Over the past few years, I’ve been maintaining a Conditional Access baseline that organizations can use as a starting point when implementing or reviewing their own Conditional Access policies in Microsoft Entra ID. The latest version, v2025-10 (October 2025), is now available on GitHub:
👉 https://github.com/kennethvs/cabaseline202510
This baseline contains a collection of policies that together form a strong security foundation for protecting access to Microsoft 365 and Azure resources. Each policy is structured according to a layered security model, covering both user- and device-based conditions, while taking modern authentication methods and best practices into account.
About the Conditional Access baseline
The baseline serves as a reference implementation and can be used to:
- Compare your current Conditional Access configuration against a best-practice baseline.
- Understand how specific policy combinations contribute to layered protection.
- Accelerate deployment of standardized Conditional Access frameworks across tenants.
All policies in this version were exported using the Intune Management tool created by Mikael Karlsson, and the included PDF overview was generated using the Conditional Access Documenter by Merill Fernando.
Relation to the Conditional Access Demystified whitepaper
Back in December 2022, I published the Conditional Access Demystified whitepaper and workflow cheat sheet, which explained the logic and dependencies between Conditional Access policies in detail:
📘 https://www.vansurksum.com/2022/12/15/december-2022-update-of-the-conditional-access-demystified-whitepaper-and-workflow-cheat-sheet/
While I no longer update the whitepaper itself due to time constraints, the baseline repository is kept current to reflect the latest Microsoft Entra features, recommendations, and lessons learned from real-world deployments.
Repository contents
The GitHub repository includes:
- ✅ The Conditional Access baseline JSON export (v2025-10)
- 🧾 A PDF report generated via Merill’s Conditional Access Documenter
- 🧰 A reference to the export tooling used (Mikael Karlsson’s Intune Management scripts)
- 🗓️ Version history for tracking updates and changes across releases
You can find the latest release here:
🔗 https://github.com/kennethvs/cabaseline202510
Summary
Maintaining a well-structured Conditional Access baseline remains one of the most effective ways to secure Microsoft 365 environments while keeping operations consistent across tenants. I will continue to keep this baseline updated to reflect the evolving Entra Conditional Access landscape and practical field insights.
If you are implementing Conditional Access in your own environment, I encourage you to review the baseline, compare it with your configuration, and adapt it to your specific security and compliance requirements.
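One way to carry out the comparison mentioned above and under "About the Conditional Access baseline", as an added example that is not part of the baseline repository or of the tools named in this post: the Python below matches policies by `displayName` and reports missing policies and per-setting drift. It assumes both exports use the Microsoft Graph `conditionalAccessPolicy` JSON shape; the policy names, IDs and values in the sample data are constructed, not taken from the baseline.

```python
import json

# Top-level fields Graph assigns per tenant; they always differ between exports.
VOLATILE = {"id", "createdDateTime", "modifiedDateTime"}

def flatten(node, prefix=""):
    """Flatten a policy into {dotted.path: value}; empty lists and nulls are dropped."""
    out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(node, list):
        if node:  # list order (e.g. builtInControls) is not significant, so sort
            out[prefix] = tuple(sorted(v if isinstance(v, str) else json.dumps(v, sort_keys=True) for v in node))
    elif node is not None:
        out[prefix] = node
    return out

def compare(baseline, tenant):
    """Match policies by displayName; report missing policies and per-setting drift."""
    strip = lambda p: {k: v for k, v in p.items() if k not in VOLATILE}
    base = {p["displayName"]: flatten(strip(p)) for p in baseline}
    live = {p["displayName"]: flatten(strip(p)) for p in tenant}
    report = {"missing": sorted(base.keys() - live.keys()),
              "not_in_baseline": sorted(live.keys() - base.keys()), "drift": {}}
    for name in sorted(base.keys() & live.keys()):
        b, t = base[name], live[name]
        diffs = {path: (b.get(path), t.get(path))  # (baseline value, tenant value)
                 for path in sorted(b.keys() | t.keys()) if b.get(path) != t.get(path)}
        if diffs:
            report["drift"][name] = diffs
    return report

# Constructed sample data: names, IDs and values are illustrative, not from the baseline.
BASELINE = [
    {"id": "b-1", "displayName": "EX-MFA for admin roles", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["role-a", "role-b"], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "b-2", "displayName": "EX-Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
TENANT = [
    {"id": "t-9", "displayName": "EX-MFA for admin roles", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ["role-b", "role-a"], "excludeGroups": ["group-x"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
if __name__ == "__main__":
    print(compare(BASELINE, TENANT))
```

Drift on paths that hold group or user object IDs (for example `conditions.users.excludeGroups`) is expected between tenants and needs manual review, since those IDs are tenant-specific.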