Important! This blog post has been deprecated and replaced by this blog post.

I’ve been spending the last couple of weeks in my family’s off-grid cabin with no running water and no electricity. It’s a primitive lifestyle and, ironically enough, that’s where I go to recharge my batteries. Now I’m online once again and ready for a new year of exciting Microsoft cloud adventures.
During my summer vacation I’ve gotten a lot of requests for an Excel version of my Conditional Access policy design baseline. The baseline is in version five and it has protected tens of thousands of users for the last two years. Conditional Access strategies have been one of my primary focus areas, and more and more customers are looking into zero trust as their next step on the security journey.
See my original post from 2018
Feel free to implement this baseline if you find it valuable. Also, feel free to use the Excel spreadsheet as a template for your own design. I’ll make sure to PM anyone who expressed their interest in the Excel version.
Download the Excel version here!
Please follow me here, on LinkedIn and on Twitter!
Hi Daniel, thanks for sharing this! How do you manage the Hybrid AD device group for Intune enrollment? I mean, do you have some kind of dynamic group, or must you put every managed computer in this group? I’m asking you this because of the configuration: “Grants access to managed Windows devices that are Hybrid Azure AD Joined (joined to on-prem AD and Azure AD).”
Hi! No group is used for this. Conditional Access detects a Windows 10 device that’s using a modern authentication client in the policy you mentioned. If those conditions are met, Hybrid Azure AD Join is required or the authentication is blocked. The policy is applied to all users so no one slips by.
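The policy described in the reply above, expressed as a Microsoft Graph PowerShell SDK call (an added example, not the author’s baseline or spreadsheet; the display name and the report-only starting state are assumptions):

```powershell
# Added example, not from the original post: recreates the policy the author
# describes (all users, Windows platform, modern authentication clients,
# grant only when the device is Hybrid Azure AD Joined) with the
# Microsoft.Graph PowerShell SDK. Display name and initial state are assumed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA - Require Hybrid Azure AD Join for Windows"   # assumed name
    # Start in report-only so sign-in logs show who would be blocked;
    # switch to "enabled" once the impact has been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }               # applied to all users, no device group needed
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows") }       # only Windows devices are evaluated
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients") # modern authentication clients
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("domainJoinedDevice")                   # Hybrid Azure AD Joined required; otherwise access is denied once enforced
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what was stored before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Because the device platform and client app type are evaluated per sign-in, no static or dynamic device group has to be maintained for this policy.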