https://7f57629a.jeremiahwindle.pages.dev/tags/mfa/Recent content in Mfa on Jeremiah WindleHugoen-usSat, 28 Feb 2026 00:00:00 +0000https://7f57629a.jeremiahwindle.pages.dev/blog/conditional-access-policies/Sat, 28 Feb 2026 00:00:00 +0000https://7f57629a.jeremiahwindle.pages.dev/blog/conditional-access-policies/Conditional Access is one of those features where the gap between “we have it enabled” and “we have it configured correctly” is wide enough that attackers drive through it regularly. I’ve managed CA policies across 100+ organizations at two MSPs. Here’s the framework I’ve landed on. The Foundation: What CA Actually Is Conditional Access is Entra ID’s policy engine. Every sign-in attempt hits it, and the policy evaluates conditions — who is signing in, from where, on what device, to what application — and makes a decision: allow, block, or allow with requirements (MFA, compliant device, etc.