
Azure Identity Lab: Securing Users with Conditional Access & MFA (Entra ID P2)

Updated: Nov 27


Part of my 4-week Azure Security Lab Series


Identity is the foundation of cloud security, and this week I focused on building a realistic hands-on setup to learn how Microsoft Entra ID enforces secure access through users, groups, MFA, and Conditional Access policies.


Unlike networking labs, identity labs don’t require much infrastructure — but they do require premium features. To complete this lab, I activated the Microsoft Entra ID P2 free trial so I could explore Conditional Access and Privileged Identity Management.



🆕 Enabling the Entra ID P2 Free Trial


WARNING

🔐 Conditional Access → Requires P1 (included in P2)

🔐 Privileged Identity Management (PIM) → Requires P2

🔐 Identity Protection → Requires P2


These are paid licenses, but Entra ID offers a free 30-day P2 trial that can be activated once per tenant.


This trial unlocks:


  • Conditional Access

  • PIM

  • Risk-based policies

  • Identity Protection

  • Access Reviews

  • All advanced identity features for AZ-500 labs


👉 Enable the Entra ID P2 trial (free)


Azure Portal → Entra ID → Licenses → Activate “Entra ID P2 free trial”.


Follow the on-screen wizard and enter your card details. You will not be billed until the 30-day trial ends, and you can cancel before then like any free trial.

Activating P2 License.

I am now in a new Entra ID tenant, which also shows up in the Microsoft 365 Admin Center. I switched into the P2 tenant there to begin the identity labs:

Microsoft 365 Admin Centre.

👤 Step 1 — Creating Test Users


I created two users for this lab to simulate real identity scenarios:

  • Alice Admin: will manage PIM and Conditional Access

  • Bob User: standard test user to validate MFA and policy enforcement


Created via: Entra ID → Users → New User

Passwords set as temporary (changed at first login).


Creating Alice (Admin user).

Assigning Roles

Alice needs elevated permissions (the later PIM lab builds on this assignment):

Entra ID → Roles & Administrators → Global Administrator → Add Assignment

Global Administrator is the most privileged role in the tenant. It is convenient for a throwaway lab, but outside a lab you would assign the narrowest role that covers the task (Conditional Access Administrator is enough for the policy work in this post) and, with P2, make it eligible through PIM rather than permanently active.

Adding Elevated privileges to Alice's account.

Bob remains a standard user: create his account in the same way, just without the elevated role assignment.


Ignore Charlie, as he was created for a different lab.


Your user list should now look similar to this:

User list.

👥 Step 2 — Creating a Security Group


Group: SecOps-Test-Users


  • Type: Security

  • Membership: Assigned

  • Members: Bob User

  • Alice remains separate for admin tasks.


Created via: Entra ID → Groups → New group

Creating a new security group.

🌍 Step 3 — Set Usage Location (Important)


Before assigning licenses, each user must have a Usage Location set. Licenses carry per-country availability rules, so without it the assignment in the next step fails with a licensing error.


Entra ID → Users → Bob → Edit properties → Usage Location → United Kingdom. Repeat for Alice.

Setting usage location.

🪪 Step 4 — Assign Entra ID P2 Licenses to Users


In the Microsoft 365 Admin Center:


Billing → Licenses → Entra ID P2 → Assign users


I assigned Alice and Bob only.

Assigning the license to Alice and Bob.
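Steps 1 to 4 can also be scripted with the Microsoft Graph PowerShell SDK, which is how you would reproduce the lab in a fresh tenant. This is an added example, not part of the original lab: it assumes the Microsoft.Graph module is installed, that you are signed in as an admin of the trial tenant, and that the tenant domain and account names are placeholders you will replace. The role is resolved by display name rather than a hard-coded template ID, so swapping 'Global Administrator' for a narrower role is a one-word change.

```powershell
# Added example: Steps 1-4 (users, role, group, usage location, licence) via Microsoft Graph
# PowerShell instead of the portal. Assumes Microsoft.Graph is installed and you are signed
# in as an admin of the trial tenant. $domain and the account names are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Organization.Read.All'

$domain = 'contoso.onmicrosoft.com'   # placeholder: your tenant's default domain

function New-LabUser {
    param([string]$DisplayName, [string]$MailNickname)
    # Random temporary password. The 'Tmp!' prefix guarantees the upper/lower/symbol
    # classes Entra's cloud password policy wants; ForceChangePasswordNextSignIn is the
    # "temporary password, changed at first login" setting used in the portal.
    $chars  = [char[]]((48..57) + (65..90) + (97..122))
    $tempPw = 'Tmp!' + (-join (1..16 | ForEach-Object { $chars | Get-Random }))
    # -UsageLocation here folds Step 3 in: without it Set-MgUserLicense below fails.
    $u = New-MgUser -DisplayName $DisplayName -MailNickname $MailNickname -AccountEnabled `
        -UserPrincipalName "$MailNickname@$domain" -UsageLocation 'GB' `
        -PasswordProfile @{ Password = $tempPw; ForceChangePasswordNextSignIn = $true }
    $u | Add-Member -NotePropertyName TempPassword -NotePropertyValue $tempPw -PassThru
}

$alice = New-LabUser -DisplayName 'Alice Admin' -MailNickname 'alice'
$bob   = New-LabUser -DisplayName 'Bob User'    -MailNickname 'bob'
$alice, $bob | Select-Object UserPrincipalName, TempPassword   # hand these over out of band

# Step 1 (role): resolve the role by name so least privilege is a one-word change
# (e.g. 'Conditional Access Administrator' is enough for the policy work in this post).
$roleName = 'Global Administrator'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $alice.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId '/'

# Step 2: security group, assigned membership, Bob only (Alice stays out of it)
$grp = New-MgGroup -DisplayName 'SecOps-Test-Users' -MailNickname 'secops-test-users' `
    -MailEnabled:$false -SecurityEnabled
New-MgGroupMember -GroupId $grp.Id -DirectoryObjectId $bob.Id

# Step 4: assign Entra ID P2. Its SKU part number is AAD_PREMIUM_P2 and it is only
# present in the tenant once the trial has been activated.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'AAD_PREMIUM_P2'
if (-not $sku) { throw 'AAD_PREMIUM_P2 not found in the tenant: activate the P2 trial first.' }
foreach ($u in $alice, $bob) {
    Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) `
        -RemoveLicenses @() | Out-Null
}

# Check: usage location set and the P2 SKU attached
Get-MgUser -UserId $bob.Id -Property UserPrincipalName, UsageLocation, AssignedLicenses |
    Select-Object UserPrincipalName, UsageLocation,
        @{ n = 'SkuIds'; e = { $_.AssignedLicenses.SkuId -join ',' } }
```

The temporary passwords are printed once so you can hand them to the "users"; in a real environment you would use a Temporary Access Pass or an out-of-band channel rather than leaving them in shell history.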

🔐 Step 5 — Sign in as Alice (Admin) & Configure Conditional Access


I opened an incognito window and logged into the Azure portal using Alice’s credentials. Since it was her first login, I:


  • Changed her temporary password

  • Registered the Microsoft Authenticator app


Disable Security Defaults

Security defaults and Conditional Access are mutually exclusive, so the policy in the next step cannot be turned on while defaults are enabled:

Entra ID → Properties → Manage Security Defaults → Disable

Disabling them drops the tenant-wide MFA baseline until your own policy is in place, so do it right before creating the policy rather than days ahead.

Disabling security defaults.

🚧 Step 6 — Create the MFA Conditional Access Policy


Now the main part of the lab.

Navigate to: Entra ID → Protection → Conditional Access → New policy


Assignments

Users → Include: All users

Exclude:

  • Alice (current admin)

  • Your main admin account (prevents accidental tenant lockout)

Excluding an account that never goes through the policy is not just a lab nicety: Microsoft's guidance is to keep an emergency-access (break-glass) account out of every Conditional Access policy, and your main admin account plays that role here.

Conditional Access Policy configuration of users.

Target Resources

Selected All resources (previously “All cloud apps”).

You’ll see a warning about not locking yourself out: the policy now covers the Azure and Entra admin portals too, which is exactly why Alice and your main admin account are excluded above.

Conditional Access Policy configuration of target resources.

Grant Controls

  • Grant access

  • Require multifactor authentication

Grant access and enforce MFA.

Enable Policy → ON

The policy is live as soon as it is saved. Outside a lab, save it as Report-only first, watch the sign-in logs for a while to see who would have been prompted or blocked, and only then switch it to On; with two test users and the admin accounts excluded, turning it on directly is safe enough.

📲 Step 7 — Test the Policy (Bob User)


I logged in as Bob in a separate browser.

This time Bob was immediately required to:


☑️ Register Microsoft Authenticator (MFA registration happens at the first sign-in the policy catches)

☑️ Approve the sign-in in Microsoft Authenticator

☑️ Proceed into the Azure portal only after MFA


Azure portal sign in page.
Azure portal password prompt.
Azure portal MFA prompt.

This confirms that Conditional Access + MFA enforcement is working. The same result is visible from the admin side: Bob's entry in the Entra ID sign-in logs lists the policy under the Conditional Access tab with a result of Success and an authentication requirement of Multifactor authentication.
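Steps 5 to 7 scripted the same way, as an added example that is not part of the original lab. It assumes the Microsoft.Graph module is installed, that you are signed in as an admin of the trial tenant, and that the three UPNs at the top (Alice, a break-glass account, Bob) are placeholders. It deliberately differs from the portal walkthrough in one way: the policy is created in report-only mode and switched to enabled afterwards, and the final query reads Bob's sign-in log entries so the enforcement is confirmed from the admin side and not only from Bob's browser.

```powershell
# Added example: Steps 5-7 (security defaults off, MFA policy, verification) via Microsoft
# Graph PowerShell. Assumes Microsoft.Graph is installed and an admin sign-in; the UPNs are
# placeholders for the accounts created earlier in the lab.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'Application.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$aliceUpn      = 'alice@contoso.onmicrosoft.com'        # placeholder
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder: your main admin
$bobUpn        = 'bob@contoso.onmicrosoft.com'          # placeholder

# Step 5: security defaults and Conditional Access are mutually exclusive, so turn
# defaults off immediately before the policy goes in, not days earlier.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}

# Step 6: the same policy as in the portal. Users and apps use the literal 'All';
# excluded users are object ids. Start in report-only so nobody can be locked out
# while you check the sign-in logs, then flip to 'enabled'.
$excludedIds = $aliceUpn, $breakGlassUpn | ForEach-Object { (Get-MgUser -UserId $_).Id }
$policy = @{
    DisplayName   = 'LAB - Require MFA for all users'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users        = @{ IncludeUsers = @('All'); ExcludeUsers = $excludedIds }
        Applications = @{ IncludeApplications = @('All') }
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($ca.Id) in state $($ca.State)"

# ... sign in as Bob in another browser, confirm the sign-in log shows
# reportOnlySuccess for this policy, then enforce it:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id -State 'enabled'

# Step 7 from the admin side: Bob's latest sign-ins should show the policy applied
# (Result = success) and AuthenticationRequirement = multiFactorAuthentication.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$bobUpn'" -Top 5 |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.CreatedDateTime
            CAStatus = $_.ConditionalAccessStatus       # success / failure / notApplied
            AuthReq  = $_.AuthenticationRequirement     # single vs multiFactorAuthentication
            Policies = ($_.AppliedConditionalAccessPolicies |
                        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
        }
    } | Format-Table -AutoSize
```

Sign-in log entries can take a few minutes to appear, so rerun the last query if Bob's attempt is not there yet. If the policy shows as notApplied for Bob, check that his object id is not in the exclusion list and that security defaults really are off.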


Optional Extensions:

You can further experiment with:

  • Blocking access from outside your named (trusted) locations

  • Requiring a compliant or hybrid-joined device

  • Session controls (sign-in frequency, persistent browser session)

✅ End of the Conditional Access Lab


We now have:

  • A test tenant

  • Multiple users

  • A security group

  • MFA enforced via Conditional Access

  • Admin access separated from standard user access


This forms the foundation for the PIM (Privileged Identity Management) lab, which I documented separately.


Next up in the Identity series: Privileged Identity Management (PIM).

