Conditional Access Controls

A comprehensive map of all conditional access policy components across Microsoft 365 E3 and E5, showing exactly where E5 adds complexity and capability over E3.

E3 = Entra ID P1. E5 = Entra ID P2 + Defender + Purview.
How Conditional Access works:

Policies follow an IF/THEN model. IF a set of signals and conditions match (user, location, device, app, risk), THEN enforce access controls (block, require MFA, require compliant device, etc.) and optionally apply session controls. E5 adds risk-based intelligence, real-time session proxy, and identity governance that fundamentally expand what "conditions" and "controls" can do.

Legend: E3 = included in E3 (Entra ID P1); E5 = requires E5 (Entra ID P2); PURVIEW / GSA ADD-ON = requires a separate add-on license.
Policy evaluation flow
1 Signals
User / Group / Role
IP / Named location
Device / Platform
Target app / resource
Risk level (E5)
ID Protection (E5)
2 Conditions
Device platform match
Location include / exclude
Client app type
Filter for devices
Auth flow (Preview)
Sign-in risk level (E5)
User risk level (E5)
Service principal risk (E5)
3 Decision
Block access
Grant access
Grant with controls
4 Grant Controls
Require MFA
Require auth strength
Compliant device
Hybrid joined device
Approved client app
App protection policy
Terms of use
Password change (E5)
5 Session Controls
Sign-in frequency
Persistent browser
App enforced restrictions
Continuous access eval
Token protection (Preview)
CA App Control (E5)
Real-time DLP proxy (E5)
Policy logic model (E3 + E5 combined)

IF assignments match (who + what + where):
Users & groups; cloud apps or actions; auth context; workload identities (E5); agent identities (E5 Preview)

AND conditions match:
Device platform; network location; client app type; device filter; auth flow (Preview); sign-in risk (E5); user risk (E5); service principal risk (E5); insider risk (Purview)

THEN enforce controls:
Block access; require MFA; require auth strength; compliant device; hybrid joined device; approved client app; app protection policy; terms of use; password change (E5)

PLUS session controls (optional):
Sign-in frequency; persistent browser; app enforced restrictions; continuous access evaluation; disable resilience defaults; token protection (Preview); CA App Control (E5, Defender); Global Secure Access profile
Grant control logic:

When multiple grant controls are selected, choose "Require all the selected controls" (AND) or "Require one of the selected controls" (OR). The default is AND. Evaluation order: MFA first, then device state, then Terms of Use. E5 adds the "Require password change" grant control for risk remediation; it must target All resources and can be combined only with Require MFA (require all), not with any other grant control.

What E5 fundamentally changes:

E3 policies are static: they enforce rules based on conditions you define manually (location, platform, group membership). E5 adds ML-driven risk signals that change the outcome without a hand-written rule for each attack pattern. A real-time detection such as a password spray hit or an anomalous token raises sign-in risk during the authentication itself and can be challenged or blocked on the spot; an offline detection such as impossible travel raises the user's risk level after the fact and is enforced on the next sign-in (see detection timing below). E5 also adds a real-time session proxy (Defender for Cloud Apps) that can inspect and control what happens inside a session: blocking downloads, redacting sensitive data, preventing copy/paste. E3 has no equivalent.

Users, Groups & Roles
Who the policy targets
All users / Specific users & groups
Include or exclude by user, security group, or dynamic group membership
E3
Directory roles
Target by Entra admin role (Global Admin, Exchange Admin, etc.)
E3
Guest & external users
B2B guests, external org members, service providers
E3
E5 adds
Workload identities
Service principals and app registrations. Block by IP range or risk level. Can't use MFA — only block access. Requires Workload Identities Premium.
E5
Agent identities (Preview)
AI agent workloads evaluated with agent-specific risk signals. Extends Zero Trust to autonomous agents.
E5
Cloud Apps & Actions
What resources trigger the policy
All resources / Select specific apps
Target Office 365, Azure portal, custom SAML/OIDC apps, or all cloud apps at once
E3
User actions
Register security info, register/join devices
E3
Authentication context
Step-up auth for sensitive actions within apps (e.g., access a sensitive SharePoint site, activate a PIM role)
E3
Network Locations
Where access originates
Named locations (IP ranges)
Define corporate IP ranges as trusted. Include/exclude from policies.
E3
Countries / regions
Block or allow by geographic location via IP geolocation
E3
Compliant network (GSA)
Global Secure Access compliant network location check
E3
Device Conditions
Platform and device-level filters
Device platforms
Android, iOS, Windows, macOS, Linux (detected via user-agent, unverified)
E3
Filter for devices
Rule-based include/exclude on device properties: OS version, trust type, manufacturer, model, compliance state, extension attributes
E3
Client apps
Browser, mobile/desktop apps, Exchange ActiveSync, other (legacy) clients
E3
Authentication flows (Preview)
Block or control device code flow and authentication transfer between devices
E3
Risk-Based Conditions
Dynamic ML-driven signals — E5 / P2 only
Sign-in risk level
Low / Medium / High — ML-scored probability that an auth request isn't from the legitimate user. Covers anonymous IP use, password spray, atypical and impossible travel, anomalous tokens and the other sign-in risk detections listed below (16 in all).
E5
User risk level
Low / Medium / High — cumulative risk that a user's identity is compromised. Aggregates leaked credentials, anomalous activity, attacker-in-the-middle, and more.
E5
Service principal risk
Risk detection for non-human workload identities — anomalous credential usage, suspicious sign-in patterns. Requires Workload Identities Premium.
E5
Agent risk (Preview)
Risk signals specific to AI agent identities — compromised agents, anomalous agent behavior.
E5
Insider risk
Signals from Microsoft Purview Adaptive Protection based on user behavior patterns, data exfiltration indicators, and anomaly detection. Requires Purview license.
PURVIEW
Grant control logic:

Select "Require all the selected controls" (AND) or "Require one of the selected controls" (OR). The default is AND. Example: Require MFA AND compliant device, or Require MFA OR approved client app. E5 adds "Require password change" for automated risk remediation; it can be paired only with Require MFA.

Block Access
Deny all access when conditions match
Block access
The most restrictive control. Completely prevents access. Overrides all other grant controls. Available in both E3 and E5.
E3
Authentication Controls
Verify identity before access
Require multifactor authentication
Must complete MFA via Authenticator, FIDO2 key, phone, etc.
E3
Require authentication strength
Enforce specific methods: phishing-resistant only (FIDO2, Windows Hello, certificate-based auth). Built-in or custom strengths.
E3
E5 adds
Require password change
Force a password change via SSPR when user risk is detected. Must target All resources. Can be combined only with Require MFA (require all), not with other grant controls. Enables automated self-remediation for compromised accounts, which also closes the user risk event.
E5
Device Controls
Enforce device trust and management
Require device to be marked as compliant
Device must meet Intune compliance policies. Supports Windows 10+, iOS, Android, macOS, Linux (Ubuntu). InPrivate Edge counts as non-compliant.
E3
Require Entra hybrid joined device
Device must be joined to on-prem AD and registered in Entra ID. For domain-joined Windows devices in hybrid environments.
E3
App & Compliance Controls
App-level access requirements
Require approved client app
Must use a Microsoft-approved mobile app (Outlook, Teams, etc.). Requires broker app (Authenticator / Company Portal).
E3
Require app protection policy
App must have Intune app protection policy applied (MAM) before granting access.
E3
Require terms of use
User must accept a Terms of Use document. Supports scheduled re-acceptance and per-device consent.
E3
Sign-in Frequency
Re-authentication timing
Custom time period (hours / days)
Set re-authentication interval. Applies to OAuth 2.0 / OIDC apps (Microsoft 365, Teams web, etc.).
E3
Every time
Force re-authentication on every access attempt. Used for high-security scenarios and risk remediation.
E3
Browser & Token Controls
Session persistence and token binding
Persistent browser session
Always persistent or never persistent. Overrides the "Stay signed in?" KMSI prompt.
E3
Token protection (Preview)
Cryptographically binds sign-in session tokens to the device they were issued to, so a token stolen and replayed from another device is rejected. Currently scoped to specific Windows clients and Microsoft 365 services; check the supported-client list before enforcing.
E3
Continuous access evaluation (CAE)
Auto-enabled. Revokes access in near real-time on critical events: account disabled, password changed, admin revoke. Can customize or disable per policy.
E3
Disable resilience defaults
During outages, deny access when sessions expire instead of extending them.
E3
Application Enforced Restrictions
Pass device info to cloud apps
App enforced restrictions
Passes device compliance / join state to SharePoint and Exchange Online. Unmanaged devices get limited web-only access: no download, no sync, no print. E3-native.
E3
Conditional Access App Control
Real-time session proxy — E5 / Defender for Cloud Apps
Reverse proxy session monitoring
Routes user sessions through Defender for Cloud Apps proxy for real-time inspection. Monitors all browser-based app activity with detailed audit logs.
E5
Block / protect downloads
Block download of sensitive files from unmanaged devices, or force label + encryption on download via Purview Information Protection.
E5
Block copy / cut / print
Prevent data exfiltration by blocking clipboard and print operations on sensitive documents in-session.
E5
Block upload of unlabeled / malicious files
Prevent upload of files without sensitivity labels. Scan uploads against Microsoft Threat Intelligence for malware.
E5
Block custom activities
Scan and block sensitive content in app-specific actions (e.g., Teams/Slack messages with sensitive data).
E5
Require step-up auth for sensitive actions
Re-evaluate CA policies mid-session when a sensitive action occurs (download, share, etc.).
E5
Global Secure Access
Network security integration — add-on
Security profile integration
Combines identity-aware CA with network-level enforcement via Microsoft Entra Internet Access (SSE). Applies web content filtering, traffic forwarding, and network DLP.
GSA ADD-ON
Identity Protection is E5 / Entra ID P2 only.

This is the single biggest security upgrade from E3 to E5. Identity Protection uses ML models trained on trillions of Microsoft sign-in signals to detect compromised accounts, suspicious behavior, and attack patterns in real-time. E3 cannot use any risk conditions — it can only enforce static rules.

Understanding detection timing:

Each risk detection runs at a specific timing — this determines when it can trigger a Conditional Access policy and how quickly you'll see it in reports.

Real-time (during sign-in)

Evaluated as the authentication happens. Can block or challenge a sign-in before the user gains access. Appears in reports within 5–10 minutes. This is the most protective — Conditional Access policies act immediately.

Offline (after sign-in)

Calculated after authentication completes, using larger signal volumes that require more processing time. Takes up to 48 hours to surface. The sign-in was already allowed — but the user's risk level is updated retroactively, and CA policies enforce on the next sign-in.

Both (either mode)

Can fire during the sign-in or after it, depending on available signals. When triggered in real-time, CA policies act immediately. When triggered offline, the risk level updates retroactively and enforces on the next authentication attempt.
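The timing distinction above is visible in the sign-in log: riskLevelDuringSignIn is the real-time score the Conditional Access engine saw when it made its decision, while riskLevelAggregated also includes offline detections added afterwards. The following is an added example (not code from the page or from Microsoft) that triages constructed sign-in records shaped like the Microsoft Graph signIn resource, separating risky sign-ins that no enforced policy challenged from sign-ins whose risk only rose offline and therefore needs enforcement at the next authentication. The sample records and policy names are constructed for the example.

```python
"""Triage constructed Entra sign-in log records (Microsoft Graph signIn shape).
Added example, not Microsoft code; the records below are constructed."""
import json

RISKY = {"medium", "high"}
ENFORCED = {"success", "failure"}  # results of enforced (non-report-only) policies

# Constructed sample: field names follow the Graph signIn resource.
SAMPLE_LOG = json.dumps([
    # offline detection raised risk after an already-allowed sign-in
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "riskLevelDuringSignIn": "none", "riskLevelAggregated": "high",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    # real-time risk, blocked on the spot
    {"id": "s2", "userPrincipalName": "bob@contoso.example",
     "riskLevelDuringSignIn": "high", "riskLevelAggregated": "high",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block high-risk sign-ins for admins", "result": "failure",
          "enforcedGrantControls": ["Block"]}]},
    # real-time risk, but the only matching policy is still report-only
    {"id": "s3", "userPrincipalName": "carol@contoso.example",
     "riskLevelDuringSignIn": "medium", "riskLevelAggregated": "medium",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for medium+ sign-in risk", "result": "reportOnlyFailure",
          "enforcedGrantControls": ["Mfa"]}]},
])


def classify(rec: dict) -> dict:
    """One record -> when the risk engine knew, and whether CA acted on it."""
    rt = rec.get("riskLevelDuringSignIn", "none")
    agg = rec.get("riskLevelAggregated", "none")
    policies = rec.get("appliedConditionalAccessPolicies", [])
    enforced = [p for p in policies if p.get("result") in ENFORCED]
    report_only = [p["displayName"] for p in policies
                   if str(p.get("result", "")).startswith("reportOnly")]
    if rt in RISKY:
        timing = "real-time"   # risk known during sign-in: CA could act immediately
    elif agg in RISKY:
        timing = "offline"     # raised after the fact: enforcement waits for the next sign-in
    else:
        timing = "none"
    # "challenged" = an enforced policy applied a grant control (MFA, block, ...)
    challenged = any(p.get("enforcedGrantControls") for p in enforced)
    return {"id": rec["id"], "upn": rec["userPrincipalName"], "timing": timing,
            "challenged": challenged, "report_only": report_only}


def triage(log_json: str) -> dict:
    """Group sign-in ids: real-time risk nothing enforced (with the report-only
    policies that would have fired), and offline risk needing follow-up."""
    out = {"unenforced_realtime": [], "offline_followup": []}
    for rec in json.loads(log_json):
        c = classify(rec)
        if c["timing"] == "real-time" and not c["challenged"]:
            out["unenforced_realtime"].append((c["id"], c["report_only"]))
        elif c["timing"] == "offline":
            out["offline_followup"].append(c["id"])
    return out


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Against the constructed records, s3 is the gap to fix (a medium-risk sign-in that only a report-only policy matched) and s1 is the offline case: nothing was wrong at sign-in time, but the user's aggregated risk is now high, so a user-risk policy should fire at the next authentication and the account deserves a look now.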

Sign-in Risk Detections

Evaluate each authentication attempt. Can trigger MFA or block in real-time.


Detection | Timing | License
Anonymous IP address | Real-time | Free
  Sign-in from an anonymous IP address (e.g., Tor browser, anonymizer VPNs). These addresses are often used to hide sign-in telemetry for potentially malicious intent.
Microsoft Entra threat intelligence | Both | Free
  User activity that is unusual for the given user or matches known attack patterns based on Microsoft's internal and external threat intelligence sources.
Unfamiliar sign-in properties | Real-time | P2
  Sign-in with properties (IP, ASN, location, device) not seen recently for the user. The system learns a user's typical sign-in behavior and flags deviations.
Verified threat actor IP | Real-time | P2
  Sign-in from an IP address known to be associated with nation-state actors or cyber crime groups, as identified by the Microsoft Threat Intelligence Center (MSTIC).
Password spray | Both | P2
  The user's password was correctly identified in a password spray attack, where multiple accounts are targeted in parallel with commonly used passwords in a brute-force pattern.
Anomalous token | Both | P2
  Abnormal characteristics detected in a session or refresh token, such as unusual token lifetime or a token played from an unfamiliar location. May indicate token theft and replay.
Atypical travel | Offline | P2
  Two sign-ins originating from geographically distant locations where the travel time between them would be atypical for the user, suggesting possible credential sharing or compromise.
Impossible travel | Offline | P2
  Two sign-ins from geographically distant locations within a time period shorter than physically possible travel. Detected using Microsoft Defender for Cloud Apps data.
New country | Offline | P2
  Sign-in from a new and infrequent location that the user has not recently visited. Evaluated based on past activity geography using Defender for Cloud Apps data.
Malicious IP address | Offline | P2
  Sign-in from an IP address with a high failure rate due to invalid credentials, or from an IP known to have malicious reputation across Microsoft's threat intelligence.
Suspicious browser | Offline | P2
  Anomalous sign-in activity across multiple tenants from different countries in the same browser session, potentially indicating a browser hijack or use of a malicious browser tool.
Suspicious inbox forwarding | Offline | P2
  Suspicious email forwarding rules detected, for example a rule that forwards a copy of all email to an external address. Detected via Defender for Cloud Apps.
Suspicious inbox manipulation rules | Offline | P2
  Suspicious inbox rules that delete or move messages and folders were detected, potentially an attempt to hide evidence of a compromised mailbox. Uses Defender for Cloud Apps.
Mass access to sensitive files | Offline | P2
  A user accessed an unusually high number of files labeled as sensitive in SharePoint Online or OneDrive for Business. Detected via Microsoft Defender for Cloud Apps.
Token issuer anomaly | Offline | P2
  The SAML token issuer for the associated token may be compromised. The claims in the token are unusual or match known attacker patterns for the issuer.
Activity from anonymous IP | Offline | P2
  User activity detected from an IP address that has been identified as an anonymous proxy IP address, using data from Microsoft Defender for Cloud Apps.

User Risk Detections

Cumulative signals that an identity may be compromised. Can force password change.


Detection | Timing | License
Leaked credentials | Offline | Free
  The user's valid credentials (username and password pair) were found exposed on the dark web, paste sites, or other underground sources. Triggers an immediate risk elevation.
Microsoft Entra threat intelligence | Both | Free
  User activity that is unusual for the given user or matches known attack patterns based on Microsoft's internal and external threat intelligence sources.
Anomalous token | Both | P2
  Abnormal characteristics detected in a session or refresh token, such as unusual token lifetime or a token played from an unfamiliar location. May indicate token theft and replay.
Anomalous user activity | Offline | P2
  Baselines normal administrative behavior in Microsoft Entra ID and detects anomalous patterns such as suspicious changes to the directory, unusual enumeration, or atypical admin actions.
Attacker in the Middle | Offline | P2
  An authentication session was linked to a malicious reverse proxy, allowing the attacker to intercept credentials and tokens in real time. Detected via Defender for Cloud Apps.
Possible PRT access attempt | Offline | P2
  Detected an attempt to access the Primary Refresh Token (PRT), the key credential for single sign-on on Windows, iOS, and Android. May indicate lateral movement or credential theft. Detected via Defender for Endpoint.
Suspicious API traffic | Offline | P2
  Abnormal Microsoft Graph API traffic or directory enumeration activity detected from the user's account, suggesting the identity may be compromised and used for reconnaissance.
Suspicious sending patterns | Offline | P2
  Suspicious email-sending behavior detected from the user's mailbox, which may risk the account being restricted. Uses data from Microsoft Defender for Office 365.
User reported suspicious activity | Offline | P2
  A user denied an MFA prompt and reported it as suspicious via the Microsoft Authenticator app, indicating someone else may have the user's credentials and is attempting to authenticate.
Privileged Identity Management (PIM)
Just-in-time admin access — E5 / P2
Just-in-time role activation
Admins must activate privileged roles on-demand rather than having standing access. Time-limited (e.g., 4-8 hours) with automatic expiration.
E5
Approval workflows
Require another admin to approve role activation for the most sensitive roles (Global Admin, etc.).
E5
CA integration via authentication context
Require step-up authentication (e.g., phishing-resistant MFA + compliant device) specifically when activating a PIM role. Links PIM to Conditional Access.
E5
PIM for Groups
Extend just-in-time access to security group memberships and ownership, not just admin roles.
E5
Access Reviews & Governance
Automated access certification — E5 / P2
Recurring access reviews
Schedule periodic reviews of group memberships, app assignments, and role assignments. Auto-remove access if not re-certified.
E5
Entitlement management
Bundle resources into access packages with approval workflows, automatic expiration, and self-service request portal.
E5
Self-remediation for risky users
Users flagged by Identity Protection can self-remediate (change password, complete MFA) without admin intervention. Reduces helpdesk load.
E5

Policy evaluation pipeline. Each stage below lists every component evaluated at that step; signals flow through the engine in the order shown. Items under "E5 adds" require Entra ID P2; everything else is available in E3.

1
Signals
6 signal types
User identity
User, group membership, directory role, guest/external status
Target resource
Cloud app, user action (register security info), or authentication context
Network location
IP ranges (named locations), country/region, compliant network (GSA)
Device state
Platform (iOS, Android, Windows, macOS, Linux), client app type, device filter rules
E5 adds
Risk signals
Sign-in risk level, user risk level, service principal risk — all ML-driven via Identity Protection
Workload & agent identities
Service principals, app registrations, and AI agent workloads with dedicated risk signals
2
Conditions
9 condition types
Device platform
Match on Android, iOS, Windows, macOS, Linux — include or exclude
Location
Include/exclude named IP ranges and countries. Trusted vs. untrusted network zones.
Client app type
Browser, mobile/desktop app, Exchange ActiveSync, other (legacy) clients
Filter for devices
Rule expressions on device properties: OS version, trust type, manufacturer, extension attributes
Authentication flow
Block or control device code flow and authentication transfer (Preview)
E5 adds
Sign-in risk level
Low / Medium / High — ML-scored probability the auth request is illegitimate (impossible travel, password spray, anomalous token, etc.)
User risk level
Cumulative compromise score aggregating leaked credentials, anomalous activity, attacker-in-the-middle
Service principal risk
Anomalous credential usage for non-human workload identities (requires Workload Identities Premium)
Insider risk
Signals from Microsoft Purview Adaptive Protection — behavior patterns and data exfiltration indicators
3
Decision
3 outcomes
Block access
Deny all access. Most restrictive — overrides all other controls.
Grant access
Allow access unconditionally (no additional controls required).
Grant with controls
Allow access only if the user satisfies one or more grant controls (MFA, compliant device, etc.). Multiple controls can be ANDed or ORed.
4
Grant Controls
8 controls
Require MFA
Must complete multi-factor authentication via Authenticator, FIDO2 key, phone, etc.
Require authentication strength
Enforce specific methods: phishing-resistant only (FIDO2, Windows Hello, certificate-based). Built-in or custom.
Require compliant device
Device must meet Intune compliance policies. Supports Windows, iOS, Android, macOS, Linux.
Require hybrid joined device
Device must be joined to on-prem AD and registered in Entra ID.
Require approved client app
Must use a Microsoft-approved mobile app. Requires broker (Authenticator / Company Portal).
Require app protection policy
App must have Intune MAM policy applied before granting access.
Require terms of use
User must accept a Terms of Use document. Supports scheduled re-acceptance.
E5 adds
Require password change
Force a password change via SSPR when user risk is detected. Must target All resources. Can be combined only with Require MFA (require all), not with other controls.
5
Session Controls
10 controls
Sign-in frequency
Set re-authentication interval (hours/days) or force re-auth every time.
Persistent browser session
Always persistent or never persistent. Overrides the KMSI prompt.
App enforced restrictions
Passes device state to SharePoint/Exchange for limited web-only access on unmanaged devices.
Continuous access evaluation
Revokes access in near real-time on critical events: account disabled, password changed, admin revoke.
Token protection (Preview)
Binds sign-in session tokens to the device they were issued to, so a token replayed from another device is rejected. Limited to specific Windows clients and Microsoft 365 services.
Disable resilience defaults
During outages, deny access when sessions expire instead of extending.
E5 adds
CA App Control (reverse proxy)
Routes sessions through Defender for Cloud Apps for real-time inspection and enforcement.
Block downloads / copy / print
In-session DLP: prevent data exfiltration via clipboard, download, and print operations.
Block malware uploads
Scan uploads against Microsoft Threat Intelligence. Block unlabeled files.
Step-up auth for sensitive actions
Re-evaluate CA policies mid-session when a sensitive action occurs (download, share, etc.).
Final outcomes

Access Blocked

Request denied entirely. User cannot access the resource. Logged in sign-in logs with failure reason.

Full Access Granted

All grant controls satisfied. User gets full access to the resource with any applicable session controls active.

Limited / Monitored Access

Access granted with session restrictions: limited web-only mode, proxied through Defender, sign-in frequency enforced, or token-bound to device.

Policy evaluation order:

When multiple CA policies apply to a sign-in, ALL matching policies are enforced; there is no priority order between policies, so the combined effect is always the most restrictive one. Block always overrides grant. Grant controls from multiple policies are combined: if one policy requires MFA and another requires a compliant device, both must be satisfied. Report-only policies are evaluated and recorded in the sign-in log but not enforced.
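The grant control logic and the policy evaluation order described above can be modelled in a few dozen lines. The following is an added example (not code from the page or from Microsoft): a toy evaluator whose Policy and SignIn shapes are this example's own simplification of the real objects, run over four constructed sign-ins against four constructed policies that mirror the recommended baseline (MFA for all, block legacy auth, compliant-or-hybrid device with OR, and a report-only risk policy). It shows exclusions winning over includes, a block from one policy overriding a satisfied grant from another, each policy's own AND/OR being applied to its controls, session controls being unioned, and report-only policies being logged but never enforced.

```python
"""Toy model of how Entra Conditional Access combines policies at sign-in.
Added example, not Microsoft code: Policy/SignIn are this example's own
simplification and every policy and sign-in below is constructed."""
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    app: str
    client_app: str                      # "browser" | "mobileAppsAndDesktopClients" | "exchangeActiveSync" | "other"
    location: str = "unknown"            # named-location tag, e.g. "corp"
    roles: frozenset = frozenset()
    sign_in_risk: str = "none"           # real-time risk for this request
    user_risk: str = "none"              # cumulative risk, may come from offline detections
    satisfied: frozenset = frozenset()   # controls already met, e.g. {"mfa"}


@dataclass
class Policy:
    name: str
    state: str = "enabled"                    # "enabled" | "reportOnly" | "disabled"
    include_users: frozenset = frozenset()    # {"All"} or specific users
    exclude_users: frozenset = frozenset()    # break-glass accounts go here
    include_roles: frozenset = frozenset()
    include_apps: frozenset = frozenset({"All"})
    client_apps: frozenset = frozenset()      # empty = any client app type
    exclude_locations: frozenset = frozenset()
    sign_in_risk: frozenset = frozenset()     # e.g. {"medium", "high"}; empty = any
    user_risk: frozenset = frozenset()
    grant: frozenset = frozenset()            # "block", "mfa", "compliantDevice", ...
    operator: str = "AND"                     # how this policy's own controls combine
    session: frozenset = frozenset()


def matches(p: Policy, s: SignIn) -> bool:
    """IF part: every configured assignment and condition must match; exclusions win."""
    if s.user in p.exclude_users or s.location in p.exclude_locations:
        return False
    if not ("All" in p.include_users or s.user in p.include_users or p.include_roles & s.roles):
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    if p.client_apps and s.client_app not in p.client_apps:
        return False
    if p.sign_in_risk and s.sign_in_risk not in p.sign_in_risk:
        return False
    if p.user_risk and s.user_risk not in p.user_risk:
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """THEN part across all policies: a block from any policy wins; otherwise every
    applied policy's grant requirement must be met (its own AND/OR decides how);
    session controls are unioned; report-only policies are only logged."""
    log, pending, session, blocked = [], [], set(), False
    for p in policies:
        if p.state == "disabled" or not matches(p, s):
            continue
        if p.state == "reportOnly":
            log.append((p.name, "reportOnly"))
            continue
        log.append((p.name, "applied"))
        if "block" in p.grant:
            blocked = True
            continue
        met = p.grant & s.satisfied
        ok = (met == p.grant) if p.operator == "AND" else (bool(met) or not p.grant)
        if not ok:
            pending.append((p.name, sorted(p.grant), p.operator))
        session |= p.session
    if blocked:
        return {"decision": "blocked", "pending": [], "session": set(), "log": log}
    decision = "challenge" if pending else "granted"
    return {"decision": decision, "pending": pending, "session": session, "log": log}


BREAK_GLASS = frozenset({"bg-admin01"})   # placeholder break-glass account
ALL = frozenset({"All"})
POLICIES = [
    Policy("Require MFA for all users", include_users=ALL, exclude_users=BREAK_GLASS,
           grant=frozenset({"mfa"})),
    Policy("Block legacy authentication", include_users=ALL, exclude_users=BREAK_GLASS,
           client_apps=frozenset({"exchangeActiveSync", "other"}), grant=frozenset({"block"})),
    Policy("Require compliant or hybrid joined device", include_users=ALL, exclude_users=BREAK_GLASS,
           grant=frozenset({"compliantDevice", "domainJoinedDevice"}), operator="OR",
           session=frozenset({"signInFrequency"})),
    Policy("Require MFA for medium+ sign-in risk", state="reportOnly", include_users=ALL,
           exclude_users=BREAK_GLASS, sign_in_risk=frozenset({"medium", "high"}), grant=frozenset({"mfa"})),
]


def demo() -> dict:
    """Four constructed sign-ins, one per outcome discussed in the text."""
    return {
        # MFA done but no managed device: challenged for the OR'd device controls
        "alice": evaluate(POLICIES, SignIn("alice", "Exchange Online", "browser", satisfied=frozenset({"mfa"}))),
        # legacy client: block wins even though MFA was satisfied
        "bob": evaluate(POLICIES, SignIn("bob", "Exchange Online", "other", satisfied=frozenset({"mfa"}))),
        # excluded break-glass account: no policy applies at all
        "bg": evaluate(POLICIES, SignIn("bg-admin01", "Azure portal", "browser")),
        # high real-time risk but all controls met: granted, risk policy only logged
        "carol": evaluate(POLICIES, SignIn("carol", "Teams", "browser", sign_in_risk="high",
                                            satisfied=frozenset({"mfa", "compliantDevice"}))),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result["decision"], result["pending"], result["log"])
```

Note that carol's sign-in is granted because the risk policy is still report-only; the log entry is exactly what you review before flipping that policy to enabled.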

Recommended Conditional Access Policies

Based on Microsoft's Zero Trust framework. Policies are ordered by protection tier: starting point (E3), enterprise (E3+E5), and specialized security (E5).

Policy | Conditions | Controls | Tier
Require MFA for all users | All users, All cloud apps | Require MFA | E3
Require phishing-resistant MFA for admins | Admin directory roles, All cloud apps | Require auth strength: phishing-resistant | E3
Block legacy authentication | All users, Client apps = Other clients / EAS | Block access | E3
Require MFA for Azure management | All users, App = Azure Management | Require MFA | E3
Require compliant or hybrid joined device | All users, All cloud apps | Compliant device OR Hybrid joined device | E3
Require approved apps on mobile | All users, Platforms = iOS / Android | Approved client app OR App protection policy | E3
Block from untrusted countries | All users, Location = non-allowed countries | Block access | E3
Restrict unmanaged devices on SPO/EXO | All users, App = SharePoint / Exchange | Session: App enforced restrictions | E3
Require MFA for security info registration | All users, Action = Register security info, Exclude trusted locations | Require MFA | E3
Block device code flow | All users (excl. specific), Auth flow = Device code | Block access | E3
Require MFA for medium+ sign-in risk | All users, Sign-in risk = Medium, High | Require MFA | E5
Require password change for high user risk | All users, User risk = High, All resources | Require password change + MFA (require all) | E5
Block high-risk sign-ins for admins | Admin roles, Sign-in risk = High | Block access | E5
Proxy sensitive apps via Defender for Cloud Apps | All users, App = sensitive SaaS apps | Session: CA App Control (Monitor + block downloads) | E5
Block risky service principals | Workload identities, Service principal risk = High | Block access | E5
Require phishing-resistant MFA for PIM activation | Admin roles, Auth context = PIM activation | Require auth strength: phishing-resistant + compliant device | E5
Always exclude emergency (break-glass) accounts.

Create at least two cloud-only emergency access accounts and exclude them from every CA policy. Protect them with long, complex passwords stored offline; Microsoft's current guidance is to also register a phishing-resistant method (FIDO2 security key or certificate-based auth) kept offline rather than leaving them password-only, while keeping them out of phone-based MFA and out of any policy that could lock them out. Alert on any sign-in by these accounts rather than only reviewing the logs after the fact.
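Deploying the recommended policies above is usually done by posting Microsoft Graph conditionalAccessPolicy bodies rather than clicking through the portal, and that is where the rules stated on this page (break-glass exclusion, password change only with MFA and only on All resources, block never combined with other controls, start in report-only) are easiest to check mechanically. The following is an added example, not code from the page or from Microsoft: it builds four of the recommended policies as Graph request bodies and lints them against those rules. The break-glass object IDs are placeholders, the phishing-resistant authentication strength ID is assumed to be the built-in one, the Global Administrator role template ID is the well-known value, and post_policy() only returns the request a practitioner would send; nothing here calls Graph.

```python
"""Build Microsoft Graph conditionalAccessPolicy bodies for recommended policies
and lint them against the rules this page states. Added example, not Microsoft
code; IDs marked placeholder/assumed are not from the page."""
import json

BREAK_GLASS_IDS = ["11111111-1111-1111-1111-111111111111",    # placeholder object IDs
                   "22222222-2222-2222-2222-222222222222"]
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"      # well-known role template ID
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"  # built-in strength (assumed)
REPORT_ONLY = "enabledForReportingButNotEnforced"
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def base(name: str, state: str = REPORT_ONLY) -> dict:
    """Every policy starts report-only, targets all users/resources, excludes break-glass."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def require_mfa_all_users() -> dict:
    p = base("Require MFA for all users")
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def block_legacy_auth() -> dict:
    p = base("Block legacy authentication")
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def phishing_resistant_admins() -> dict:
    p = base("Require phishing-resistant MFA for admins")
    p["conditions"]["users"] = {"includeRoles": [GLOBAL_ADMIN_ROLE],
                                "excludeUsers": list(BREAK_GLASS_IDS)}
    p["grantControls"]["authenticationStrength"] = {"id": PHISHING_RESISTANT_STRENGTH}
    return p


def password_change_high_user_risk() -> dict:
    p = base("Require password change for high user risk")
    p["conditions"]["userRiskLevels"] = ["high"]
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p


def lint(p: dict) -> list:
    """Findings are the page's own rules; an empty list means the body passes."""
    findings = []
    users, grant = p["conditions"]["users"], p.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if not set(BREAK_GLASS_IDS) <= set(users.get("excludeUsers", [])):
        findings.append("break-glass accounts are not excluded")
    if "block" in controls and len(controls) > 1:
        findings.append("block cannot be combined with other grant controls")
    if "passwordChange" in controls:
        if p["conditions"]["applications"].get("includeApplications") != ["All"]:
            findings.append("passwordChange must target All resources")
        if controls - {"passwordChange", "mfa"}:
            findings.append("passwordChange may only be combined with mfa")
        if "mfa" in controls and grant.get("operator") != "AND":
            findings.append("passwordChange with mfa must use operator AND (require all)")
    if not controls and not grant.get("authenticationStrength"):
        findings.append("no grant control selected")
    if (p["state"] != REPORT_ONLY and "block" in controls
            and users.get("includeUsers") == ["All"]
            and p["conditions"].get("clientAppTypes") == ["all"]):
        findings.append("enabled block for all users on all client apps: lockout risk")
    return findings


def post_policy(p: dict) -> tuple:
    """The request a practitioner would send once lint() is clean; not executed here."""
    return ("POST", GRAPH_URL, json.dumps(p, indent=2))


if __name__ == "__main__":
    for build in (require_mfa_all_users, block_legacy_auth,
                  phishing_resistant_admins, password_change_high_user_risk):
        body = build()
        print(body["displayName"], "->", lint(body) or "ok")
```

The lockout check is deliberately conservative: an enabled block policy scoped to all users on all client app types is almost always a mistake, and catching it before the POST is far cheaper than recovering with a break-glass account.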

E3 vs E5 — Complete Conditional Access Feature Comparison

E3 includes Entra ID P1. E5 includes Entra ID P2 + Defender for Cloud Apps + Microsoft Purview. P2 features can be added to E3 as standalone add-ons.

Capability | E3 | E5 | What E5 adds
Core Policy Engine
Conditional Access engine | Yes | Yes | Same engine, same if/then logic
Report-only mode | Yes | Yes |
Policy templates | Yes | Yes |
Soft delete & restore (Preview) | Yes | Yes |
Signals & Conditions
Users, groups, directory roles | Yes | Yes |
Device platform conditions | Yes | Yes |
Location conditions (IP, country) | Yes | Yes |
Client app conditions | Yes | Yes |
Filter for devices | Yes | Yes |
Auth flow control (Preview) | Yes | Yes |
Authentication context | Yes | Yes | E5 links it to PIM role activation
Sign-in risk condition | No | Yes | ML-driven: 16 detection types
User risk condition | No | Yes | Cumulative identity compromise score
Service principal risk | No | Yes | Workload identity risk detection
Workload identity policies | No | Yes | CA for service principals (Workload Identities Premium)
Grant Controls
Require MFA | Yes | Yes |
Require authentication strength | Yes | Yes |
Require compliant device | Yes | Yes |
Require hybrid joined device | Yes | Yes |
Require approved client app | Yes | Yes |
Require app protection policy | Yes | Yes |
Require terms of use | Yes | Yes |
Require password change | No | Yes | Auto-remediation for compromised users
Session Controls
Sign-in frequency | Yes | Yes |
Persistent browser session | Yes | Yes |
App enforced restrictions | Yes | Yes |
Continuous access evaluation | Yes | Yes | E5 adds CAE for workload identities
Token protection (Preview) | Yes | Yes |
CA App Control (reverse proxy) | No | Yes | Real-time session monitoring via Defender
Block downloads / copy / print | No | Yes | In-session DLP enforcement
Block malware uploads | No | Yes | Threat Intelligence file scanning
Identity Protection & Governance
Identity Protection dashboard | No | Yes | Risky users, risky sign-ins, risk detections
Privileged Identity Management | No | Yes | Just-in-time admin access with approval
Access reviews | No | Yes | Automated access re-certification
Entitlement management | No | Yes | Self-service access packages
Workload identity protection | No | Yes | Risk detection for service principals
Licensing strategy:

E3 orgs can add P2 features selectively without full E5. Options: "Entra ID P2" standalone ($9/user/month), "M365 E5 Security" add-on, or "M365 E5 Compliance" add-on. Only users who benefit from P2 features need P2 licenses — you can mix P1 and P2 within the same tenant. However, Conditional Access policies themselves apply tenant-wide regardless of which users hold which licenses.

The fundamental shift from E3 to E5:

E3 gives you a robust rule-based policy engine — you define the conditions manually. E5 makes the system adaptive: ML-driven risk signals, automated remediation, real-time session inspection, and governance automation. The jump isn't just more features — it's a different security model. E3 is "configure and enforce." E5 is "detect, adapt, and respond."