📱 Blog Post · Microsoft Intune

Configure Conditional Access and Multi-Factor Authentication for Microsoft Teams

Step-by-step guide to enforcing MFA on Microsoft Teams using Microsoft Entra ID Conditional Access — scoped to a security group with flexible conditions for unmanaged devices and external locations.

📅 May 15, 2025
Before You Start
Prerequisites
Required Roles & Licences
🔹 Global Administrator or Conditional Access Administrator role in Microsoft Entra ID
🔹 Microsoft Entra ID P1 or higher licence assigned to all affected users
🔹 This guide uses Operations users who are members of an Ops Security Group as its example
Step 1
Sign in to the Admin Portal
Access Microsoft Entra Admin Center
🔸 Sign in to the Microsoft Entra admin center at entra.microsoft.com
🔸 From the left navigation pane, select All services
🔸 Search for and open Conditional Access
Step 2
Create a New Conditional Access Policy
Create the Policy
🔸 Go to Policies
🔸 Select + New policy → Create new policy
🔸 Enter a descriptive policy name, for example:
Ops_ConditionalAccess_Teams_MFA
Step 3
Assign Users and Groups
Target the Ops Security Group
🔸 Under Assignments, select Users or workload identities
🔸 Choose Select users and groups
🔸 Select the Ops Security Group (or your equivalent security group)
Best Practice: Avoid assigning Conditional Access policies directly to individual users. Always use security groups for easier management, scalability, and clear auditing.
Step 4
Select Cloud App — Microsoft Teams
Scope the Policy to Teams Only
🔸 Under Cloud apps or actions, select Select apps
🔸 Search for and choose Microsoft Teams
Step 5
Configure Conditions (Optional but Recommended)
Tailor the Policy to Your Security Requirements
🔹 Under Conditions, configure based on your organisation's security needs:

🔸 Sign-in risk level — Low / Medium / High
🔸 Device platforms — Windows, Android, iOS, macOS
🔸 Locations — Trusted vs untrusted IPs
🔸 Client apps — Browser, Mobile apps, Desktop apps
🔸 Device state — Hybrid joined / Compliant devices
Example: Require MFA only when Ops users access Microsoft Teams from unmanaged devices or from outside corporate locations. This keeps the experience seamless on trusted devices while securing external access.
Step 6
Configure Access Controls — Grant
Require Multi-Factor Authentication
🔸 Open Grant
🔸 Select Grant access
🔸 Check Require multi-factor authentication
🔸 Click Select
Step 7
Configure Session Controls (Optional)
Fine-Tune Session Behaviour
1. Open Session
2. Configure options such as:

🔸 App enforced restrictions — prevent download/print on unmanaged devices
🔸 Sign-in frequency — force re-authentication after a set period
🔸 Persistent browser session — control whether sessions remain signed in after the browser closes
Step 8
Enable and Create the Policy
Activate the Conditional Access Policy
🔸 Set Enable policy to On
🔸 Click Create
Outcome
Result
Operations users will now be prompted for MFA when accessing Microsoft Teams, based on the conditions you configured.

✅ Improves security without impacting other applications — the policy is scoped exclusively to Microsoft Teams.
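
The check below is an added example, not part of the original post: a Python audit of a policy in the Microsoft Graph conditionalAccessPolicy JSON shape against Steps 3, 4, 6 and 8 of this guide. The sample policy is constructed and both GUIDs are placeholders; substitute your group's object ID and the Microsoft Teams application ID from your tenant.

```python
import json

# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape; the
# locations block mirrors the guide's "outside corporate locations" example.
OPS_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder group object ID
TEAMS_APP_ID = "00000000-0000-0000-0000-0000000000bb"  # placeholder Teams app ID

SAMPLE_POLICY = json.loads("""
{
  "displayName": "Ops_ConditionalAccess_Teams_MFA",
  "state": "enabled",
  "conditions": {
    "users": {"includeUsers": [], "includeGroups": ["00000000-0000-0000-0000-0000000000aa"]},
    "applications": {"includeApplications": ["00000000-0000-0000-0000-0000000000bb"]},
    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
}
""")

def audit_policy(policy, group_id, app_id):
    """Return a list of findings; an empty list means the policy matches the guide."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])

    if [u for u in users.get("includeUsers", []) if u != "None"]:
        findings.append("assigned via includeUsers; use a security group instead (Step 3)")
    if group_id not in users.get("includeGroups", []):
        findings.append("Ops security group is missing from includeGroups (Step 3)")
    if apps != [app_id]:
        findings.append("policy is not scoped to Microsoft Teams only (Step 4)")
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA (Step 6)")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("MFA is OR'ed with other controls, so another one can satisfy it (Step 6)")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; policy is not enforced (Step 8)")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, OPS_GROUP_ID, TEAMS_APP_ID) or ["OK"]:
        print(finding)
```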