Conditional Access Policies [CHK-1114]
This check retrieves all Conditional Access policies in the tenant and reports their configuration state. It provides an overview of how many policies are enabled, disabled, or in report-only mode, along with a detailed breakdown of each policy's scope — including targeted users, groups, roles, applications, and locations.
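To make the collection step concrete, the following Python is an added example (not the check's own code) that works on the JSON shape returned by Microsoft Graph from GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies. It counts policies by state (enabled, disabled, report-only) and breaks each policy down into its targeted users, groups, roles, applications and locations. The SAMPLE_POLICIES list is constructed for the example; the group and role identifiers in it are placeholders, not values from any real tenant.

```python
"""Summarize Entra ID Conditional Access policies as this check does (added example)."""
import json
import urllib.request
from collections import Counter
from typing import List, Optional

# Microsoft Graph endpoint for Conditional Access policies (v1.0).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Graph 'state' values mapped to the labels used in the check's overview.
STATE_LABELS = {
    "enabled": "enabled",
    "disabled": "disabled",
    "enabledForReportingButNotEnforced": "report-only",
}


def fetch_policies(access_token: str) -> List[dict]:
    """Fetch every policy, following @odata.nextLink paging.
    Requires a Graph token with Policy.Read.All; not used by the offline sample below."""
    policies, url = [], GRAPH_CA_POLICIES
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        policies.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return policies


def _scope(section: Optional[dict], key: str) -> dict:
    """Return include/exclude lists for one scope key ('Users', 'Groups', 'Roles', ...).
    Graph omits the whole section (e.g. 'locations' is null) when a condition is unused."""
    section = section or {}
    return {
        "include": section.get(f"include{key}") or [],
        "exclude": section.get(f"exclude{key}") or [],
    }


def describe_policy(policy: dict) -> dict:
    """Break one policy down into its state and targeted scope."""
    conditions = policy.get("conditions") or {}
    users = conditions.get("users")
    apps = conditions.get("applications")
    locations = conditions.get("locations")
    grant = policy.get("grantControls") or {}
    return {
        "name": policy.get("displayName", "<unnamed>"),
        "state": STATE_LABELS.get(policy.get("state"), policy.get("state")),
        "users": _scope(users, "Users"),
        "groups": _scope(users, "Groups"),
        "roles": _scope(users, "Roles"),
        "applications": _scope(apps, "Applications"),
        "locations": _scope(locations, "Locations"),
        "grant_controls": grant.get("builtInControls") or [],
    }


def summarize(policies: List[dict]) -> dict:
    """Counts by state plus a per-policy breakdown: the overview this check reports."""
    details = [describe_policy(p) for p in policies]
    counts = Counter(d["state"] for d in details)
    return {
        "total": len(details),
        "enabled": counts.get("enabled", 0),
        "disabled": counts.get("disabled", 0),
        "report_only": counts.get("report-only", 0),
        "policies": details,
    }


# Constructed sample in the Graph response shape; ids are placeholders, not real objects.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass-group-id-placeholder"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require compliant device for admins",
        "state": "disabled",
        "conditions": {
            "users": {"includeRoles": ["role-template-id-placeholder"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_POLICIES), indent=2))
```

Against a live tenant you would call summarize(fetch_policies(token)) instead of the sample list; the per-policy scope lists make it easy to spot policies that exclude broad groups or never target admin roles, which is exactly what the overview is meant to surface.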
Rationale
Conditional Access is the primary mechanism in Entra ID for enforcing access controls such as MFA, device compliance, location-based restrictions, and session management. Without Conditional Access policies, all users can authenticate from any device, any location, and any application without additional verification — leaving the tenant fully exposed to credential-based attacks.
Threat actors routinely exploit tenants that lack Conditional Access. A compromised password — obtained through phishing, credential stuffing, or a data breach — gives an attacker unrestricted access to all Microsoft 365 services. With Conditional Access policies in place, even a compromised credential can be rendered useless if the attacker cannot satisfy the additional requirements (e.g., MFA challenge, compliant device, or trusted location).
Beyond initial access, Conditional Access provides defense in depth against persistence and lateral movement. Policies that restrict admin portal access, enforce session timeouts, or require compliant devices make it significantly harder for an attacker to maintain their foothold or escalate privileges.
This check exists only to collect the policies and make them visible inside the app; it does not evaluate whether their configuration is adequate.