Conditional access with Multifactor authentication (MFA)

Microsoft Entra Conditional Access brings signals together to make decisions and enforce security policies. Multifactor authentication (MFA) protects customers' identities by prompting them for a second verification method. In this demo, a Conditional Access policy targeted at all users prompts for MFA when the sign-in risk level is medium or high.

Prerequisites

Before you start, make sure you have completed the following:
  1. Create a tenant and add admin accounts
  2. Register a web application
  3. Create a user flow

Start by creating a Conditional Access policy to secure the application. Sign in to the Microsoft Entra admin center and browse to Protection > Conditional Access. Then, select New policy.

Give your policy a Name, for example sign-in risk.

Under Assignments, select the link under Users. Then, on the Include tab, select All users. On the Exclude tab, you can select users and groups for your organization's emergency access or break-glass accounts.

Under Assignments, select Target resources. Then, on the Include tab, choose the Select apps option and select the Select link. Find your app, select it, and then choose Select.

Under Conditions, select the link under Sign-in risk. Then, under Configure, select Yes and select the High and Medium checkboxes.

Under Access controls > Grant, select Grant access. Then select Require multifactor authentication. With this grant type, users must complete an additional verification step, such as email, phone call, or text message.

Confirm your settings and set Enable policy to On. Select Create to create your policy.

Create the Conditional Access policy with Microsoft Graph

The following example creates the same Conditional Access policy through the Microsoft Graph API. This policy targets risky sign-ins (medium or high sign-in risk) for all users, excluding the tenant's Global Administrator role so that an administrator cannot be locked out. In the JSON below, replace {web-or-mobile-app-ID} with the application (client) ID of your web or mobile application (the App ID, not the object ID). You can add more applications to the includeApplications array. Note that the policy is created with "state": "disabled"; set the state to "enabled" once you have reviewed it.

POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
{
    "templateId": null,
    "displayName": "Woodgrove demo - sign in risk",
    "state": "disabled",
    "sessionControls": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [
            "high",
            "medium"
        ],
        "clientAppTypes": [
            "all"
        ],
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "applications": {
            "includeApplications": [
                "{web-or-mobile-app-ID}"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null
        },
        "users": {
            "includeUsers": [
                "All"
            ],
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": [
                "62e90394-69f5-4237-9190-012177145e10"
            ],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
    }
}
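The portal steps above and the Graph request body both describe the same policy object. The following Python helper, added here as an illustration and not part of the Woodgrove demo or Microsoft's own code, builds that request body from a few inputs and then reviews it for the mistakes a practitioner most often makes before enabling such a policy: leaving the {web-or-mobile-app-ID} placeholder in place, targeting All users with no break-glass exclusion, forgetting the MFA grant control, or leaving the policy disabled. The function and constant names (build_sign_in_risk_policy, review_policy, post_policy, GRAPH_CA_POLICIES) are assumptions made for this example; the Global Administrator role template ID it excludes by default is the well-known Microsoft Entra value, and the app ID used in the sample run is a constructed placeholder.

```python
"""Build and sanity-check a sign-in-risk Conditional Access policy before it is
POSTed to Microsoft Graph. Hypothetical helper written for this page; it is not
Microsoft's or the Woodgrove demo's own code."""
import json
import re
import urllib.request

# Endpoint used by the page's example request.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Well-known Microsoft Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Values accepted by conditions.signInRiskLevels.
VALID_RISK_LEVELS = {"low", "medium", "high", "hidden", "none"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def build_sign_in_risk_policy(app_ids, display_name="Woodgrove demo - sign in risk",
                              risk_levels=("high", "medium"),
                              exclude_role_ids=(GLOBAL_ADMIN_ROLE_TEMPLATE_ID,),
                              exclude_user_ids=(), state="disabled"):
    """Return the Graph request body for a policy that requires MFA when the
    sign-in risk is one of risk_levels, for all users of the listed apps."""
    bad = set(risk_levels) - VALID_RISK_LEVELS
    if bad:
        raise ValueError(f"unknown sign-in risk level(s): {sorted(bad)}")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "signInRiskLevels": list(risk_levels),
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": list(app_ids)},
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(exclude_user_ids),   # break-glass accounts
                "excludeRoles": list(exclude_role_ids),   # e.g. Global Administrator
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def review_policy(policy):
    """Return the findings a reviewer would raise before enabling the policy.
    An empty list means the policy matches the demo's intent."""
    findings = []
    conditions = policy.get("conditions", {})
    apps = conditions.get("applications", {}).get("includeApplications", [])
    users = conditions.get("users", {})
    grant = policy.get("grantControls") or {}

    if not apps:
        findings.append("no target application: policy would never apply")
    for app in apps:
        if app not in ("All", "None") and not GUID_RE.match(app):
            findings.append(f"includeApplications contains a placeholder, not an app ID: {app}")
    if not conditions.get("signInRiskLevels"):
        findings.append("no sign-in risk level selected: policy would apply to every sign-in")
    excluded = users.get("excludeUsers") or users.get("excludeRoles") or users.get("excludeGroups")
    if users.get("includeUsers") == ["All"] and not excluded:
        findings.append("All users targeted with no break-glass exclusion: risk of admin lockout")
    if "mfa" not in grant.get("builtInControls", []):
        findings.append("grant controls do not require MFA")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: policy is not enforced yet")
    return findings


def post_policy(access_token, policy):
    """POST the body to Graph; the token needs Policy.ReadWrite.ConditionalAccess.
    Not executed in this example, shown only for completeness."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: the page's placeholder left in place, as a reviewer should catch.
    draft = build_sign_in_risk_policy(["{web-or-mobile-app-ID}"])
    print(json.dumps(draft, indent=2))
    for finding in review_policy(draft):
        print("finding:", finding)
```

Run it as-is and review_policy reports the unreplaced placeholder and the disabled state; pass a real app ID and state="enabled" and it returns no findings, while removing the role exclusion produces the lockout warning. The review step is deliberately run before post_policy, because a policy that targets All users with no exclusion takes effect for the administrator creating it as well.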