Conditional Access Analyzer
Conditional Access is the authentication and authorization gate every user passes through before reaching your data. Export and analyze your Entra ID Conditional Access policies to surface coverage gaps in the controls protecting your Microsoft Purview data stores.
Why This Belongs in Purview
Microsoft Purview secures what lives in your data stores — DLP policies, sensitivity labels, and information barriers define the rules. Conditional Access secures who can get in the door. A perfectly tuned DLP policy provides no protection if an attacker or an unmanaged device can authenticate into SharePoint Online or the Purview compliance portal without MFA.
Reviewing CA coverage is therefore a prerequisite for any serious data protection posture — not a separate identity task. Gaps in CA policy directly translate to gaps in your Purview deployment.
What to Check
Purview & Compliance Portal
The Microsoft Purview compliance portal and Defender portal should require MFA and a compliant or Hybrid Azure AD-joined device. Admins with access to DLP, labels, and eDiscovery are high-value targets.
SharePoint Online & OneDrive
These are the primary data stores for labeled content. CA policies should enforce MFA and, where appropriate, block downloads to unmanaged devices using App-enforced restrictions.
Legacy Authentication Protocols
SMTP, IMAP, POP3, and older Office clients bypass MFA entirely. A dedicated block-legacy-auth policy is one of the highest-impact CA controls you can enable.
External & Guest Users
Guest users often fall outside default CA scope. Verify that your B2B collaboration policies apply appropriate MFA and session controls before guests can access shared labeled content.
Service Account Exclusions
Service accounts excluded from CA policies for operational reasons create exploitable gaps. Each exclusion should be documented and time-limited where possible.
Sign-in Risk & Location
Policies that require step-up authentication on risky sign-ins (Entra ID P2) or block known-bad locations add a layer of defense even when credentials are compromised.
About the CA Export Tool
The CA Export tool is a PowerShell-based utility that connects to your Entra ID tenant, exports all Conditional Access policies, and produces a structured report you can use to audit coverage against your Purview-protected workloads. It gives you a clear picture of which apps, users, and sign-in conditions are — and are not — governed by a CA policy.