Session
Hidden gems in Entra Conditional Access and design patterns that scale
Most Microsoft Entra ID Conditional Access deployments stop at enforcing MFA and requiring a compliant device. That's where the real risk begins, not where it ends.
In this session, I'll take you beyond the basics into the Conditional Access controls that actually change your security posture. We'll dig into capabilities that most teams either don't know exist or haven't configured correctly, including authentication strengths, authentication contexts, device filters, Continuous Access Evaluation, session controls, token protection, and policies for workload identities and service principals. These are areas that are often ignored but heavily targeted.
I'll also show you settings that are hiding in plain sight: controls buried in the Conditional Access UI that give you a far higher level of granularity and stronger security than some of the more commonly used built-in options. We'll walk through how to ensure the strongest authentication methods are applied consistently, aligning every policy decision with zero trust principles across the board.
Beyond individual settings, this session tackles a problem almost every environment eventually hits: policy sprawl. Many Conditional Access deployments start strong and then collapse under their own complexity. Duplicate policies, conflicting conditions, and unclear naming turn what should be a security asset into an operational liability. I'll share scalable design patterns for structuring policies so they remain clear, maintainable, and auditable as your environment grows. You'll see real examples of sprawl and exactly how to consolidate it.
We'll also cover the tools and techniques for getting real insight into how your policies are actually behaving, not just how you think they're behaving. And we'll talk about the scenarios no one plans for, like locking out your own global admins, and how to build resilient break-glass access strategies so that never becomes a crisis.
Everything in this session comes from production. Policies that caused outages, designs that didn't scale, and lessons learned the hard way.
Ewelina Paczkowska
Microsoft Security MVP | Data Security & Governance Lead at Threatscape
Dublin, Ireland