Expert Explains Conditional Access and Zero Trust Implementation in Microsoft Entra

At today's online summit hosted by RedmondMag, titled "Cloud Control: Securing Access and Identity in the Microsoft SaaS Stack," longtime Microsoft MVP and Principal Cloud Architect Joey D'Antoni explored how organizations can strengthen security using Conditional Access and Zero Trust within Microsoft Entra, the company's rebranded Azure Active Directory platform.

His session, "Mastering Identity and Access in Microsoft Entra," provided practical guidance on building a unified, modern identity strategy and avoiding common missteps. Luckily for those who couldn't attend virtually, it is being made available for on-demand replay thanks to the sponsor of the three-part summit, Veeam.

"You can lock yourself out of your Azure tenant with Conditional Access. Ask me how I know -- I've done it."

Joey D'Antoni, Principal Cloud Architect at 3Cloud

D'Antoni's session was too chock full of front-lines information to present in a single article here, but what follows is a taste of what he had to say about Conditional Access and Zero Trust in Entra.

Identity as the New Perimeter

The Evolving Identity Landscape (source: Joey D'Antoni).

D'Antoni began by outlining how enterprise identity has become the core of modern security strategy. With organizations now running hundreds of cloud apps and supporting hybrid workers on multiple devices, "identity is really the new security parameter," he said. Threats such as credential theft, token replay, and unmanaged shadow IT have made it crucial to control access consistently across all environments.

He explained that Microsoft Entra unifies identity and network access management under one umbrella, providing centralized visibility across Entra ID (formerly Azure Active Directory), Permissions Management, and Verified ID. "It's just so important."

Building Toward Zero Trust

Core Identity Concepts (source: Joey D'Antoni).

Zero Trust, D'Antoni emphasized, is not a product but a security framework rooted in continuous verification. It applies principles such as least privilege, multifactor authentication (MFA), and device trust to every access request. "You always authenticate and authorize based on all of the available data points," he said. The goal is to minimize exposure even if a breach occurs, assuming that no network or user can be inherently trusted.

He explained how Conditional Access enforces those principles in real time by evaluating context -- who the user is, what device they're on, and where they're connecting from -- before granting access. "It's really, really difficult to secure your entry environment without having, without having Conditional Access," D'Antoni said.

Conditional Access in Practice

Conditional Access in Practice (source: Joey D'Antoni).

D'Antoni called Conditional Access "another key part of Entra." He encouraged attendees to move beyond default settings and implement tailored policies that reflect their organization's specific risk profile. Examples include requiring MFA for administrators, blocking legacy authentication protocols, and restricting access based on device compliance.

He recommended a gradual rollout using the feature's report-only mode to gauge the impact of new policies before enforcing them. "Report-only is your friend," he said, explaining how he tests Conditional Access policies one at a time before activation. To prevent accidental lockouts, he advised maintaining emergency or "break-glass" accounts excluded from Conditional Access rules. "You can lock yourself out of your Azure tenant with Conditional Access. Ask me how I know -- I've done it."
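The three missteps D'Antoni warns about here (admins without MFA, legacy authentication left open, and no break-glass exclusion) can be checked offline against an export of a tenant's policies. The script below is an added example written for this article, not code from the session or from Microsoft; it assumes the policies have been exported in the JSON shape Microsoft Graph returns for Conditional Access policies (`state`, `conditions.users`, `conditions.clientAppTypes`, `grantControls.builtInControls`). The two sample policies and the break-glass object id are constructed placeholders; the Global Administrator role template id is Entra's built-in value.

```python
"""Offline review of Entra Conditional Access policies for common lockout
and coverage gaps. Sample data is constructed for this example."""
from typing import Any

# Placeholder object id for the tenant's emergency-access account (not a real id).
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-000000000001"}
# Built-in role template id for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Graph clientAppTypes values under which legacy (basic) authentication arrives.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

# Constructed sample export: one admin-MFA policy still in report-only mode,
# and one legacy-auth block that forgot to exclude the break-glass account.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require MFA for Global Admins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                      "excludeUsers": sorted(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def is_enforced(policy: dict[str, Any]) -> bool:
    """Only 'enabled' policies act; report-only and disabled ones do not."""
    return policy.get("state") == "enabled"


def excludes_break_glass(policy: dict[str, Any]) -> bool:
    """Every break-glass account must be in the policy's excludeUsers list."""
    excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
    return BREAK_GLASS_IDS <= excluded


def requires_mfa_for_global_admins(policies: list[dict[str, Any]]) -> bool:
    """True if some enforced policy targets the Global Admin role and grants on MFA."""
    for p in policies:
        roles = p["conditions"]["users"].get("includeRoles", [])
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if is_enforced(p) and GLOBAL_ADMIN_ROLE in roles and "mfa" in controls:
            return True
    return False


def blocks_legacy_auth(policies: list[dict[str, Any]]) -> bool:
    """True if some enforced policy blocks all users on legacy client app types only."""
    for p in policies:
        types = set(p["conditions"].get("clientAppTypes", []))
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        all_users = "All" in p["conditions"]["users"].get("includeUsers", [])
        if (is_enforced(p) and types and types <= LEGACY_CLIENT_APPS
                and "block" in controls and all_users):
            return True
    return False


def review(policies: list[dict[str, Any]]) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: list[str] = []
    for p in policies:
        if not excludes_break_glass(p):
            findings.append(f"{p['displayName']}: break-glass accounts not excluded (lockout risk)")
        if not is_enforced(p):
            findings.append(f"{p['displayName']}: still in state {p['state']}, not enforced")
    if not requires_mfa_for_global_admins(policies):
        findings.append("No enforced policy requires MFA for Global Administrators")
    if not blocks_legacy_auth(policies):
        findings.append("No enforced policy blocks legacy authentication")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_POLICIES):
        print("FINDING:", line)
```

Run against the constructed export it reports three findings: the admin-MFA policy is still report-only (so the tenant has no enforced admin MFA yet), and the legacy-auth block would also apply to the break-glass account. Flipping the first policy's `state` to `enabled` clears the admin-MFA finding, which is exactly the report-only-then-enforce sequence the speaker describes.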

Beyond Passwords: Modern Authentication

Beyond Passwords: Modern Authentication (source: Joey D'Antoni).

D'Antoni discussed Entra's support for passwordless authentication, which he described as a critical evolution for both usability and security. He highlighted methods such as Windows Hello, FIDO2 keys, and the Microsoft Authenticator app, all of which reduce reliance on credentials that can be stolen or phished. "Windows Hello is the most frictionless experience."

Managing Privileged Access

Managing Privileged Access (source: Joey D'Antoni).

Privileged Identity Management (PIM) within Entra was another major focus. D'Antoni urged administrators to adopt just-in-time elevation for admin accounts and to audit privileged roles regularly. "You shouldn't be logged into your machine as a highly privileged account all the time," he said. He noted, "Privilege identity management takes us a step further."

Continuous Monitoring and Improvement

Monitoring & Continuous Improvement (source: Joey D'Antoni).

D'Antoni closed by stressing the importance of maintaining visibility into sign-in activity, risk detection, and audit logs using Entra ID Protection. Integrations with Microsoft Defender and Sentinel can provide automated responses and ongoing posture assessments. As he put it, "your security posture isn't really static."

He summarized his top recommendations simply: "If you didn't learn anything from today, use MFA everywhere, you need Conditional Access to manage Entra, look at passwordless authentication."

And More
The session also touched on identity lifecycle automation, managed identities for non-human accounts, and decentralized credential verification through Entra Verified ID.

While replays are convenient and informative -- especially up-to-date sessions that just concluded -- attending live events offers advantages, including the ability to ask specific implementation questions and receive guidance in real time (not to mention receive free prizes, in this instance an XBox Series X Console provided by the sponsor, Veeam, which also presented a session in the summit). With that in mind, here are some upcoming online webcasts from RedmondMag:

About the Author

David Ramel is an editor and writer at Converge 360.
