Apply Conditional Access policies to the Microsoft traffic profile

With a dedicated traffic forwarding profile for your Microsoft traffic, you can apply Conditional Access policies to Microsoft traffic. With Conditional Access, you can require multifactor authentication and device compliance for accessing Microsoft resources.

This article describes how to apply Conditional Access policies to your Microsoft traffic forwarding profile.

Prerequisites

Create a Conditional Access policy targeting the Microsoft traffic profile

The following example policy targets all users except for your break-glass accounts and guest/external users, requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device when accessing Microsoft traffic.

Screenshot showing a Conditional Access policy targeting a traffic profile.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Identity > Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts.
      2. Select Guest or external users and select all checkboxes.
  6. Under Target resources > Global Secure Access.
    1. Choose Microsoft traffic.
  7. Under Access controls > Grant.
    1. Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device.
    2. For multiple controls, select Require one of the selected controls.
    3. Select Select.

After administrators confirm the policy settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.
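Before moving the toggle to On, the exported policy can be checked against the steps above. The following is an added example, not Microsoft's code: it assumes the policy JSON follows the Microsoft Graph `conditionalAccessPolicy` resource, uses a constructed sample policy and a placeholder break-glass object ID, and does not check the Microsoft traffic target because this article does not give its API representation.

```python
import json

# Graph guest/external user types; "select all checkboxes" in step 5 means all six.
ALL_GUEST_TYPES = {"internalGuest", "b2bCollaborationGuest", "b2bCollaborationMember",
                   "b2bDirectConnectUser", "otherExternalUser", "serviceProvider"}
# Graph names for MFA, compliant device, and Microsoft Entra hybrid joined device.
REQUIRED_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice"}

def review_policy(policy, break_glass_ids):
    """Return findings where the policy departs from the steps; [] means it matches."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    if "All" not in users.get("includeUsers", []):
        findings.append("include is not All users")
    # Break-glass accounts may be excluded directly or through an excluded group.
    excluded = set(users.get("excludeUsers", [])) | set(users.get("excludeGroups", []))
    for missing in sorted(set(break_glass_ids) - excluded):
        findings.append(f"break-glass object {missing} is not excluded (lockout risk)")
    guests = users.get("excludeGuestsOrExternalUsers") or {}
    types = set(filter(None, (guests.get("guestOrExternalUserTypes") or "").split(",")))
    if ALL_GUEST_TYPES - types:
        findings.append("guest/external exclusion missing: "
                        + ",".join(sorted(ALL_GUEST_TYPES - types)))
    if set(grant.get("builtInControls", [])) != REQUIRED_CONTROLS:
        findings.append("grant controls differ from mfa/compliantDevice/domainJoinedDevice")
    if grant.get("operator") != "OR":
        findings.append("operator is not OR (Require one of the selected controls)")
    if policy.get("state") == "enabled" and findings:
        findings.append("policy is enforced (On) while findings are open")
    return findings

# Constructed sample: a policy built per the steps, still in report-only mode.
BREAK_GLASS = ["00000000-0000-0000-0000-0000000000b1"]  # placeholder object ID
GOOD = json.loads("""{
  "displayName": "CA-Microsoft-traffic (constructed sample)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {
    "includeUsers": ["All"],
    "excludeUsers": ["00000000-0000-0000-0000-0000000000b1"],
    "excludeGuestsOrExternalUsers": {"guestOrExternalUserTypes":
      "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"}}},
  "grantControls": {"operator": "OR",
    "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"]}
}""")

if __name__ == "__main__":
    print(review_policy(GOOD, BREAK_GLASS) or "matches the documented steps")
```

Pass the object IDs of your emergency access accounts, or of the group that contains them, as `break_glass_ids`.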

User exclusions

Conditional Access policies are powerful tools. We recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario all administrators are locked out, your emergency-access administrative account can be used to log in and take steps to recover access.
  • Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

Next steps

The next step for getting started with Microsoft Entra Internet Access is to review the Global Secure Access logs.

For more information about traffic forwarding, see the following articles: