A practical, deployable Zero Trust Conditional Access baseline.

Run the bootstrapper to install prerequisites, connect to Microsoft Graph, create named locations, deploy policies, and verify results:

```powershell
cd "C:\Path\To\Zero-Trust-Conditional-Access-Playbook"
pwsh -ExecutionPolicy Bypass -File ".\scripts\bootstrap.ps1"
```

This repository provides a policy-as-code implementation of Microsoft Entra Conditional Access aligned to Zero Trust principles.
It is designed to help organizations move from basic MFA enforcement to a layered Zero Trust access model.
Included in this repository:
- Conditional Access policy JSON definitions
- PowerShell deployment scripts
- Automated named location creation
- Testing and validation procedures
- A one-command bootstrap deployment method
Intended audience:
- Microsoft Entra administrators
- Identity and access engineers
- Security architects
- Microsoft 365 / Zero Trust practitioners
- Teams building a production-ready Conditional Access baseline
Repository layout:
- policies/ → Conditional Access policies (JSON + docs)
- scripts/ → Deployment, bootstrap, and automation
- docs/ → Validation and implementation guides
- images/ → Screenshots and diagrams

Baseline policies:

| Policy | Purpose |
|---|---|
| Require MFA | Enforce MFA across all users |
| Block Legacy Auth | Block basic authentication |
| Device Compliance | Require compliant devices |
| Admin Protection | Stronger controls for admins |
| Session Controls | Manage session lifetime |
| Location Policy | Restrict risky locations |

Risk-based policies:

| Policy | Purpose |
|---|---|
| User Risk Policy | Respond to compromised accounts |
| Sign-in Risk Policy | Respond to risky sign-ins |
Risk-based policies are not just configuration. They require investigation and response.

Where to investigate:
- Identity Protection → Risky users
- Identity Protection → Risk detections
- Monitoring → Sign-in logs

Remediation for user risk:
- Require password reset
- Require MFA
- Confirm or dismiss risk
Response for sign-in risk:
- Require MFA challenge
- Block high-risk attempts
- Investigate:
  - location anomalies
  - device context
  - sign-in patterns

Before enabling risk-based policies:
- Validate policies in report-only mode
- Ensure remediation workflows are understood
- Test with non-production users
- Confirm P2 licensing is available
See: docs/validation-playbook.md
Validation includes:
- Sign-in log analysis
- Risk simulation
- Report-only evaluation
- Enforcement readiness
Deployment checklist:
- Add break-glass account exclusions
- Test admin/service accounts
- Validate report-only results
- Confirm no lockout scenarios
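An added example, not one of the playbook's own scripts, that covers the "Validate report-only results" and "Confirm no lockout scenarios" steps: it reads a week of sign-in logs through the Microsoft Graph PowerShell SDK, counts report-only outcomes per policy, and flags any report-only block that would have hit a break-glass account. It assumes the Microsoft.Graph module is installed and the caller holds AuditLog.Read.All; the break-glass UPN is a placeholder.

```powershell
# Added example, not one of the playbook's own scripts: summarise report-only
# Conditional Access outcomes from the last 7 days of sign-in logs and flag any
# report-only failure that would have locked out a break-glass account.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account holds AuditLog.Read.All; the break-glass UPN below is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$breakGlass = @('breakglass-admin@contoso.example')   # placeholder, replace with your exclusions
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull sign-ins with their per-policy evaluation results
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Flatten to one row per (sign-in, policy); keep only report-only evaluations.
# Result values: reportOnlySuccess (would allow), reportOnlyFailure (would block),
# reportOnlyInterrupted (would require a control such as MFA), reportOnlyNotApplied.
$rows = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -like 'reportOnly*') {
            [pscustomobject]@{
                Policy = $p.DisplayName
                Result = $p.Result
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
            }
        }
    }
}

# Per-policy outcome counts: a policy with many reportOnlyFailure rows needs
# review before it moves from report-only to enabled.
$rows | Group-Object Policy, Result | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# Lockout check: any report-only block against a break-glass account means
# the exclusion is missing or wrong, so do not enable that policy yet.
$lockouts = $rows | Where-Object { $_.Result -eq 'reportOnlyFailure' -and $breakGlass -contains $_.User }
if ($lockouts) {
    Write-Warning "Break-glass account would be blocked by:"
    $lockouts | Select-Object Policy, User, App -Unique | Format-Table -AutoSize
} else {
    Write-Host "No report-only blocks against break-glass accounts."
}
```

On a busy tenant a seven-day pull can be large; narrow the `-Filter` (for example by `userPrincipalName`) when checking a single account.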
Zero Trust principles applied:
- Verify explicitly
- Use least privilege
- Assume breach
Example scenario: credential theft from an unmanaged device.
Without Conditional Access:
- attacker gains access
- session persists
- lateral movement begins
With this playbook:
- MFA enforced
- device blocked
- risk triggers session revoke
- session controls limit persistence
Project status:
- MVP Complete
- Bootstrap Automation Working
- Validation Ready
- Requires production hardening
Goal: provide a repeatable, auditable, and scalable Conditional Access deployment model.
Most environments enable MFA but still remain exposed.
This project focuses on closing those gaps by implementing layered Conditional Access controls aligned with Zero Trust.
Use only in authorized environments. No liability for misuse.
Not affiliated with Microsoft.
This is an independent project built in a personal capacity with no employer affiliation.

