Conditional Access Planner
Work through baseline, device-based, risk-based, and privileged-role questions to generate a prioritized, ready-to-build Conditional Access policy plan. No tenant access required.
Policy Planner
Work through each section at your own pace. Every question maps to a specific, ready-to-build policy recommendation. Results are shown immediately — no email required.
Identity & Access Tool
Conditional Access Planner
Work through baseline, device-based, risk-based, and privileged-role policy questions to generate a prioritized, ready-to-build Conditional Access policy plan — with the exact assignment, condition, and grant control for each recommended policy.
FAQ
Common Questions
Does this tool build the policies directly in our tenant?
No. This is a planning tool — it generates a specific, prioritized recommendation for each policy (assignment, condition, grant control) that you then build in your identity platform's admin console, testing each in Report-only mode first.
Do we need Conditional Access licensing to use the recommendations?
Conditional Access itself requires Entra ID P1 or higher. If you don't have that tier, several baseline recommendations (like blocking legacy authentication) can still be approximated through Security Defaults, though with less granular control.
Why does the plan emphasize Report-only mode so heavily?
The most common Conditional Access incident is an administrator enforcing a new tenant-wide policy that unexpectedly matches their own sign-in, locking themselves out. Every recommendation in this plan assumes Report-only testing first — see Microsoft Entra Conditional Access: A Practical Guide for the full reasoning.
In what order should we actually build these policies?
Baseline policies (MFA for all users, blocking legacy authentication, break-glass exclusion) should come first, since later, more targeted policies assume that foundation is already in place. The planner groups recommendations in this order for exactly that reason.
Related Identity & Access Guidance
The full implementation guide behind this planner.
Broader identity and authentication posture assessment across six areas.
Conditional Access policy design and implementation support.
Operational Support
Need help building and testing these policies?
IT KORR can design, build, and safely roll out your Conditional Access policy set — including Report-only testing, pilot groups, and break-glass account setup — without the risk of a self-inflicted tenant lockout.
No commitment required — we respond within one business day.