocols.
- Require compliant or hybrid-joined device for sensitive applications.
- Require stronger (phishing-resistant) authentication for administrative roles.
- Break-glass accounts explicitly excluded from all of the above.
Related Resources
- Microsoft Entra Conditional Access: A Practical Guide — /knowledge-center/cybersecurity/identity-access-management/conditional-access-guide
- Identity & MFA Readiness Assessment — /tools/identity-mfa-readiness-assessment